Route-maps & HSRP problem

smeroz
Level 1

Hello experts. I have an issue with route-map.

*** Router A relevant configuration: ***
hostname Router_A
!
track 2 ip sla 2 reachability
!
interface GigabitEthernet0/0
description LAN_A
ip address 100.100.100.3 255.255.0.0
standby 1 ip 100.100.100.2
standby 1 priority 110
standby 1 preempt
ip policy route-map pbr
!
interface GigabitEthernet0/1
description WAN_A
ip address 50.0.0.1 255.255.255.0
negotiation auto
!
ip route 0.0.0.0 0.0.0.0 100.100.100.1
ip route 20.0.0.0 255.0.0.0 50.0.0.2
!
ip access-list extended pbr-acl
permit tcp 100.200.200.0 any any eq 5555 2222
!
ip sla 2
icmp-echo 100.100.100.4 source-interface GigabitEthernet0/0
frequency 5
!
route-map pbr permit 10
match ip address access-list pbr-acl
set ip next-hop verify-availability 100.100.100.4 1 track 2
route-map pbr permit 20
!
end

*** Router B relevant configuration: ***
!
hostname Router_B
!
interface GigabitEthernet0/0
description LAN_B
ip address 100.100.100.4 255.255.0.0
standby 1 ip 100.100.100.2
standby 1 preempt
!
interface GigabitEthernet0/1
description WAN_B
ip address 51.0.0.1 255.255.0.0
negotiation auto
!
ip route 0.0.0.0 0.0.0.0 100.100.100.1
ip route 20.0.0.0 255.0.0.0 51.0.0.2
!
end

After consulting with ChatGPT, everything appears to be in order, but that isn't the case.
For some reason, all traffic from the firewall (100.100.100.1) is being rerouted from Router_A to Router_B.
A traceroute from 100.150.150.150 to 20.20.20.20 shows:
...
4 <1ms <1ms <1ms 100.100.100.3
5 <1ms <1ms <1ms 100.100.100.4
6 4ms 4ms 4ms 51.0.0.2
...

Address 100.150.150.150 should not match the access list and therefore shouldn't be redirected to 100.100.100.4.

Router_A#show route-map pbr
route-map pbr, permit, sequence 10
Match clauses:
ip address (access-lists): pbr-acl
Set clauses:
ip next-hop verify-availability 100.100.100.4 1 track 2 [up]
Policy routing matches: 178068588 packets, 181039745065 bytes
route-map pbr, permit, sequence 20
Match clauses:
Set clauses:
Policy routing matches: 0 packets, 0 bytes

This seems to show that all packets are incorrectly matching the access list, even though they shouldn't. Any ideas?


Enes Simnica
Spotlight

G'day @smeroz, that is a great question. And from what u’ve shared, the issue looks like it’s coming from your access list. In ur config u have:

ip access-list extended pbr-acl
permit tcp 100.200.200.0 any any eq 5555 2222

That syntax doesn’t look right. Because in Cisco ACLs, when u want to permit a range of ports, u need to use range, not just stack two ports. For example:

permit tcp 100.200.200.0 0.0.0.255 any range 5555 2222

As it stands, the ACL may be behaving unexpectedly and matching more than you intended, which explains why all traffic is hitting sequence 10 of your route-map and being sent toward Router B.

I’d recommend tightening that ACL - specify the source subnet mask, fix the port syntax, and double-check with a show access-lists pbr-acl while generating traffic from 100.150.150.150 to confirm it’s not matching.

And once the ACL is corrected, only the intended traffic should be policy-routed, and everything else should follow the normal routing table.

hope it helps!


-Enes
CCNP x2 Enterprise
Your Friendly Networking Ninja


Firewall and two routers run HSRP? Is that correct?

Check that 

1- FW must have a default or static route toward the VIP of HSRP

2- config PBR in both HSRP peers

MHM

Hello,

The syntax for your ACL doesn't look quite correct.

You have:

ip access-list extended pbr-acl
permit tcp 100.200.200.0 any any eq 5555 2222

Can you change it to:

ip access-list extended pbr-acl
permit tcp 100.200.200.0 any eq 5555 eq 2222

You may have an extra 'any' in there, and if you are trying to do individual ports you need to specify them with the eq statement.


Can you verify if this works after making the changes?


-David

I think if anything is wrong in the ACL command, the router rejects it.

MHM

Correct. The syntax of the ACL is invalid and the router will throw an error message.

However, if you just copy & paste the entire config proposed by ChatGPT into the router at once, most people will miss the error messages and then wonder why things are not working as expected...

@smeroz  Do a 'show access-list' and post the output.

That's what I thought, but the syntax looked like it had too many arguments.

Thanks.
Let's wait for him to share the show access-list.

MHM


Hello David. As I posted earlier, the "any any" was a typo. I later changed it to:
permit tcp 100.200.200.0 any eq 5555
permit tcp 100.200.200.0 any eq 2222
But that didn't change anything.

He shared this:

So line 10 of the PBR is working.

Router_A#show route-map pbr
route-map pbr, permit, sequence 10
Match clauses:
ip address (access-lists): pbr-acl
Set clauses:
ip next-hop verify-availability 100.100.100.4 1 track 2 [up]
Policy routing matches: 178068588 packets, 181039745065 bytes

The issue of the redirect is configuring PBR with HSRP.

The FW forwards traffic to a specific IP and the router sends a redirect (he can disable ICMP redirects as a workaround).

The network design is wrong.

He needs:

FW pointing to the VIP of HSRP.

And both HSRP routers having identical routes; otherwise he will always face a redirect.

"Again, as a workaround @smeroz can disable ICMP redirects on the interface."

"So line 10 of the PBR is working"

The router does NOT check whether an ACL exists when you configure the route-map!

So if the creation of the ACL fails due to syntax errors, you can still create the route-map that refers to that ACL, even though it does not exist. The router treats this as a 'match any' and therefore all traffic is rerouted.

Traffic is redirected; check the traceroute he shared.

MHM

Yes, that's what I said.

If the ACL that is referenced in the route-map does not exist, the permit 10 statement works as a match any.
The router ignores the 'match ip address access-list pbr-acl' statement, and without a valid match statement it matches all traffic.
Hence all traffic is redirected.
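As an added illustration of the point above (not code from the thread or from Cisco), here is a small Python audit that applies the same rule to a config dump: ACEs that IOS would reject on paste are dropped, and any route-map sequence whose match clause points at an ACL left missing or empty is flagged as an effective match-any. It assumes only the any/host/wildcard address forms and the eq/range port operators of an IOS extended ACL, and the config sample is constructed from Router_A's posted lines.

```python
import re
from ipaddress import IPv4Address

# Constructed sample modelled on Router_A's posted config: the ACE that IOS rejects, plus the route-map.
POSTED_CFG = """ip access-list extended pbr-acl
 permit tcp 100.200.200.0 any any eq 5555 2222
route-map pbr permit 10
 match ip address access-list pbr-acl
 set ip next-hop verify-availability 100.100.100.4 1 track 2
"""

def _addr(toks, i):  # any | host A.B.C.D | A.B.C.D WILDCARD; returns next token index
    if toks[i] == "any":
        return i + 1
    if toks[i] == "host":
        IPv4Address(toks[i + 1]); return i + 2
    IPv4Address(toks[i]); IPv4Address(toks[i + 1])  # 'any' in the wildcard slot raises here
    return i + 2
def _port(toks, i):  # optional eq N | range N M; returns next token index
    if i < len(toks) and toks[i] == "eq":
        int(toks[i + 1]); return i + 2
    if i < len(toks) and toks[i] == "range":
        int(toks[i + 1]); int(toks[i + 2]); return i + 3
    return i
def ace_error(line):  # None if the extended ACE is valid IOS syntax, else why IOS would reject it
    toks = line.split()
    try:
        if toks[0] not in ("permit", "deny") or toks[1] not in ("ip", "tcp", "udp"):
            return "bad action or protocol"
        i = _port(toks, _addr(toks, 2))  # source, optional source port
        i = _port(toks, _addr(toks, i))  # destination, optional destination port
    except (IndexError, ValueError):
        return "malformed address or port"
    return f"trailing tokens {toks[i:]}" if i != len(toks) else None
def audit_pbr(cfg):  # findings: rejected ACEs, and route-map sequences left with a missing/empty ACL
    acls, refs, findings, cur, rmap, seq = {}, [], [], None, None, None
    for line in (l.strip() for l in cfg.splitlines() if l.strip()):
        if m := re.match(r"ip access-list (?:standard|extended) (\S+)", line):
            cur = m.group(1); acls.setdefault(cur, [])
        elif line.startswith("route-map "):
            cur, rmap, seq = None, line.split()[1], line.split()[-1]
        elif cur and line.split()[0] in ("permit", "deny"):
            if (err := ace_error(line)) is None: acls[cur].append(line)
            else: findings.append(f"rejected ACE ({err}): {line}")  # IOS prints an error and drops it
        elif m := re.match(r"match ip address (?:access-list )?(\S+)", line):
            refs.append((rmap, seq, m.group(1)))
    for rmap, seq, name in refs:
        if not acls.get(name):  # no usable ACL behind the match clause: it behaves as match-any
            findings.append(f"route-map {rmap} seq {seq}: ACL {name} missing/empty, matches ALL traffic")
    return findings
```

Running audit_pbr on the posted sample reports the rejected ACE and then the match-any sequence 10; after the ACE is rewritten with a wildcard mask and a single eq port, the audit returns no findings.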

@smeroz by the way

route-map pbr permit 10
match ip address access-list pbr-acl
set ip next-hop verify availability 100.100.100.4 1 track 2
route-map pbr permit 20 <<- no need for this; it's PBR, not a route-map for filtering or modifying prefixes

MHM

Stefan Mihajlov
Level 3

@smeroz 

You just need to correct the ACL so it matches only the specific subnet and ports you want, then reference that ACL properly in the route-map. After fixing it, check with show access-lists to confirm hits are only on the intended traffic. Also make sure your firewall points to the HSRP VIP as the default gateway, and consider disabling ICMP redirects to avoid unwanted reroutes.

–––
Best regards,
Stefan Mihajlov
