
3750x HSRP issue

7layer
Level 1

Dear all,

 

I'm having a weird issue with my HSRP config, because the nodes cannot see each other properly.

When I noticed the issue first I thought the trouble lies at layer2 with the SG300 switch where the two 3750x connected to.

But we have moved the second switch uplink to the first switch and same trouble, they still cannot communicate via the same VLAN for some reason. In this test the trunk had all VLAN enabled and still no luck.

 

I have this setup at a different location and it does work fine.

One thing is different though which is here there is an ACL applied for the VLAN that you cannot see in this config but other VLAN's have few ACL's.

Those VLAN's where ACL applied the policy has been added for HSRP to work: (permit ip any host 224.0.0.2) 

But as you can see in this VLAN 100 there is no ACL and still the HSRP cannot see each other.

The switch one has both IP and switch two has first standby and second active.

 

Another interesting issue is that if I use the second switch as gateway on pingplotter I can see that the first hop is flipping. So in the 8.8.8.8 trace the first gw is 172.20.0.11 and in the next 3 sec it changes to 172.20.0.21 and vice versa, flipping.

 

Obviously the HSRP would be the HA solution here and it is not working as it should.

I have fully run out of ideas so I would much appreciate it if anyone would advise what to do here.

 

The only difference between the two switches is the IOS.

First switch: C3750E Boot Loader (C3750X-HBOOT-M) Version 12.2(58r)SE1, RELEASE SOFTWARE (fc1)

Second switch: C3750E Boot Loader (C3750X-HBOOT-M) Version 12.2(53r)SE2, RELEASE SOFTWARE (fc1)

But I would be really surprised if this would be the issue, because I have managed to make a 12+ year old 3550 work together with a brand new 3750x on HSRP V1 when I was upgrading core switches, and they worked well with 10+ years different HW and different SW. Here there is an almost similar 3750x with only a few releases between them.

 

Here are the two switch configs:

 

SW1:

interface Vlan100
ip address 172.28.0.11 255.255.255.0
no ip mroute-cache
standby 1 ip 172.28.0.10
standby 1 priority 110
standby 1 preempt
standby 1 track 1 decrement 10
standby 2 ip 172.28.0.20
standby 2 priority 90
standby 2 preempt
standby 2 track 1 decrement 10
end


SW1#sh standby brief
P indicates configured to preempt.
Vl100 1 110 P Active local unknown 172.28.0.10
Vl100 2 90 P Active local unknown 172.28.0.20

SW1#sh standby vlan 100
Vlan100 - Group 1
State is Active
2 state changes, last state change 46w0d
Virtual IP address is 172.28.0.10
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 1.104 secs
Preemption enabled
Active router is local
Standby router is unknown
Priority 110 (configured 110)
Track object 1 state Up decrement 10
Group name is "hsrp-Vl100-1" (default)
Vlan100 - Group 2
State is Active
2 state changes, last state change 46w0d
Virtual IP address is 172.28.0.20
Active virtual MAC address is 0000.0c07.ac02
Local virtual MAC address is 0000.0c07.ac02 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.464 secs
Preemption enabled
Active router is local
Standby router is unknown
Priority 90 (configured 90)
Track object 1 state Up decrement 10
Group name is "hsrp-Vl100-2" (default)
SW1#

########
SW2:
interface Vlan100
ip address 172.28.0.21 255.255.255.0
standby 1 ip 172.28.0.10
standby 1 priority 90
standby 1 preempt
standby 1 track 1 decrement 10
standby 2 ip 172.28.0.20
standby 2 priority 110
standby 2 preempt
standby 2 track 1 decrement 10
end

Vl100 1 90 P Standby 172.28.0.11 local 172.28.0.10
Vl100 2 110 P Active local unknown 172.28.0.20

SW2#sh standby vlan 100
Vlan100 - Group 1
State is Standby
9 state changes, last state change 00:54:02
Virtual IP address is 172.28.0.10
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 1.328 secs
Preemption enabled
Active router is 172.28.0.11, priority 110 (expires in 7.840 sec)
Standby router is local
Priority 90 (configured 90)
Track object 1 state Up decrement 10
Group name is "hsrp-Vl100-1" (default)
Vlan100 - Group 2
State is Active
9 state changes, last state change 00:54:24
Virtual IP address is 172.28.0.20
Active virtual MAC address is 0000.0c07.ac02
Local virtual MAC address is 0000.0c07.ac02 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.656 secs
Preemption enabled
Active router is local
Standby router is unknown
Priority 110 (configured 110)
Track object 1 state Up decrement 10
Group name is "hsrp-Vl100-2" (default)
SW2#

 

 

 

 

 


please can you config the HSRP bia or virtual mac address "manually" instead of use default v1.

check this.

Well I got it but this is the problem, it is working in an other network pretty fine, also if you check even Cisco implements this:

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipapp_fhrp/configuration/xe-3s/fhp-xe-3s-book/fhp-hsrp-mgo.pdf

Also this setup was the same that worked 10+ years fine with 3550 pair in production.

 

Maybe I got you wrong, please explain the difference multi and dual group, because it sounds the same to me.
All the configs that I saw either had one standby or two, just like the Cisco example that I sent.

 

So what do you mean by this: "multi group each for each L3 interface" ?

 

Also I'm thinking maybe the 3750x reached the limit of the maximum HSRP but it is around 25 I think and this setup has 20.

 

Thanks in advance!

 

balaji.bandi
Hall of Fame

The example document was provided with Physical Interface not for VLAN. as per my knowledge there is a limitation on VLAN using the same subnet.

 

Do you mean to say VLAN with the same IP subnet was working last many years?

 

Are you able to ping the secondary IP address of HSRP locally from the same switch, and are you able to see the arp table for that IP?

 

in your case :

172.28.0.20

 

i am more interested to see also Logs. as per your output unknown

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

I see I have missed that this was for Physical iface.

 

Yes and those are also VLANs and they work fine in a smaller config where only 3 x 2 pair sit together, all fine. (same 3750x boxes)

 

The ping works for the physical interface fine and there obviously it shows the appropriate MAC address, but the HSRP IPs are showing the local IP address instead of the other node's IP. 

 

Basically the first node can't see the second node.

Second node can see the first node first IP, not the second block.

 

Oh also I forgot to mention that when I was debugging the HSRP packets the first node was sending out packets, nothing was coming in, and the second node was sending and receiving the packets.

 

First node: HSRP: Vl100 Grp 1 Hello out 172.28.0.11 Active pri 110 vIP 172.28.0.10

 

Second node: HSRP: Vl100 Grp 1 Hello in 172.28.0.11 Active pri 110 vIP 172.28.0.10

HSRP: Vl100 Grp 2 Hello out 172.28.0.21 Active pri 110 vIP 172.28.0.20

 

I started ripping off the secondary IPs, let's see if it helps to become alive.

If not then I will cut off the HSRP IPs as well, but I do need a VIP block for at least 8-9 VLAN-s.

Thanks for your help, appreciated!

please can you config the HSRP bia or virtual mac address "manually" instead of use default v1.

check this.

 

How do you mean "manually" config?

 

Also I started cutting off the second IP from the config and still the same result, they can't see each other.
Looks like a VLAN issue between the boxes, but even when they were connected they behaved the same.

 

 

standby "group number" mac-address 

###

W1(config-if)#standby 1 ?
authentication 
follow
ip 
name
preempt
priority
timers
track

SW1(config-if)#

 

No options here for mac address.

I suggest changing version 1 to version 2 in HSRP

 

changing MAC address refer below document :

 

https://www.cisco.com/c/en/us/support/docs/ip/hot-standby-router-protocol-hsrp/10583-62.html

BB


Okay got you.

 

I wanted to do this but "luckily" the system is in production now, and no idea when the config went wrong.

The trouble is there is no way to run V1 and V2 at the same time.

But I will try it anyway, when there is not much load on the weekend.

 

So I guess I need to swap to fix IPs, all VLANs and then reconfigure the HSRP and redo the HSRP setup again.

This is horrible loads of work on both nodes, not happy at all because this worked when it was few VLANs but somewhere went off the track. 

 

Anyway I will get back to the forum and update you guys when I got it working!

Thanks for the ideas, appreciated a lot!

##

The example document was provided with Physical Interface not for VLAN. as per my knowledge there is a limitation on VLAN using the same subnet.

##

 

I checked my CCNP Switch portable guide and there is the solution for load balance, and also the O'Reilly IOS Cookbook book, where this exact implementation is shown as an example.

 

Two standby IPs are used on a VLAN and the load-balance works, as on the subnet half of the machines use the first group and the second half use the second group.

Something is wrong either with the VTI interface or with the IOS itself.

 

I have attached the VLAN solution where two groups configured as mine and this is a Cisco book by Cisco.

So if we cannot trust in this example then what is the solution?

Also this exact config works fine with only 3 VLANS I assume the issue lies at the IOS.

 

So I believe something generally is wrong with these two boxes' communications.

I have deleted the first node main IP and then the second node took over and started working without any problems.
The only noticeable thing was one ping time ms went up when it was taking over, but no dropped packets at all.

 

Here are the first node before and after standby brief:

 

Vl100 1 110 P Active local unknown 172.28.0.10

 

Second node:

 

Vl100 1 90 P Standby 172.28.0.11 local 172.28.0.10

Vl100 1 90 P Active local unknown 172.28.0.10

 

Clearly they can see each other but the standby status is not showing this at all.

 

So with restored standby IP config.

Node 1 active:

 

SW1#sh standby vlan 100
Vlan100 - Group 1
State is Active
5 state changes, last state change 00:03:03
Virtual IP address is 172.28.0.10
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 1.632 secs
Preemption enabled
Active router is local
Standby router is unknown
Priority 110 (configured 110)
Track object 1 state Up decrement 10
Group name is "hsrp-Vl100-1" (default)
SW1#

 

SW2#sh standby vlan 100
Vlan100 - Group 1
State is Standby
12 state changes, last state change 00:02:36
Virtual IP address is 172.28.0.10
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.192 secs
Preemption enabled
Active router is 172.28.0.11, priority 110 (expires in 10.752 sec)
Standby router is local
Priority 90 (configured 90)
Track object 1 state Up decrement 10
Group name is "hsrp-Vl100-1" (default)
SW2#

 

And then when Node 1 standby IP deleted:

 

SW1#sh standby vlan 100

SW1#

 

SW2#sh standby vlan 100
Vlan100 - Group 1
State is Active
13 state changes, last state change 00:00:27
Virtual IP address is 172.28.0.10
Active virtual MAC address is 0000.0c07.ac01
Local virtual MAC address is 0000.0c07.ac01 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 1.056 secs
Preemption enabled
Active router is local
Standby router is unknown
Priority 90 (configured 90)
Track object 1 state Up decrement 10
Group name is "hsrp-Vl100-1" (default)
SW2#

 

Thanks very much guys for all your help!

Hello


@7layer wrote:

Those VLAN's where ACL applied the policy has been added for HSRP to work: (permit ip any host 224.0.0.2) 


Amend your access-list to include the following and test again:
access-list xx permit udp any any eq 1985


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Thanks for this idea.

I have added to all ACL-d VLAN this but didn't help.

Still the same they cannot see properly each other.

Cheers,

Laz
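
The states pasted in this thread can be checked mechanically. The following is an added example, not part of any post in the thread: it parses `show standby brief` rows from both switches and flags groups where more than one switch is Active, or where the Active switch lists its standby as unknown while the peer reports Standby. The function names, the switch names used as dictionary keys and the finding labels are assumptions of the example.

```python
import re
from collections import defaultdict

# Rows copied from the "sh standby brief" output posted in the thread.
SAMPLE = {
    "SW1": """P indicates configured to preempt.
Vl100 1 110 P Active local unknown 172.28.0.10
Vl100 2 90 P Active local unknown 172.28.0.20""",
    "SW2": """Vl100 1 90 P Standby 172.28.0.11 local 172.28.0.10
Vl100 2 110 P Active local unknown 172.28.0.20""",
}

# Interface, group, priority, optional P flag, state, active, standby, virtual IP
ROW = re.compile(
    r"^(?P<intf>\S+)\s+(?P<grp>\d+)\s+(?P<pri>\d+)\s+(?:P\s+)?"
    r"(?P<state>\S+)\s+(?P<active>\S+)\s+(?P<standby>\S+)\s+(?P<vip>\S+)$"
)

def parse_brief(text):
    """Return {(interface, group): fields} for each HSRP row; other lines are skipped."""
    rows = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows[(m["intf"], int(m["grp"]))] = m.groupdict()
    return rows

def find_anomalies(outputs):
    """outputs maps switch name -> 'show standby brief' text; returns sorted findings."""
    groups = defaultdict(dict)
    for switch, text in outputs.items():
        for key, row in parse_brief(text).items():
            groups[key][switch] = row
    findings = []
    for (intf, grp), rows in sorted(groups.items()):
        active = sorted(s for s, r in rows.items() if r["state"] == "Active")
        standby = [s for s, r in rows.items() if r["state"] == "Standby"]
        if len(active) > 1:
            # More than one switch claims the virtual IP: at least one
            # of them is not receiving the other's hellos.
            findings.append((intf, grp, "dual-active", active))
        deaf = [s for s in active if rows[s]["standby"] == "unknown"]
        if standby and deaf:
            # The peer hears the Active switch, but not the other way round.
            findings.append((intf, grp, "peer-not-heard", deaf))
    return findings

if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE):
        print(finding)
```

Run against the thread's output, group 1 is reported as heard in one direction only and group 2 as Active on both switches, which matches the debug lines where SW1 logs only outgoing hellos.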
