HSRP and STP failed after adding route to inside network

Salute, dear community!!

I have two 2921 routers running HSRP.

[image: question.jpg]

Here are the configurations of the routers:

C2921UP (HSRP Active)

C2921UP#sh standby
GigabitEthernet0/2 - Group 0 (version 2)
  State is Active
    2 state changes, last state change 00:34:00
    Track object 13 state Up
  Virtual IP address is 192.168.12.100
  Active virtual MAC address is 0000.0c9f.f000
    Local virtual MAC address is 0000.0c9f.f000 (v2 default)
  Hello time 1 sec, hold time 3 sec
    Next hello sent in 0.640 secs
  Preemption enabled
  Active router is local
  Standby router is 192.168.12.2, priority 95 (expires in 2.608 sec)
  Priority 100 (default 100)
  Group name is "HSRP_GROUP" (cfgd)

C2921UP#sh ip route
Gateway of last resort is X.X.X.1 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via X.X.X.1
S     192.168.10.0/24 [1/0] via 192.168.12.3
      192.168.11.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.11.0/24 is directly connected, GigabitEthernet0/0
L        192.168.11.31/32 is directly connected, GigabitEthernet0/0
      192.168.12.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.12.0/24 is directly connected, GigabitEthernet0/2
L        192.168.12.1/32 is directly connected, GigabitEthernet0/2
      X.X.X.0/24 is variably subnetted, 2 subnets, 2 masks
C        X.X.X.0/24 is directly connected, GigabitEthernet0/1
L        X.X.X.83/32 is directly connected, GigabitEthernet0/1


C2921DOWN (HSRP Standby)

C2921DOWN#sh standby
GigabitEthernet0/2 - Group 0 (version 2)
  State is Standby
    4 state changes, last state change 00:26:57
    Track object 13 state Up
  Virtual IP address is 192.168.12.100
  Active virtual MAC address is 0000.0c9f.f000
    Local virtual MAC address is 0000.0c9f.f000 (v2 default)
  Hello time 1 sec, hold time 3 sec
    Next hello sent in 0.384 secs
  Preemption disabled
  Active router is 192.168.12.1, priority 100 (expires in 2.944 sec)
    MAC address is b0fa.ebd2.1f42
  Standby router is local
  Priority 95 (configured 95)
  Group name is "HSRP_GROUP" (cfgd)

C2921DOWN#sh ip route
Gateway of last resort is not set

{There is no route to 192.168.10.0 yet; I'll get to that later.}

      192.168.11.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.11.0/24 is directly connected, GigabitEthernet0/0
L        192.168.11.32/32 is directly connected, GigabitEthernet0/0
      192.168.12.0/24 is variably subnetted, 2 subnets, 2 masks
C        192.168.12.0/24 is directly connected, GigabitEthernet0/2
L        192.168.12.2/32 is directly connected, GigabitEthernet0/2

And I have two ASA 5525-X running in Active/Standby failover mode. Here is the configuration:

FWUP# sh running-config
: Saved
:
ASA Version 8.6(1)2
!
hostname FWUP
names
!
interface GigabitEthernet0/0
 description To-Core-Stack-Gig1/0/4
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 description To-Core-Stack-Gig2/0/4
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/7
 description LAN/STATE Failover Interface
!
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.11.33 255.255.255.0 standby 192.168.11.34
 management-only
!
interface Port-channel1
 description To-Core-Stack
 port-channel load-balance dst-ip
 nameif inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
!
interface Port-channel1.9
 shutdown
 vlan 9
 nameif Administrators
 security-level 100
 ip address 192.168.9.1 255.255.255.0 standby 192.168.9.2
!
interface Port-channel1.12
 vlan 12
 nameif outside
 security-level 0
 ip address 192.168.12.3 255.255.255.0 standby 192.168.12.4
!
interface Port-channel1.52
 vlan 52
 nameif DMZ
 security-level 50
 ip address 192.168.52.1 255.255.255.0 standby 192.168.52.2
!
ftp mode passive
dns server-group DefaultDNS
access-list OUT_IN extended permit ip any any
pager lines 24
logging asdm informational
failover
failover lan unit secondary
failover lan interface fo GigabitEthernet0/7
failover replication http
failover mac address Port-channel1 7cad.746f.65cc 7cad.746f.6608
failover mac address Management0/0 7cad.746f.65c7 7cad.746f.6603
failover link fo GigabitEthernet0/7
failover interface ip fo 10.254.254.253 255.255.255.252 standby 10.254.254.254
monitor-interface outside
monitor-interface DMZ
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group OUT_IN in interface inside
access-group OUT_IN in interface outside
route outside 0.0.0.0 0.0.0.0 192.168.12.100 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
!
: end

And one more: the configuration of the stack of two Catalyst 3750-X switches:

hostname C3750-Core
!
boot-start-marker
boot-end-marker
!
no aaa new-model
switch 1 provision ws-c3750x-24
switch 2 provision ws-c3750x-24
system mtu routing 1500
!
no ip domain-lookup
!
spanning-tree mode pvst
spanning-tree extend system-id
spanning-tree vlan 1,9,12,52 priority 24576
!
vlan internal allocation policy ascending
!
ip ssh time-out 60
ip ssh authentication-retries 2
lldp run
!
interface Port-channel1
 description To-FWUP
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Port-channel2
 description To-FWDOWN
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface Port-channel3
 description To-C2960
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-11,13-4094
 switchport mode trunk
!
interface Port-channel10
 description To-FABRIC-A
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-11,13-4094
 switchport mode trunk
!
interface Port-channel20
 description To-FABRIC-B
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-11,13-4094
 switchport mode trunk
!
interface FastEthernet0
 description MANAGEMENT_L3_PORT
 ip address 192.168.11.14 255.255.255.0
 no ip route-cache cef
 no ip route-cache
!
interface GigabitEthernet1/0/1
 description C2921UP-Gig0/0
!
interface GigabitEthernet1/0/2
 description C2921UP-Gig0/2
 switchport access vlan 12
 switchport trunk encapsulation dot1q
 switchport mode access
!
interface GigabitEthernet1/0/3
 description C2921UP-Gig0/1
!
interface GigabitEthernet1/0/4
 description To-FWUP-Gig0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet1/0/5
 description To-FWDOWN-Gig0/0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 2 mode on
!
interface GigabitEthernet1/0/6
 description To-FWUP-Mngmnt
!
interface GigabitEthernet1/0/24
 description To-C2960-Gig-1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-11,13-4094
 switchport mode trunk
 channel-group 3 mode on
!
interface TenGigabitEthernet1/1/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-11,13-4094
 switchport mode trunk
!
interface TenGigabitEthernet1/1/2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-11,13-4094
 switchport mode trunk
!
interface GigabitEthernet2/0/1
 description C2921DOWN-Gig0/0
!
interface GigabitEthernet2/0/2
 description C2921DOWN-Gig0/2
 switchport access vlan 12
 switchport trunk encapsulation dot1q
 switchport mode access
!
interface GigabitEthernet2/0/3
 description C2921DOWN-Gig0/1
!
interface GigabitEthernet2/0/4
 description To-FWUP-Gig0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode on
!
interface GigabitEthernet2/0/5
 description To-FWDOWN-Gig0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 2 mode on
!
interface GigabitEthernet2/0/6
 description To-FWDOWN-Mngmnt
!
interface GigabitEthernet2/0/24
 description To-C2960-Gig-2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-11,13-4094
 switchport mode trunk
 channel-group 3 mode on
!
interface TenGigabitEthernet2/1/1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-11,13-4094
 switchport mode trunk
!
interface TenGigabitEthernet2/1/2
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-11,13-4094
 switchport mode trunk
!
interface Vlan1
 ip address 192.168.10.3 255.255.255.0
!
interface Vlan9
 ip address 192.168.9.3 255.255.255.0
!
interface Vlan12
 ip address 192.168.12.200 255.255.255.0
!
interface Vlan52
 ip address 192.168.52.3 255.255.255.0

The ASA Active/Standby cluster is working brilliantly!

HSRP is working too.

I can ping the HSRP virtual IP 192.168.12.100 from the outside interface of the ASA cluster, and I can ping the HSRP virtual IP 192.168.12.100 from an inside host (192.168.10.62). But! When I add a static route on the standby HSRP router (C2921DOWN) to 192.168.10.0 through 192.168.12.3:

C2921DOWN(config)#ip route 192.168.10.0 255.255.255.0 192.168.12.3

after a few seconds my network goes down. It seems there is a loop in the network. I do "show int gig1/0/2" (or gig2/0/2, or any port-channel) on C3750-Core and I see many millions of packets per second! When I delete this route from the standby HSRP router, the network comes back up.

Please, where is the dog buried?


1 Reply

Problem was solved. Deploying "permit ip any any" on the outside interface was a very bad idea.
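As an added example (not part of the original post or the reply), here is the permit-all ACL the post shows, placed beside a per-interface replacement that follows the reply's advice. The addresses, interface names and the test host 192.168.10.62 come from the post; the object and ACL names, the choice to expose only ICMP echo to that one inside host from the VLAN 12 routers, and the decision to keep the inside ACL permissive are assumptions made for illustration.

```cisco
! --- As posted: one permit-all ACL bound inbound on BOTH inside and outside ---
! Anything arriving on the outside interface (VLAN 12) is allowed to any destination.
access-list OUT_IN extended permit ip any any
access-group OUT_IN in interface inside
access-group OUT_IN in interface outside

! --- Replacement (assumed names/policy): separate ACLs, least privilege on outside ---
object network INSIDE_NET
 subnet 192.168.10.0 255.255.255.0
object-group network HSRP_ROUTERS
 network-object host 192.168.12.1
 network-object host 192.168.12.2
 network-object host 192.168.12.100

! Inbound on outside: only explicitly published services. The ASA is stateful, so
! return traffic for connections opened from inside does not need an entry here.
! Assumption: only ICMP echo from the two 2921s / the HSRP VIP to the test host
! 192.168.10.62 is wanted; add entries for real published services, nothing broader.
access-list OUTSIDE_IN extended permit icmp object-group HSRP_ROUTERS host 192.168.10.62 echo
access-list OUTSIDE_IN extended deny ip any any log

! Inbound on inside: what the LAN may originate (kept permissive here; egress
! filtering is a separate decision). The explicit logged deny documents drops.
access-list INSIDE_IN extended permit ip object INSIDE_NET any
access-list INSIDE_IN extended deny ip any any log

! Rebind per interface (this replaces the earlier binding), then drop the old ACL.
access-group OUTSIDE_IN in interface outside
access-group INSIDE_IN in interface inside
clear configure access-list OUT_IN
```

Verify the result before relying on it: `show access-list OUTSIDE_IN` lists the entries with hit counts, and `packet-tracer input outside icmp 192.168.12.1 8 0 192.168.10.62` walks an echo request from the active router through the ACL, route lookup and inspection phases so you can confirm the intended permit and that anything else from the outside is now dropped and logged.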