cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3367
Views
0
Helpful
15
Replies

HSRP miscommunication -> both active on a vlan

SelamsewAmha
Level 1
Level 1

Hello Pals,

I have two 4506 switches connecting via L2 etherChannel and various SVIs. Everything is fine but 2 out of the 32 SVIs configured do not communicate using HSRP. Both claim they are active. All the VLANs are allowed on the EtherChannel trunk. all the configurations are alike with the rest of the SVI configs. I have posted the SVI conigs of two VLANs (one working the other not) from both switches as below.

interface Vlan13
 ip address 10.0.13.3 255.255.255.0
 no ip redirects
 standby 226 ip 10.0.13.1
 standby 226 timers 5 15
 standby 226 authentication HSRP@XXX

interface Vlan14
 ip address 10.0.14.3 255.255.255.0
 no ip redirects
 standby 226 ip 10.0.14.1
 standby 226 timers 5 15
 standby 226 authentication HSRP@XXX

 

and on the 2nd switch i have
 

interface Vlan13
 ip address 10.0.13.2 255.255.255.0
 no ip redirects
 standby 226 ip 10.0.13.1
 standby 226 timers 5 15
 standby 226 priority 110
 standby 226 authentication HSRP@XXX

interface Vlan14
 ip address 10.0.14.2 255.255.255.0
 no ip redirects
 standby 14 ip 10.0.14.1
 standby 14 timers 5 15
 standby 14 priority 110
 standby 14 authentication HSRP@XXX

 

is there anything I miss here? I have checked almost everything in my perception. 

 

15 Replies 15

Mark Malone
VIP Alumni
VIP Alumni

Its good to have preempt enabled on both sides but thats not your problem

Whats the show standby for each side show can they see the standby router ?

have you ran a debug standby to see whats happening when and if they speak to each other at all

Hi Mark,

thanks for responding.

the show standby command labels 'unknown' about the standby in both of the switches.

  Active router is local
  Standby router is unknown

the debug standby command output only shows:

%IP-4-DUPADDR: Duplicate address 10.0.140.1 on Vlan14, sourced by xxxx.xxxx.xxxx on both the switches

 

 

 

Thats why there both active as they cannot see each other to negotiate hsrp so they both become active

The duplicate ip address is a separate issue thats not related to hsrp issue currently

There is an underlying issue here , can you ping the ip address of the far vlan

ping 10.0.13.3 source vlan 13

Have you checked the trunk connection in the etherchannel are you allowing the vlans across it as if hsrp is working for other vlans then its not a physical issue somethings been missed

do show int trunk check you etherchannel PO make sure the vlans are allowed each side

the ping fails,

the etherchannel configuration is perfect.

the show interfaces trunk shows all VLANs are allowed as below;

 

interface Port-channel1
 description Connection-to-Dis02
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate

the member ports have config:

interface GigabitEthernet5/5
 description Connection-to-SWHQDis02
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport nonegotiate
 speed 1000
 duplex full
 channel-group 1 mode on

the show interfaces trunk command shows:

Po1         1-2,8-29,31,150

 

any other thing i missed?

 

if there directly 4506-4506 connected the only other thing i could think of is an acl is blocking 224.0.0.2 which hsrp uses to communicate but if you were blocking that none of them would work unless blocked for the specific subnet, somethings not allowing the hello packets through which allow the hsrp communication between 2 switches

can you post the config on each switch and does the show int trunk show the vlan not being pruned and its allowed in mgmt domain and what doe sthe spanning tree show for the po1 does it have your vlans in fwd state

actually sorry looking back at your earlier duplicate post didnt realise that was source on vlan 14

From

http://www.cisco.com/c/en/us/support/docs/ip/hot-standby-router-protocol-hsrp/10583-62.html

These messages specifically indicate that the router received a data packet that was sourced from the HSRP IP address on VLAN 14 with the MAC addresses x.x.x Since the HSRP MAC address is x.x.x, either the router in question received its own packet back or both routers in the HSRP group went into the active state. Because the router received its own packet, the problem most likely is with the network rather than the router. A variety of problems can cause this behavior. Among the possible network problems that cause the error messages are:

  • Momentary STP loops

  • EtherChannel configuration issues

  • Duplicated frames

Madhukrishnan

i did the mac move command and still there is no log i can see but the duplicate address message.

@ Hitesh 

the show span vlan command result is as below for both switches:

VLAN0014
  Spanning tree enabled protocol rstp
  Root ID    Priority    4110
             Address     0015.62b4.7640
             Cost        3
             Port        1281 (Port-channel1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    8206   (priority 8192 sys-id-ext 14)
             Address     c47d.4f73.9c80
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi2/1               Desg FWD 4         128.129  P2p
Gi2/3               Desg FWD 4         128.131  P2p
Gi3/5               Desg FWD 4         128.261  P2p Peer(STP)
..

Gi3/22              Desg FWD 19        128.278  P2p
Gi3/24              Desg FWD 4         128.280  P2p
Po1                 Root FWD 3         128.1281 P2p

and for the root:

SWDIS01#sh span vlan 14

VLAN0014
  Spanning tree enabled protocol rstp
  Root ID    Priority    4110
             Address     0015.62b4.7640
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    4110   (priority 4096 sys-id-ext 14)
             Address     0015.62b4.7640
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface        Role Sts Cost      Prio.Nbr Type
---------------- ---- --- --------- -------- --------------------------------
Gi2/2            Desg FWD 4         128.66   P2p
.

.
Gi5/45           Desg FWD 4         128.301  P2p Peer(STP)
Gi5/47           Desg FWD 4         128.303  P2p Peer(STP)
Po1              Desg FWD 3         128.641  P2p

Are you getting the same duplicate message each time in logs or is it showing you a different mac or ip ?

Please share the complete logs.

Madhu

You intially said

 

%IP-4-DUPADDR: Duplicate address 10.0.140.1 on Vlan14, sourced by xxxx.xxxx.xxxx on both the switches

Can you verify its 10.0.140.1 or 10.0.14.1 ?

Also what is the mac?  is it hsrp virtual mac?

Madhu

Can you remove authentication from the group for time being and see if that helps.

 

Thanks

Hitesh

other possible reason, i can think of is that standby group 14 is used on some other vlan or 140.x is configured as secondary IP on the vlan.

if you think that the configuration is ok on both the switches then you should be looking at other devices for possible misconfig for sending HSRP messages.

HTH

Hitesh

Can you turn on mac address move notification to see if there is any L2 loops.

 

conf t

mac address table notification mac-move

 

Then check logs to see if any mac move is happening. Looks like there is a possible loop in this vlan.

 

Thanks,

Madhu.

 

*** Please Rate useful posts***

Hi,

Shouldn't the hsrp group for vlan 14 be the same on both ends ?

The same hsrp group could be used for multiple vlans, but this may cause mac address conflicts.

Regards,

Surya

This is the correct answer.  The group numbers have to match on both devices.  On switch 1 you are using group 226, but on switch 2 you are using group 14.

This is also why you are seeing a duplicate IP address error.  The VIP appears to belong to two different devices because they are in two different HSRP groups.  Change switch 1 to group 14 and the problem should disappear.

Review Cisco Networking for a $25 gift card