Cisco Community
English
Register
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

Community Helping Community

946
Views
0
Helpful
5
Replies
Highlighted
o.breiler
o.breiler Beginner
Beginner
‎11-22-2012 05:26 AM
‎11-22-2012 05:26 AM

network unreachable via standby router, misconfigured standby groups?

This is our topology:

Zeichnung1.jpg

The two Nexus 7010 are our core switches. The two Catalyst 6509 "65-01" and "65-02" are our core routing devices. They provide the OSPF processes and standby groups for all our VLAN interfaces.

VLAN 2 is our internet vlan. The ASA failover cluster is connected via two Catalyst 3550 switches to VLAN 2. "ASA-2" is the primary and active device.

"65-02" is always the active member for all standby groups:

65-2#sho stand brief

                     P indicates configured to preempt.

                     |

Interface   Grp Prio P State    Active addr     Standby addr    Group addr

Vl1         1   110  P Active   local           192.168.114.51  192.168.114.50

Vl2         2   110  P Active   local           10.10.10.51       10.10.10.50

65-2#sho run int vlan 2

!

interface Vlan2

ip address 10.10.10.52 255.255.255.0

no ip redirects

standby 2 ip 10.10.10.50

standby 2 priority 110

standby 2 preempt

end

65-2#sho run int vlan 1

!

interface Vlan1

ip address 192.168.114.52 255.255.254.0

no ip redirects

standby 1 ip 192.168.114.50

standby 1 priority 110

standby 1 preempt

end

On both "65-1" and "65-2" a default route is set and pointing to ASA failover cluster inside address 10.10.10.200:

ip route 0.0.0.0 0.0.0.0 10.10.10.200

So, now the problem !!!

yesterday interface 1/1 on "65-02" went down due to a malfunctioning line card. The primary active "ASA-2" stayed active and didn't make a failover to secondary ASA, because all local interface were still connected. OK

The two standby groups 1 and 2 also probably stayed active on "65-02" and didn't switch over to "65-01". OK

www was unreachable for all clients in VLAN 1, but also for all other clients. NOT OK !!

After powering active ASA-2 off and ASA-1 becoming active, www was reachable again. ???

What could be the problem for it?

After fixing the line card issue and switching back to ASA-2 as active device we tested a little. So, usually the MAC address of standby ASA-1 ip 10.10.10.254 is learned on "65-02" via Po3. OK

After shutting down interface 1/1 on "65-01" manually the MAC was learned on "65-02" via interface 1/1, because the cross link between two "35-2" provides the mac to "65-02". OK

So that part works.

Could the way back (answer packets) from ASA to client in VLAN 1 be the problem? After a failure of int 1/1 on "65-02" all packets from ASA-2 to client arrive on "65-01", which is only standby member for VLAN interfaces?

We have no ideas and are not allowed to test it again the hard way and shut interface 1/1 on "65-02" again. :-(

Any ideas?

Labels:
0 Helpful
Reply
5 REPLIES 5
acampbell
acampbell Advocate
Advocate
‎11-22-2012 08:53 AM
‎11-22-2012 08:53 AM

Re: network unreachable via standby router, misconfigured standb

Oliver,

You saw an issue with int 1/1 on 65-02.
Did the coresponding int on 35-02 show that
it was down ?

If this in was still up it could be passing data to
65-02 int 1/1 as if nothing was wrong.

You could also try changing your HSRP for VLAN2 on 65-02

!

interface Vlan2

ip address 10.10.10.52 255.255.255.0
no ip redirects
standby 2 ip 10.10.10.50
standby 2 priority 110
standby 2 preempt
standby 2 track (int 1/1) 20
end

This will mean that the HSRP will hand off to 65-01 in the event
of 65-02 int 1/1 failing.

Regards, Alex. Please rate useful posts.
0 Helpful
Reply
o.breiler
o.breiler Beginner
Beginner
‎11-23-2012 02:58 AM
‎11-23-2012 02:58 AM

network unreachable via standby router, misconfigured standby gr

Hi,

thank you for your response.

yes, corresponding interface on 35-2 was down.

Yes, it's a good advise for a workaround to track the interface. We also thought about it. But we think, it is just a workaround, not a solution. In addition we have 10 standby groups and 65-02 is the active member for all of these groups. So we need to track the interface 1/1 within all standby groups. Does this makes sense?

In our topology there must be a way to use the usual standby group rerouting and reswitching mechanisms, must it not?

What we don't know is, what happens with packets (containing vlan1 and vlan2 addresses in source and destination) arriving on 65-01, if 65-01 is only the standby member for standby groups 1 and 2? What is its default behavior?

0 Helpful
Reply
Abzal
Abzal Rising star
Rising star
‎11-23-2012 03:56 AM
‎11-23-2012 03:56 AM

network unreachable via standby router, misconfigured standby gr

Hi Oliver,

yes, you need to track interface withtin all standby groups on active HSRP. Active HSRP should be also STP root bridge in this way standby HSRP trunk ports will be on ALT state unless root port goes down. So packets will flow toward active HSRP.

Hope it will help.

Hope it will help. Best regards, Abzal
0 Helpful
Reply
pille1234
pille1234 Participant
Participant
‎11-24-2012 01:56 PM
‎11-24-2012 01:56 PM

network unreachable via standby router, misconfigured standby gr

Hi,

you have an interesting problem there. Tracking the interfaces is a good practise because it improves your traffic flow, however your problem seems to go deeper Based on this

After powering active ASA-2 off and ASA-1 becoming active, www was reachable again. ???

I would check the interlink between 35-1 and 35-2. VLAN 2 should be allowed on this trunk (?) port on both sides. This way you can always reach the current active ASA-IP.

To your question 

What we don't know is, what happens with packets (containing vlan1 and  vlan2 addresses in source and destination) arriving on 65-01, if 65-01  is only the standby member for standby groups 1 and 2? What is its  default behavior?

The packets from the Internet destined for vlan 1 will be sent to the next hop address from the active ASA. In your case, the next hop is most probably the HSRP IP of vlan 2. Therefore the ASA arps for the HSRP virtual MAC address and (hopefully) gets an answer from 65-02. The packet is then sent out on the inside interface, goes through 35-1 to 65-01 and will be switched in a pure layer 2 style out to portchannel 2 until the 65-02 is reached where the routing to vlan 1 takes place.

Hope it helps.

Regards Pille

0 Helpful
Reply
Peter Koltl
Peter Koltl Contributor
Contributor
‎11-25-2012 02:21 PM
‎11-25-2012 02:21 PM

network unreachable via standby router, misconfigured standby gr

I would add the ASA's to the OSPF domain then you could forget HSRP and all tracking in VLAN2. Another important condition: there must be a VLAN apart from VLAN2 where 65-01 and 65-02 speak OSPF with each other (on a different physical interface).

0 Helpful
Reply
Latest Contents
Community Live slides - Getting to know Cisco SD-WAN
Created by ciscomoderator on 12-10-2019 06:56 PM
0
0
0
0
Community Live slides- Getting to know Cisco SD-WAN (Live event - formerly known as Webcast-  Wednesday December 11, 2019 at 10 am Pacific/ 1 pm Eastern / 7 pm Paris) This event had place on Wednesday 11th, December 2019 at 10hrs PDT  This sessi... view more
Ask Me Anything event - Getting to know Cisco SD-WAN
Created by ciscomoderator on 12-10-2019 06:48 PM
0
0
0
0
To   participate   in this event, please use the   button   to ask your questions This topic is a chance to clarify your questions about the Cisco Software-Defined WAN (SD-WAN) solution, its historical roo... view more
Ask Me Anything event - Configuration, Verification, and Tro...
Created by ciscomoderator on 12-09-2019 03:03 PM
0
0
0
0
To   participate   in this event, please use the   button   to ask your questions This topic is a chance to clarify your questions about the configuration, verification, troubleshooting and gener... view more
Recent changes in SRIOV VF mapping in NFVIS GUI
Created by gosekar on 12-05-2019 06:59 PM
0
0
0
0
Starting from NFVIS 3.12 versions, the deploy option does not depict all the SR-IOV VFs(Virtual Functions) available in a physical interface. This change is introduced as (i) the number of VFs of ENCS platform on LANs side is increased to 24 and (ii) the... view more
Community Live- Getting to know Cisco SD-WAN
Created by ciscomoderator on 12-05-2019 12:41 PM
0
0
0
0
Community Live- Getting to know Cisco SD-WAN (Live event - formerly known as Webcast-  Wednesday December 11, 2019 at 10 am Pacific/ 1 pm Eastern / 7 pm Paris) This event had place on Wednesday 11th, December 2019 at 10hrs PDT  This session prov... view more
CreatePlease to create content
Discussion
Blog
Document
Video
Content for Community-Ad