HSRP Troubleshooting 1 Lab

This lab was taken from gns3vault.com.

Goal

All IP addresses have been preconfigured for you.
Do not use show run! (This will spoil the fun :) Use the appropriate 'show' and 'debug' commands.
Router NewYork, NewJersey and LA are configured for HSRP so router Host has a virtual gateway IP address.

Each HSRP router should be able to become the active router and forward IP packets from the host to the ISP.

Topology

c5hsrp1.png

Configuration

As I entered the CLI, the routers issued the following warnings:

LA>
*Mar  1 00:02:31.551: %IP-4-DUPADDR: Duplicate address 192.168.1.254 on FastEthernet0/0, sourced by 1234.5678.9abc
LA>
LA>
*Mar  1 00:02:40.543: %HSRP-4-BADAUTH: Bad authentication from 192.168.1.2, group 1, remote state Active

It appears that there is a failed authentication attempt between the routers and that there is a duplicate address in the network.

NewJersey>sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.2     YES NVRAM  up                    up
FastEthernet1/0            192.168.2.2     YES NVRAM  up                    up

LA>sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.3     YES NVRAM  up                    up
FastEthernet1/0            192.168.2.3     YES NVRAM  up                    up

NewYork>sh ip int br
Interface                  IP-Address      OK? Method Status                Protocol
FastEthernet0/0            192.168.1.1     YES NVRAM  up                    up
FastEthernet1/0            192.168.2.1     YES NVRAM  up                    up

None of the interfaces have a duplicate IP address and none of them have the 192.168.1.254 address configured. That address must come from another source, which in this case has to be HSRP.

NewYork>show standby
FastEthernet0/0 - Group 11
  State is Active
    2 state changes, last state change 00:05:22
  Virtual IP address is 192.168.1.254
  Active virtual MAC address is 1234.5678.9abc
    Local virtual MAC address is 1234.5678.9abc (confgd)
[...]

LA>show standby
FastEthernet0/0 - Group 1
  State is Active
    2 state changes, last state change 00:05:47
  Virtual IP address is 192.168.1.254
  Active virtual MAC address is 1234.5678.9bcd
    Local virtual MAC address is 1234.5678.9bcd (confgd)

NewJersey>show standby
FastEthernet0/0 - Group 1
  State is Active
    2 state changes, last state change 00:05:56
  Virtual IP address is 192.168.1.254
  Active virtual MAC address is 1234.5678.9abc
    Local virtual MAC address is 1234.5678.9abc (confgd)

The 'show standby' output reveals the duplicate address: the virtual IP 192.168.1.254 is configured in two separate HSRP standby groups, group 11 on NewYork and group 1 on LA and NewJersey.

To fix this, we must put them all in the same HSRP group:

NewYork(config)#int f0/0
NewYork(config-if)#no standby 11
NewYork(config-if)#standby 1 ip 192.168.1.254

Good news on NewJersey: HSRP has changed states.

NewJersey>
*Mar  1 00:01:05.115: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Speak -> Standby
*Mar  1 00:01:06.219: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 1 state Standby -> Active

Issuing another 'show standby' on each router reveals a lot of useful information:

LA>show standby
FastEthernet0/0 - Group 1
  State is Active
    2 state changes, last state change 00:01:11
  Virtual IP address is 192.168.1.254
  Active virtual MAC address is 1234.5678.9bcd
    Local virtual MAC address is 1234.5678.9bcd (confgd)
  Hello time 7 sec, hold time 21 sec
    Next hello sent in 5.280 secs
  Preemption enabled
  Active router is local
  Standby router is 192.168.1.1, priority 100 (expires in 14.248 sec)

NewYork#show standby
FastEthernet0/0 - Group 1
  State is Standby
    1 state change, last state change 00:01:47
  Virtual IP address is 192.168.1.254
  Active virtual MAC address is 1234.5678.9bcd
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 7 sec, hold time 21 sec
    Next hello sent in 4.836 secs
  Preemption disabled
  Active router is 192.168.1.3, priority 190 (expires in 20.476 sec)

NewJersey>show standby
FastEthernet0/0 - Group 1
  State is Active
    2 state changes, last state change 00:02:28
  Virtual IP address is 192.168.1.254
  Active virtual MAC address is 1234.5678.9abc
    Local virtual MAC address is 1234.5678.9abc (confgd)
  Hello time 8 sec, hold time 22 sec
    Next hello sent in 3.140 secs
  Authentication text "vualt"
  Preemption disabled
  Active router is local
  Standby router is unknown

NewYork acknowledges LA as the active router and LA acknowledges NewYork as the standby router. This means that the problem is on NewJersey.
From the output, notice that NewJersey expects authentication, while the others do not. There are two options to fix this: set up authentication on all of them, or remove authentication on NewJersey.

NewJersey(config)#int f0/0
NewJersey(config-if)#no standby 1 authentication

Notice also that the MAC addresses are different. NewYork has the default, automatically-generated MAC address, while the other routers have a configured MAC address.

Host will be able to ping ISP, but once the active router fails, Host will lose connectivity. The reason for this is that the virtual IP of the HSRP group is mapped in Host's ARP table to one of these MAC addresses. If the routers do not share the same virtual MAC address, Host must wait for its ARP entry to time out and issue an ARP request to get the new MAC address. This defeats the purpose of HSRP.
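
The side-by-side comparison of the three 'show standby' outputs can also be scripted. The following Python is an added example, not part of the original lab: it parses a pasted session and reports the settings that differ between routers meant to share one HSRP group. The names CAPTURE, FIELDS, parse and audit are illustrative, the sample is abbreviated from the output above, and the timer check goes beyond what the text discusses.

```python
import re

# Constructed sample: the second round of 'show standby' output above, abbreviated.
CAPTURE = """\
LA>show standby
FastEthernet0/0 - Group 1
  State is Active
    Local virtual MAC address is 1234.5678.9bcd (confgd)
  Hello time 7 sec, hold time 21 sec
NewYork#show standby
FastEthernet0/0 - Group 1
  State is Standby
    Local virtual MAC address is 0000.0c07.ac01 (v1 default)
  Hello time 7 sec, hold time 21 sec
NewJersey>show standby
FastEthernet0/0 - Group 1
  State is Active
    Local virtual MAC address is 1234.5678.9abc (confgd)
  Hello time 8 sec, hold time 22 sec
  Authentication text "vualt"
"""

# Assumption: every router in the capture is meant to serve the same virtual gateway.
FIELDS = {
    "group": r"- Group (\d+)",
    "state": r"State is (\w+)",
    "mac": r"Local virtual MAC address is (\S+)",
    "timers": r"Hello time (\d+) sec, hold time (\d+) sec",
    "auth": r"Authentication (.+)",
}

def parse(capture):
    # Split a pasted session on 'Host>show standby' prompts -> {host: {field: value}}
    parts = re.split(r"^(\S+)[>#]show standby\s*$", capture, flags=re.M)
    routers = {}
    for host, body in zip(parts[1::2], parts[2::2]):
        hits = {k: re.search(rx, body) for k, rx in FIELDS.items()}
        routers[host] = {k: m and " ".join(m.groups()) for k, m in hits.items()}
    return routers

def audit(routers):
    # Settings that should agree on every member of one HSRP group
    findings = [f"{k} mismatch" for k in ("group", "mac", "timers", "auth")
                if len({r[k] for r in routers.values()}) > 1]
    active = sorted(h for h, r in routers.items() if r["state"] == "Active")
    if len(active) > 1:
        findings.append("multiple active: " + ",".join(active))
    return findings
```

Calling audit(parse(CAPTURE)) on this sample flags the virtual MAC, timer and authentication differences and the two simultaneous active routers, which are the faults worked through in this lab.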

I will start a ping from Host and disable the interface on the active router, which is LA at the moment. The ping will time out and connectivity will be lost.
To avoid waiting for 21 seconds I changed the timers to 2 and 6 using the 'standby 1 timers 2 6' command on the three interfaces.
I also noticed that the default gateway was improperly configured on Host. The default gateway was set to 192.168.11.254.

Host(config)#ip default-gateway 192.168.1.254

Host#ping 192.168.1.254 repeat 1000

Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 192.168.2.254, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!.......
Success rate is 92 percent (87/94), round-trip min/avg/max = 12/31/52 ms

I have now removed the configured MAC addresses on the standby interfaces and turned on all interfaces.

NewYork(config-if)#no standby 1 mac-address
NewJersey(config-if)#no standby 1 mac-address
LA(config-if)#no standby 1 mac-address

The ping should not lose connectivity now.

Host#ping 192.168.1.254 repeat 1000

Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 192.168.1.254, timeout is 2 seconds:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!..!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!....!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!.
Success rate is 97 percent (301/309), round-trip min/avg/max = 12/20/52 ms

The first ping failure happened when I disabled the active router's interface. Only two pings have been lost while the standby router switched to active.
The second ping failure happened when I disabled the new active router's interface. This took longer because the last router had to transition from Listen to Standby to Active.
The last ping failed because I aborted the ping and it did not have time to receive the reply.

In order to ping the loopbacks on ISP, connectivity must be established between the gateways and ISP. The gateways are now redundant, so any remaining problem is not caused by HSRP.

In this case, OSPF is enabled only on NewJersey and the other routers cannot reach the loopbacks on ISP. If you decide to enable OSPF to achieve full connectivity, note that some of the interfaces are set to passive on some of the routers.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License