
Backup router constantly changing VRRP state when primary router is online

I am working out a configuration for two Cisco routers so that one router is the master router for three subnets, and the second router is a backup for those subnets.  My problem is that the backup router VRRP state changes constantly when the primary router is VRRP master.

The primary router is a Cisco 1751 with the following relevant config:

track 1 ip route 0.0.0.0 0.0.0.0 reachability
interface FastEthernet0/0.1
 description NativeVLAN
 encapsulation dot1Q 1 native
 ip address 192.168.0.2 255.255.255.0
 vrrp 1 ip 192.168.0.1
 vrrp 1 preempt delay minimum 120
 vrrp 1 priority 105
 vrrp 1 authentication md5 key-string 7 BLAH-ITMATCHESONBOTH-BLAH
 vrrp 1 track 1

The backup router is a Cisco 871 with the following relevant config:

interface FastEthernet4.1
 encapsulation dot1Q 1 native
 ip address 192.168.0.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 no snmp trap link-status
 vrrp 1 ip 192.168.0.1
 vrrp 1 authentication md5 key-string 7 BLAH-ITMATCHESONBOTH-BLAH

I am forcing the priority on the 1751 router to change by manually adding and removing a default route.  This is correctly causing the priority to change from 105 to 95 (and back).  When the 1751 router has a priority of 95, it goes to the backup state and the 871 goes to the master state.  Everything works as expected during this time.

However, when the 1751 priority changes to 105, the 871 state is constantly changing between master and backup for all three segments.  I only included the config for a single vLAN because I would imagine fixing one would allow me to fix all three.  If all vLANs are somehow causing the problem, then I'll include the entire config if necessary.

The constant state changing appears to be due to the 871 not seeing the advertisement every second (it changes state after 3.6 seconds), but shortly after changing the state it sees the advertisement so it drops back to backup status.  It's almost like it cannot communicate on the network when it is in the backup status.

For this exercise both routers are connected to an HP switch that is configured for all three vLANs.  The default vLAN (1) is untagged on all ports, and the other two vLANs are tagged for both ports the routers are plugged into.
Asked by PHFrench
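A worked model of the timers behind the 3.6 second figure in the question, added here as an example (it is not code from the thread or from Cisco). It implements the RFC 3768 VRRPv2 Master_Down_Interval arithmetic and the Backup/Master state machine in Python, then replays two constructed advertisement timelines: the question's symptom (three lost advertisements from the 1751 while it is at priority 105) and the tracked failover (the 1751 dropped to 95). The 871's priority of 100, the 1 second advertisement interval, preempt being enabled and the track decrement of 10 are the Cisco defaults and are assumptions, since the thread never states them.

```python
"""VRRPv2 (RFC 3768) timer arithmetic and Backup/Master state machine.
Added example, not code from the thread. All timelines below are constructed;
the 871's priority (100) and the other defaults are assumed, not stated there."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import List, Tuple

ADVERT_INTERVAL = 1.0  # seconds; RFC 3768 and Cisco default


def skew_time(priority: int) -> float:
    """Skew_Time = (256 - Priority) / 256: higher-priority backups time out first."""
    return (256 - priority) / 256.0


def master_down_interval(priority: int, advert_interval: float = ADVERT_INTERVAL) -> float:
    """Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time.
    For priority 100 that is 3.609375 s, the ~3.6 s the question reports."""
    return 3 * advert_interval + skew_time(priority)


def tracked_priority(configured: int, track_up: bool, decrement: int = 10) -> int:
    """Cisco 'vrrp N track M': priority drops by the decrement (default 10) while the
    tracked object is down, so 105 becomes 95 when the default route disappears."""
    return configured if track_up else configured - decrement


@dataclass
class VrrpBackup:
    """The local router on one VLAN (one VRID), starting below priority 255."""
    ip: IPv4Address
    priority: int
    preempt: bool = True
    advert_interval: float = ADVERT_INTERVAL
    state: str = "Initialize"
    master_down_at: float = 0.0
    transitions: List[Tuple[float, str]] = field(default_factory=list)

    def _enter(self, now: float, state: str) -> None:
        self.state = state
        self.transitions.append((now, state))
        if state == "Backup":  # (re)arm the Master_Down_Timer
            self.master_down_at = now + master_down_interval(self.priority, self.advert_interval)

    def run(self, adverts: List[Tuple[float, int, str]], end_time: float) -> List[Tuple[float, str]]:
        """adverts: (receive time, advertised priority, sender IP); returns state changes."""
        self._enter(0.0, "Backup")
        for t, prio, sender in sorted(adverts) + [(end_time, None, "")]:
            # Fire the Master_Down_Timer if it expires before this event arrives.
            if self.state == "Backup" and self.master_down_at <= t:
                self._enter(self.master_down_at, "Master")
            if prio is None:
                break
            if self.state == "Backup":
                if prio == 0:  # master is shutting down: take over after Skew_Time
                    self.master_down_at = t + skew_time(self.priority)
                elif not self.preempt or prio >= self.priority:
                    self.master_down_at = t + master_down_interval(self.priority, self.advert_interval)
                # lower priority with preempt on: discard it and let the timer run out
            else:  # Master: yield to a better advertisement (RFC 3768 6.4.3)
                if prio > self.priority or (prio == self.priority and IPv4Address(sender) > self.ip):
                    self._enter(t, "Backup")
        return self.transitions


def flapping_backup_scenario() -> List[Tuple[float, str]]:
    """Question's symptom: the 1751 (priority 105) is master, but its 1 s
    advertisements at t=3, 4 and 5 never reach the 871 (priority 100)."""
    r871 = VrrpBackup(ip=IPv4Address("192.168.0.3"), priority=100)
    seen = [(t, 105, "192.168.0.2") for t in (0.0, 1.0, 2.0, 6.0, 7.0, 8.0)]
    return r871.run(seen, end_time=10.0)


def tracked_failover_scenario() -> List[Tuple[float, str]]:
    """Default route withdrawn on the 1751: it advertises 95, the 871 discards
    those advertisements and takes over when its timer expires."""
    r871 = VrrpBackup(ip=IPv4Address("192.168.0.3"), priority=100)
    prio = tracked_priority(105, track_up=False)
    seen = [(float(t), prio, "192.168.0.2") for t in range(10)]
    return r871.run(seen, end_time=10.0)


if __name__ == "__main__":
    print("Master_Down_Interval at priority 100:", master_down_interval(100))
    print("lost advertisements:", flapping_backup_scenario())
    print("tracked failover:   ", tracked_failover_scenario())
```

With a priority of 100 the backup declares the master dead 3.609375 s after the last advertisement it accepted, which is the 3.6 s in the question; the next advertisement from the higher-priority master then sends it straight back to Backup, so each run of three lost advertisements appears as one Master/Backup flip. That makes lost or delayed multicast frames (VRRP uses 224.0.0.18, IP protocol 112) on the trunk the thing to rule out, alongside a master that briefly stops advertising.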
1 Solution
 
Nothing_Changed Commented:
Just for testing, I'd kick the delay minimum either down to 10 or 20, or just delete it. For production, I like a delay as you've configured.

And to cover the obvious, check that each of the subnets is in a separate VLAN, that they can't see each other's broadcasts, that they have unique MACs and IPs and non-overlapping masks, and that there are no spanning tree issues. Also, check for duplex mismatches, since lost frames could account for your issue as well.
 
PHFrench (Author) Commented:
I removed the delay minimum, but it didn't seem to change anything.

The subnets should be in separate vLANs, but I am including the configs of both routers so you can see if i screwed up something.  The dynamic routing and tunnels are not being used at this time as the three devices are currently isolated (two routers and a switch).

I verified MACs were unique, and spanning-tree is not in use on the switch.  Each device has a single connection to the switch.

I also verified that both router interfaces were reporting 10/100 Full which matched what the switch was reporting for those two ports.

Thanks for your help.
** Router 1 **
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname TST_R1
!
boot-start-marker
boot-end-marker
!
enable secret 5 YOUNOTAKESECRET
!
no aaa new-model
memory-size iomem 15
mmi polling-interval 60
no mmi auto-configure
no mmi pvc
mmi snmp-timeout 180
!
ip cef
!
username admin privilege 15 password 7 YOUNOTAKEPW
!
track 1 ip route 0.0.0.0 0.0.0.0 reachability
!
interface FastEthernet0/0
 no ip address
 speed auto
!
interface FastEthernet0/0.1
 description NativeVLAN
 encapsulation dot1Q 1 native
 ip address 192.168.0.2 255.255.255.0
 vrrp 1 ip 192.168.0.1
 vrrp 1 preempt delay minimum 120
 vrrp 1 priority 105
 vrrp 1 authentication md5 key-string 7 YOUNOTAKEKEYSTRING
 vrrp 1 track 1
!
interface FastEthernet0/0.10
 description printersWiFi
 encapsulation dot1Q 10
 ip address 192.168.10.2 255.255.255.0
 vrrp 10 ip 192.168.10.1
 vrrp 10 preempt delay minimum 120
 vrrp 10 priority 105
 vrrp 10 authentication md5 key-string 7 YOUNOTAKEKEYSTRING
 vrrp 10 track 1
!
interface FastEthernet0/0.20
 description MFAINC
 encapsulation dot1Q 20
 ip address 192.168.20.2 255.255.255.0
 vrrp 20 ip 192.168.20.1
 vrrp 20 preempt delay minimum 120
 vrrp 20 priority 105
 vrrp 20 authentication md5 key-string 7 YOUNOTAKEKEYSTRING
 vrrp 20 track 1
!
interface Serial1/0
 ip address 192.168.100.2 255.255.255.252
!
ip route 0.0.0.0 0.0.0.0 FastEthernet0/0.1
no ip http server
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
end
 
 
** Router 2 **
version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname TST_R2
!
boot-start-marker
boot-end-marker
!
logging buffered 51200 warnings
enable secret 5 YOUNOTAKESECRET
!
no aaa new-model
!
resource policy
!
ip subnet-zero
ip cef
!
no ip domain lookup
ip domain name mfadomain.mfa.net
ip name-server DADNSSERVER1
ip name-server DADNSSERVER2
!
!
crypto pki trustpoint TP-self-signed-67365310
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-67365310
 revocation-check none
 rsakeypair TP-self-signed-67365310
!
!
crypto pki certificate chain TP-self-signed-67365310
 certificate self-signed 01
  3082024C 308201B5 A0030201 02020101 300D0609 2A864886 F70D0101 04050030 
  quit
username admin privilege 15 password 7 YOUNOTAKEPW
!
crypto isakmp policy 1
 authentication pre-share
crypto isakmp key YOUNOTAKEKEY address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set 3DES esp-3des esp-sha-hmac 
 mode transport
!
crypto ipsec profile DMVPN
 set transform-set 3DES 
!
!
!
!
interface Tunnel1
 bandwidth 10
 ip address 192.168.254.40 255.255.255.0
 ip mtu 1400
 ip nhrp authentication YOUNOTAKEKEY
 ip nhrp map 192.168.254.2 InternetIP1
 ip nhrp map multicast InternetIP1
 ip nhrp network-id 254
 ip nhrp holdtime 300
 ip nhrp nhs 192.168.254.2
 ip nhrp cache non-authoritative
 ip tcp adjust-mss 1360
 tunnel source Vlan1
 tunnel destination InternetIP1
 tunnel key 254
 tunnel protection ipsec profile DMVPN
!
interface Tunnel0
 bandwidth 1000
 ip address 192.168.255.40 255.255.255.0
 ip mtu 1400
 ip nhrp authentication YOUNOTAKEKEY
 ip nhrp map 192.168.255.2 InternetIP2
 ip nhrp map multicast InternetIP2
 ip nhrp network-id 255
 ip nhrp holdtime 300
 ip nhrp nhs 192.168.255.2
 ip nhrp cache non-authoritative
 ip tcp adjust-mss 1360
 tunnel source Vlan1
 tunnel destination InternetIP2
 tunnel key 255
 tunnel protection ipsec profile DMVPN
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet4.1
 encapsulation dot1Q 1 native
 ip address 192.168.0.3 255.255.255.0
 ip nat inside
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 no snmp trap link-status
 vrrp 1 ip 192.168.0.1
 vrrp 1 authentication md5 key-string 7 YOUNOTAKEKEYSTRING
 no cdp enable
!
interface FastEthernet4.10
 encapsulation dot1Q 10
 ip address 192.168.10.3 255.255.255.0
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 no snmp trap link-status
 vrrp 10 ip 192.168.10.1
 vrrp 10 authentication md5 key-string 7 YOUNOTAKEKEYSTRING
 no cdp enable
!
interface FastEthernet4.20
 encapsulation dot1Q 20
 ip address 192.168.20.3 255.255.255.0
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 no snmp trap link-status
 vrrp 20 ip 192.168.20.1
 vrrp 20 authentication md5 key-string 7 YOUNOTAKEKEYSTRING
 no cdp enable
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address dhcp
 ip access-group 100 in
 ip access-group 101 out
 ip virtual-reassembly
!
router eigrp 100
 passive-interface default
 no passive-interface Tunnel1
 no passive-interface Tunnel0
 network 192.168.0.0 0.0.0.255
 network 192.168.10.0 0.0.0.255
 network 192.168.20.0 0.0.0.255
 auto-summary
!
no ip classless
no ip forward-protocol udp tftp
no ip forward-protocol udp domain
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
ip route 0.0.0.0 0.0.0.0 InternetGWIP
ip route 192.168.0.0 255.255.255.0 Tunnel0 4
ip route 192.168.10.0 255.255.255.0 Tunnel0 4
ip route 192.168.20.0 255.255.255.0 Tunnel0 4
!
ip http server
ip http authentication local
ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
!
access-list 100 permit ip host InternetIP1 any
access-list 100 permit ip 68.10.16.0 0.0.0.255 any
access-list 100 permit ip host InternetIP2 any
access-list 100 deny   ip any any
access-list 101 permit ip any host InternetIP1
access-list 101 permit ip any host InternetIP2
access-list 101 permit ip any 192.168.0.0 0.0.255.255
access-list 101 deny   ip any any
snmp-server community public RO
no cdp run
!
control-plane
!
line con 0
line aux 0
line vty 0 4
!
scheduler max-task-time 5000
end

 
Nothing_Changed Commented:
Those look clean, I assume the switch is dot1q enabled as well, and that VLANs 1, 10, and 20 are in the trunk ports the routers are plugged into, and VLAN 1 is native on the switch as well? One suggestion I'd make is that if you think mss is an issue (you clamp it in the config on router two), for testing I would push that down to like 1272 as well, to eliminate any possibility of segment size problems (that's admittedly not likely to be an issue).

If all that looks OK, the next step I'd use is to slap a Sniffer or Wireshark in the switch, and span one of the router ports to it; I'd start with the one who will be re-taking master. If you don't have a Network General or Netscout Sniffer card, you will probably not be able to see 802.1Q tags with your NIC, so you may want to span a virtual port to the Sniffer instead of the physical router port, and troubleshoot one VLAN at a time. And you're probably right, whatever is doing one will do them all. If you want to file attach a small capture, I'll have a look at that too.
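For the capture step suggested in the comment above, here is an added Python example (not from the thread, nor from any vendor tool) that decodes VRRPv2 advertisements as laid out in RFC 3768 section 5.3, verifies their checksum, and reports every gap between consecutive VRID 1 advertisements that is longer than the receiving backup's Master_Down_Interval. The packets and timestamps are constructed to resemble the 1751's advertisements on VLAN 1, not real capture data, and the backup priority of 100 behind the threshold is assumed. It does not validate Cisco's MD5 key-string authentication; it only reports the standard auth-type field.

```python
"""Decode VRRPv2 advertisements (RFC 3768 5.3) and find gaps long enough to
make a backup take over. Added example, not from the thread; SAMPLE_CAPTURE
is constructed, not a real capture."""
import socket
import struct
from typing import Dict, List, Tuple

VRRP_PROTO = 112          # IP protocol number carrying VRRP
VRRP_MCAST = "224.0.0.18"  # destination of every advertisement


def inet_checksum(data: bytes) -> int:
    """Standard one's-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advert(vrid: int, priority: int, vips: List[str], adver_int: int = 1) -> bytes:
    """Build an ADVERTISEMENT: version 2, type 1, auth type 0, 8 zero auth bytes."""
    header = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority, len(vips), 0, adver_int, 0)
    body = b"".join(socket.inet_aton(ip) for ip in vips) + bytes(8)
    csum = inet_checksum(header + body)
    return header[:6] + struct.pack("!H", csum) + body


def parse_advert(pkt: bytes) -> Dict:
    """Return the header fields; raise ValueError on anything that is not VRRPv2."""
    if len(pkt) < 16:
        raise ValueError("too short for a VRRPv2 advertisement")
    vt, vrid, priority, count, auth_type, adver_int, _csum = struct.unpack("!BBBBBBH", pkt[:8])
    version, ptype = vt >> 4, vt & 0x0F
    if version != 2 or ptype != 1:
        raise ValueError(f"not a VRRPv2 advertisement: version={version} type={ptype}")
    need = 8 + 4 * count + 8
    if len(pkt) < need:
        raise ValueError("truncated address/authentication fields")
    vips = [socket.inet_ntoa(pkt[8 + 4 * i:12 + 4 * i]) for i in range(count)]
    return {
        "vrid": vrid, "priority": priority, "adver_int": adver_int,
        "auth_type": auth_type, "vips": vips,
        # the checksum covers the whole message, so summing it again must give 0
        "checksum_ok": inet_checksum(pkt[:need]) == 0,
    }


def advert_gaps(capture: List[Tuple[float, bytes]], vrid: int,
                master_down: float) -> List[Tuple[float, float, float]]:
    """(previous, current, gap) for valid adverts of this VRID spaced further apart
    than master_down; each one is a Backup->Master flip on the receiving router."""
    times = []
    for ts, pkt in sorted(capture):
        try:
            adv = parse_advert(pkt)
        except ValueError:
            continue  # not VRRP or damaged; a real capture filter would drop it too
        if adv["vrid"] == vrid and adv["checksum_ok"] and adv["priority"] > 0:
            times.append(ts)
    return [(a, b, b - a) for a, b in zip(times, times[1:]) if b - a > master_down]


# Constructed timeline: 1751 (priority 105) advertising VRID 1, three frames lost.
SAMPLE_CAPTURE = [(float(t), build_advert(1, 105, ["192.168.0.1"])) for t in (0, 1, 2, 6, 7, 8)]
# Master_Down_Interval of a priority-100 backup: 3 * 1 s + (256 - 100) / 256 = 3.609375 s
MASTER_DOWN_100 = 3 * 1 + (256 - 100) / 256

if __name__ == "__main__":
    print(parse_advert(SAMPLE_CAPTURE[0][1]))
    for prev, cur, gap in advert_gaps(SAMPLE_CAPTURE, 1, MASTER_DOWN_100):
        print(f"gap of {gap:.3f} s between t={prev} and t={cur}: backup would go Master")
```

In Wireshark the same check is a display filter of `vrrp` on the spanned port (or `vrrp && vlan.id == 1` when the tags are visible) followed by a look at the delta time column: a spacing above 3.6 s between two advertisements from 192.168.0.2, or an advertisement whose priority is unexpectedly below 100, explains a flip on the 871.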
 
PHFrench (Author) Commented:
The switch is an HP ProCurve 2650 that supports vLANs.  vLAN1 is native, and both router ports are tagged for the other two vLANs (10 and 20).

I'll put a sniffer on the connection and capture the VRRP communications.  If I can't see vLAN tagging, then I'll do what you suggest and capture one at a time.  If I can't make heads or tails of it, I'll attach the captures so you can take a look.  I really appreciate all of your thoughts and help on this.

Shortly after my initial post I came down with a bug that's going around here, so I'll try to get to this tomorrow when my head will be operating above 35% efficiency.
 
Nothing_Changed Commented:
Ugh, sorry about the sickness; I'm the same way, I can't think when I'm sick.

I've used the ProCurve. I think the thing was that the native VLAN and the other VLANs all had to be explicitly defined in the trunk, if I recall, but it's been forever...
 
PHFrench (Author) Commented:
I apologize for the delay on responding back, but I did find out what the problem was just this week.  I've been out traveling for over a month so when I finally got back, my test environment for this had been decommissioned as equipment was needed for various production needs.  So I built a new environment to replicate the problem, and I found I was unable to.  The difference in the two environments was the first had an 871 router and the second did not.  Ultimately, I found the IOS version on the 871 was causing the problem as once it was upgraded to the absolute latest, the VRRP problem went away.

Gotta love IOS bugs.