Solved

%HSRP-4-DIFFVIP1

Posted on 2011-03-04
Last Modified: 2012-05-11
Hi Experts,

I have a LAN network with 26 VLANs configured on Cisco switches (6513). I have configured HSRP on the switches for redundancy. Today I experienced this error, %HSRP-4-DIFFVIP1, in one of my VLANs, which resulted in traffic between the active and standby switch.

Quick search showed that this error is a result of virtual IP mismatch, which is not the case with my configs (see attached sample/below cfg).

What else could make this vlan flap between active and standby HSRP interfaces? The flapping vlan is 5.



switch01#
-------output omitted--------------------

interface Vlan1
 ip address 172.33.144.3 255.255.255.192
 standby 1 ip 172.33.144.1
!
interface Vlan2
 ip address 172.33.142.3 255.255.255.128
 ip helper-address 172.33.156.113
 standby 1 ip 172.33.142.1
!
interface Vlan3
 ip address 172.33.142.131 255.255.255.128
 ip helper-address 172.33.156.113
 standby 1 ip 172.33.142.129
!
interface Vlan4
 ip address 172.33.144.67 255.255.255.192
 ip helper-address 172.33.156.113
 standby 1 ip 172.33.144.65
!
interface Vlan5
 ip address 172.33.136.3 255.255.254.0
 ip helper-address 172.33.156.113
 standby 1 ip 172.33.136.1
!
interface Vlan6
 ip address 172.33.144.195 255.255.255.192
 ip helper-address 172.33.156.113
 standby 1 ip 172.33.144.193
!



switch02#
-------output omitted--------------------

interface Vlan1
 ip address 172.33.144.2 255.255.255.192
 ip helper-address 172.33.156.113
 standby 1 ip 172.33.144.1
 standby 1 priority 200
 standby 1 preempt
!
interface Vlan2
 ip address 172.33.142.2 255.255.255.128
 ip helper-address 172.33.156.113
 standby 1 ip 172.33.142.1
 standby 1 priority 200
 standby 1 preempt
!
interface Vlan3
 ip address 172.33.142.130 255.255.255.128
 ip helper-address 172.33.156.113
 standby 1 ip 172.33.142.129
 standby 1 priority 200
 standby 1 preempt
!
interface Vlan4
 ip address 172.33.144.66 255.255.255.192
 ip helper-address 172.33.156.113
 standby 1 ip 172.33.144.65
 standby 1 priority 200
 standby 1 preempt
!
interface Vlan5
 ip address 172.33.136.2 255.255.254.0
 ip helper-address 172.33.156.113
 standby 1 ip 172.33.136.1
 standby 1 priority 200
 standby 1 preempt
!

interface Vlan6
 ip address 172.33.144.194 255.255.255.192
 ip helper-address 172.33.156.113
 standby 1 ip 172.33.144.193
 standby 1 priority 200

Question by:Seni
 
LVL 17

Expert Comment

by:MAG03
ID: 35039233
When they say virtual IP mismatch, I believe they mean the IP addresses configured on the standby, so that the IP for Standby 1 should be the same on all routers that are configured for HSRP.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 35039402
And this was working fine until recently?

If so, what was changed prior to this error message?
0
 
LVL 17

Expert Comment

by:rochey2009
ID: 35040160
Hi,

Do you have any VLANs which are leaking into one another, maybe on a temporary basis?

Example message:
*Mar  1 00:03:38.843: %HSRP-4-DIFFVIP1: FastEthernet0/0 Grp 1 active routers virtual IP address 192.168.1.3 is different to the locally configured address 192.168.0.3

What does the DIFFVIP1 error message tell you about the address that's in conflict?

(A temporary fix would be to change the HSRP group on VLAN 5.)
0
 
LVL 24

Accepted Solution

by:
rfc1180 earned 500 total points
ID: 35044847
>What else could make this vlan flap between active and standby HSRP interfaces? The flapping vlan is 5.

Explanation    The HSRP virtual IP address contained in the Hello message from the active router is different from the virtual IP address configured locally.

Recommended Action    Check the configuration on all HSRP routers in the group and ensure they are all configured with the same virtual IP address.

Easier said than done, huh.

Well, you are either running into a bug or a local attack from VLAN 5, or possibly an attack via VLAN 1 using a method called VLAN hopping. The first thing I would do is implement authentication for HSRP.

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t2/feature/guide/gthsrpau.html

You could also utilize Wireshark and SPAN vlan 5 to see what is going on from a packet perspective.

Billy

Well,
0
 
LVL 6

Expert Comment

by:alienXeno
ID: 35081360
Can you get the output of "show standby" from both switches? The error that you get is definitely about a different VIP on the switches, but HSRP can flap because of an interface within that VLAN flapping.
0
 
LVL 17

Expert Comment

by:MAG03
ID: 35081446
Here is your issue: you have the same standby group with different IPs. Standby 1 must have the same IP on all interfaces. If that is not what you want, you need to use a different group number for each VLAN (standby 1, standby 2, standby 3, etc.).

interface Vlan1
 ip address 172.33.144.3 255.255.255.192
 standby 1 ip 172.33.144.1
!
interface Vlan2
 ip address 172.33.142.3 255.255.255.128
 ip helper-address 172.33.156.113
 standby 1 ip 172.33.142.1
!
interface Vlan3
 ip address 172.33.142.131 255.255.255.128
 ip helper-address 172.33.156.113
 standby 1 ip 172.33.142.129
!
interface Vlan4
 ip address 172.33.144.67 255.255.255.192
 ip helper-address 172.33.156.113
 standby 1 ip 172.33.144.65
!
interface Vlan5
 ip address 172.33.136.3 255.255.254.0
 ip helper-address 172.33.156.113
 standby 1 ip 172.33.136.1
!
interface Vlan6
 ip address 172.33.144.195 255.255.255.192
 ip helper-address 172.33.156.113
 standby 1 ip 172.33.144.193
0
 
LVL 17

Expert Comment

by:MAG03
ID: 35081451
Change the standby group numbers and you should be fine.
0

 
LVL 50

Expert Comment

by:Don Johnston
ID: 35082169
Actually, using the same group number on different interfaces is allowed. And in some situations, it's required (I think early 6500s could only have 16 groups, so you had to reuse group numbers if you had more than 16 interfaces).
0
 
LVL 17

Expert Comment

by:MAG03
ID: 35083880
I'm not so much talking about the group numbers, or the number of identical group numbers, as the group IP addresses. From my understanding, all standby 1 groups should have the same virtual IP address.
0
 
LVL 50

Expert Comment

by:Don Johnston
ID: 35083982
No. The virtual IP address has to be consistent with the IP address of the interface. HSRP group numbers are significant only within the interface they are used on.
0
 
LVL 24

Expert Comment

by:rfc1180
ID: 35085676
I agree with Don; you should not have to change groups.

Billy
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 35086161
Don is correct... the standby number can't be seen across different VLANs, only by interfaces within the same VLAN, so the numbers are correct as they are. Different numbers are generally used for clarity.

I also agree with rfc: implement authentication on VLAN 5 between the two routers, as I think it's probably another router trying to use the same standby group number on VLAN 5.
0
 
LVL 45

Expert Comment

by:Craig Beck
ID: 35086498
Are you seeing this error for any other VLANs? If you are, this is just something else to check (as you are using the same group numbers for each VLAN, I've seen this in the past)...

In the %HSRP-4-DIFFVIP1 message you may see the IP address of the 'rogue' router that is causing the issue.  If the IP address mentioned is the same as an IP address on one of your other VLANs you probably need to look at your STP config as there may be a loop.
0
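The check suggested in the comment above (compare the address in the %HSRP-4-DIFFVIP1 message with the addressing of the other VLANs), as an added example that is not part of the original thread. The `SVIS` table is copied from the switch01 configuration in the question; the log lines are constructed samples, and the names `classify` and `report` are hypothetical.

```python
import ipaddress
import re

# Interface address/prefix and HSRP virtual IP per SVI, copied from the
# switch01 configuration posted in the question.
SVIS = {
    "Vlan1": ("172.33.144.3/26", "172.33.144.1"),
    "Vlan2": ("172.33.142.3/25", "172.33.142.1"),
    "Vlan3": ("172.33.142.131/25", "172.33.142.129"),
    "Vlan4": ("172.33.144.67/26", "172.33.144.65"),
    "Vlan5": ("172.33.136.3/23", "172.33.136.1"),
    "Vlan6": ("172.33.144.195/26", "172.33.144.193"),
}

# Message layout as in the example line quoted in the thread.
DIFFVIP = re.compile(
    r"%HSRP-4-DIFFVIP1: (?P<intf>\S+) Grp (?P<grp>\d+) active routers virtual IP "
    r"address (?P<seen>[\d.]+) is different to the locally configured address "
    r"(?P<local>[\d.]+)"
)

def classify(line):
    """Return (interface, advertised VIP, verdict) for a DIFFVIP1 line, else None."""
    m = DIFFVIP.search(line)
    if not m:
        return None
    intf, seen = m["intf"], ipaddress.ip_address(m["seen"])
    # Find the SVI whose subnet contains the VIP carried in the foreign hello.
    home = next((name for name, (addr, _) in SVIS.items()
                 if seen in ipaddress.ip_interface(addr).network), None)
    if home is None:
        verdict = "VIP outside every known subnet: unidentified HSRP speaker"
    elif home == intf:
        verdict = "speaker inside this VLAN advertising a different VIP"
    else:
        exact = " (its configured VIP)" if str(seen) == SVIS[home][1] else ""
        verdict = f"hello leaked from {home}{exact}: check trunks and STP"
    return intf, str(seen), verdict

# Constructed sample log lines (timestamps and mismatching addresses are made up).
SAMPLE = [
    "Mar  4 10:15:02.101: %HSRP-4-DIFFVIP1: Vlan5 Grp 1 active routers virtual IP address 172.33.144.1 is different to the locally configured address 172.33.136.1",
    "Mar  4 10:15:05.330: %HSRP-4-DIFFVIP1: Vlan5 Grp 1 active routers virtual IP address 172.33.137.254 is different to the locally configured address 172.33.136.1",
    "Mar  4 10:15:09.774: %HSRP-4-DIFFVIP1: Vlan5 Grp 1 active routers virtual IP address 10.9.9.1 is different to the locally configured address 172.33.136.1",
    "Mar  4 10:15:10.002: %HSRP-5-STATECHANGE: Vlan5 Grp 1 state Standby -> Active",
]

def report(lines):
    return [r for r in map(classify, lines) if r is not None]
```

A same-VLAN verdict is the case where HSRP authentication and a SPAN capture of the VLAN, as suggested in the accepted answer, are the next step.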
 
LVL 17

Expert Comment

by:rochey2009
ID: 35110432
Hi,

Do you have any VLANs which are leaking into one another?

What does the DIFFVIP1 error message tell you about the address that's in conflict?
0
 

Author Closing Comment

by:Seni
ID: 35243217
It was a bug in Cisco IOS.
0
