|
Home > Archive > CCIE > March 2002 > IPsec HW
| amilcarlopes 2002-03-07, 5:00 am |
| Hi.
Do you have any knowledge about failures with STP and HSRP working together? | |
| MadChef 2002-03-07, 5:30 am |
| quote: Originally posted by amilcarlopes
Do you have any knowledge about failures with STP and HSRP working together?
Yes. Do you have a more specific question, and what does this have to do with IPSec?
MadChef | |
| amilcarlopes 2002-03-08, 3:50 am |
| I forgot to change the thread subject, I'm sorry
About HSRP and STP, I experienced some problems in my LAN and I suspect that they are related to the HSRP and STP timers. The HSRP groups began to "jump" from one router to the other and my LAN was down until I disconnected a certain uplink.
Do you have any knowledge of problems like this one? | |
| MadChef 2002-03-08, 6:25 am |
| quote: Originally posted by amilcarlopes
I forgot to change the thread subject, I'm sorry
It was making me scratch my head....
In my opinion, this stuff gets very complicated very quickly. Now is the perfect time to make sure NTP is running, all devices in question are sync'd and that you're logging to a central place (preferably OFF the VLANs in question). Event correlation is key to isolating your problem. Turn console logging off of the devices in question and bump the logging up to debugging. Then start debugging hsrp and stp events to get an idea of just what is happening and when.
When you say the groups are jumping from one router to the other, is it that the active is going to standby and the standby to active, or are they both trying to be active at the same time? I would imagine the former, but it never hurts to make sure.
My first guess is that this has less to do with timers and more to do with links failing and spanning tree reconverging. I'd look at your uplink port status to see if some of those links are going down. BPDUs have priority over trunk links, so I wouldn't expect saturation to cause the spanning tree to reconverge, unless there's something like a duplex mismatch which is causing lots o' frames to be dropped or sending a port to errdisable.
While timers might not be the root problem here, timers may provide a solution. Uplinkfast configured on a switch allows a switch to immediately bring an uplink port from blocked to forwarding when the root port goes down. This typically takes an outage down from 45-50 seconds to a couple of seconds. There's an excellent article on CCO about when and how to use Uplinkfast and Backbonefast and I urge you to give it a look.
Hopefully that gives you a couple of things to look at.
MadChef | |
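The event correlation suggested in the post above, sketched as an added example that is not part of the original thread: it pairs each HSRP message with the most recent link or spanning-tree message seen on any device within 60 seconds. The log lines, host names, collector timestamp layout and the 60-second window are constructed assumptions, and the timestamps are only comparable across devices if they are NTP-synced.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of centrally collected syslog; hosts and addresses are
# hypothetical, and the "<date> <time> <host> <message>" layout is assumed.
SAMPLE = """\
2002-03-07 10:15:02.120 sw-dist1 %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
2002-03-07 10:15:13.480 rtr-b %STANDBY-6-STATECHANGE: Vlan10 Group 1 state Standby -> Active
2002-03-07 10:15:49.900 rtr-a %STANDBY-3-DUPADDR: Duplicate address 10.1.10.1 on Vlan10, sourced by 0000.0c07.ac01
2002-03-07 10:15:50.300 rtr-b %STANDBY-6-STATECHANGE: Vlan10 Group 1 state Active -> Speak
2002-03-07 11:40:00.000 rtr-a %STANDBY-6-STATECHANGE: Vlan20 Group 2 state Standby -> Active
"""

LINE = re.compile(r"^(\S+ \S+) (\S+) %([A-Z_]+)-(\d)-([A-Z_]+): (.*)$")
L2_FACILITIES = {"LINK", "LINEPROTO", "SPANTREE"}
WINDOW = timedelta(seconds=60)  # assumed: a little over one STP reconvergence

def parse(text):
    """Turn collector lines into time-ordered event dicts; skip unparsable lines."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f")
        events.append({"ts": ts, "host": m.group(2), "facility": m.group(3),
                       "mnemonic": m.group(5), "msg": m.group(6)})
    return sorted(events, key=lambda e: e["ts"])

def correlate(events, window=WINDOW):
    """Pair each HSRP event with the latest layer-2 event inside the window."""
    pairs, last_l2 = [], None
    for ev in events:
        if ev["facility"] in L2_FACILITIES:
            last_l2 = ev
        elif ev["facility"] == "STANDBY":
            hit = last_l2 if last_l2 and ev["ts"] - last_l2["ts"] <= window else None
            pairs.append((ev, hit))
    return pairs

def report(text):
    rows = []
    for ev, cause in correlate(parse(text)):
        if cause:
            lag = (ev["ts"] - cause["ts"]).total_seconds()
            why = f"{lag:.1f}s after {cause['host']} {cause['mnemonic']}"
        else:
            why = "no layer-2 event in window"
        rows.append(f"{ev['ts']:%H:%M:%S} {ev['host']} {ev['mnemonic']}: {why}")
    return rows

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

An HSRP change with no layer-2 event in the window points away from link or spanning-tree trouble and toward the routers themselves.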
| amilcarlopes 2002-03-08, 9:44 am |
| The groups were jumping from one router to the other, from active to standby and from standby to active, but I think that it was because both were trying to become active.
While the STP is converging, the HSRP routers are unable to exchange hello packets and both become active. When the STP converges, the routers receive hello packets and the advertisement of the virtual IP and MAC. Since both are the owners of those virtual IP and MAC, they start announcing "duplicate address"...
I think with portfast enabled on the trunk between sw and router, I solved the problem. So far so good... |