HSRP md5 auth with secondary ip-addresses not working

Hey guys!

Got a strange thing here concerning HSRP auth.

 

When I do this (both interfaces are connected in a vlan):

R2:
interface FastEthernet1/0
ip address 172.16.0.2 255.255.255.0
duplex auto
speed auto
standby 10 ip 172.16.0.1
standby 10 priority 200
standby 10 preempt
standby 10 authentication md5 key-string test

R3:
interface FastEthernet1/0
ip address 172.16.0.3 255.255.255.0
duplex auto
speed auto
standby 10 ip 172.16.0.1
standby 10 priority 150
standby 10 preempt
standby 10 authentication md5 key-string test

That config works fine!

 

When I add the following to the config of each interface to activate a second group...

R2:
ip address 172.16.20.2 255.255.255.0 secondary
standby 20 ip 172.16.20.1
standby 20 priority 150
standby 20 preempt
standby 20 authentication md5 key-string 1234

 

R3: 
ip address 172.16.20.3 255.255.255.0 secondary
standby 20 ip 172.16.20.1
standby 20 priority 200
standby 20 preempt
standby 20 authentication md5 key-string 1234

 

I get an error message for group 20. Checked the passwords, does not work. Anyone got an idea? (It's dynamips by the way).

*Feb 17 12:09:26.543: %HSRP-4-BADAUTH: Bad authentication from 172.16.20.2, group 20, remote state Active
r3#
*Feb 17 12:09:56.903: %HSRP-4-BADAUTH: Bad authentication from 172.16.20.2, group 20, remote state Active
r3#
*Feb 17 12:10:26.999: %HSRP-4-BADAUTH: Bad authentication from 172.16.20.2, group 20, remote state Active
r3#

TIA!

Regards!

Markus

Comments

  • Markus,

    Which IOS version are you using? I just tried your scenario (with the exact same config) and it worked here:

     

    R1(config-if)#do sh run int f0/0
    Building configuration...

    Current configuration : 380 bytes
    !
    interface FastEthernet0/0
     ip address 172.16.20.2 255.255.255.0 secondary
     ip address 172.16.0.2 255.255.255.0
     duplex auto
     speed auto
     standby 10 ip 172.16.0.1
     standby 10 priority 200
     standby 10 preempt
     standby 10 authentication md5 key-string test
     standby 20 ip 172.16.20.1
     standby 20 priority 150
     standby 20 preempt
     standby 20 authentication md5 key-string 1234
    end

    R1(config-if)#do sh run int f0/0
    Building configuration...

    Current configuration : 380 bytes
    !
    interface FastEthernet0/0
     ip address 172.16.20.3 255.255.255.0 secondary
     ip address 172.16.0.3 255.255.255.0
     duplex auto
     speed auto
     standby 10 ip 172.16.0.1
     standby 10 priority 150
     standby 10 preempt
     standby 10 authentication md5 key-string test
     standby 20 ip 172.16.20.1
     standby 20 priority 200
     standby 20 preempt
     standby 20 authentication md5 key-string 1234

    R1(config-if)#do sh stand br
                         P indicates configured to preempt.
                         |
    Interface   Grp  Pri P State   Active          Standby         Virtual IP
    Fa0/0       10   200 P Active  local           172.16.0.3      172.16.0.1
    Fa0/0       20   150 P Standby 172.16.0.3      local           172.16.20.1

    R2(config-if)#do sh stand br
                         P indicates configured to preempt.
                         |
    Interface   Grp  Pri P State   Active          Standby         Virtual IP
    Fa0/0       10   150 P Standby 172.16.0.2      local           172.16.0.1
    Fa0/0       20   200 P Active  local           172.16.0.2      172.16.20.1

    HTH

    Good luck!

  • Hi!

    Thanks for labbing this up.

    Got this one: (C7200-SPSERVICESK9-M), Version 12.4(24)T1

    Will check that eventually on the weekend!

    Regards!

  • Markus,

    You are welcome; I did a quick one on dynamips - (C3725-ADVENTERPRISEK9-M), Version 12.4(15)T5.

    The behavior is very weird, but let us know your findings.

    Cheers!

  • Hmm also strange effects with bgp md5 authentication here. Neighbor is up, routes are exchanged but I get the message

    %TCP-6-BADAUTH: No MD5 digest from 172.16.21.1(65499) to 172.16.32.2(179)

    Even when I deconfigure the authentication under the BGP process the message still comes up (neighbors are reset).

    I will change the IOS version.

    Regards!

    Markus.

  • Markus,

    The first issue with HSRP on secondary address is a bug:

    CSCta27331 Bug Details
    HSRP authentication applied to secondary addresses fails

    Symptoms: HSRP authentication applied to secondary addresses fails, generating the following syslog message:

    %HSRP-4-BADAUTH: Bad authentication from 172.16.123.2, group 2, remote state Active

    Conditions: The symptom is observed with HSRP authentication applied to secondary addresses. (HSRP authentication applied to primary addresses is unaffected.) It is seen with Cisco IOS Release 12.4(24)T and 12.2(33)SXI.

    Workaround: Disable authentication on HSRP groups configured with secondary addresses.
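
As an added example (not code from the thread or from Cisco), a small Python audit for the bug condition described in the bug details above: it parses an interface config in the format used in this thread, flags HSRP groups that use MD5 authentication and whose virtual IP lies in a secondary subnet on the releases the bug text names, and pulls peer/group pairs out of %HSRP-4-BADAUTH syslog lines so the two can be correlated. The sample input is R2's config from the original post; matching releases by version-string prefix is an assumption of this example.

```python
# Added audit script (not from the thread): flags HSRP groups that match the
# CSCta27331 condition from an IOS interface config, and parses BADAUTH syslog.
import ipaddress
import re
AFFECTED_RELEASES = ("12.4(24)T", "12.2(33)SXI")  # releases named in the bug text
ADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)( secondary)?\s*$")
VIP_RE = re.compile(r"^\s*standby (\d+) ip (\S+)\s*$")
AUTH_RE = re.compile(r"^\s*standby (\d+) authentication md5 key-string \S+")
BADAUTH_RE = re.compile(r"%HSRP-4-BADAUTH: Bad authentication from (\S+), group (\d+)")
# R2's interface config from the thread, used here as sample input.
R2_CONFIG = """interface FastEthernet1/0
ip address 172.16.0.2 255.255.255.0
ip address 172.16.20.2 255.255.255.0 secondary
standby 10 ip 172.16.0.1
standby 10 authentication md5 key-string test
standby 20 ip 172.16.20.1
standby 20 authentication md5 key-string 1234
"""

def parse_interface(config):
    """Map subnets to 'primary'/'secondary' and HSRP group ids to {vip, md5}."""
    subnets, groups = {}, {}
    for line in config.splitlines():
        if m := ADDR_RE.match(line):
            # dotted netmask is accepted by ip_network; strict=False drops host bits
            net = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
            subnets[net] = "secondary" if m[3] else "primary"
        elif m := VIP_RE.match(line):
            groups.setdefault(m[1], {"vip": None, "md5": False})["vip"] = m[2]
        elif m := AUTH_RE.match(line):
            groups.setdefault(m[1], {"vip": None, "md5": False})["md5"] = True
    return subnets, groups

def groups_hitting_bug(config, ios_release):
    """Group ids with MD5 auth whose virtual IP is in a secondary subnet (affected releases only)."""
    if not any(ios_release.startswith(r) for r in AFFECTED_RELEASES):
        return []
    subnets, groups = parse_interface(config)
    hits = []
    for gid, g in groups.items():
        if g["md5"] and g["vip"]:
            vip = ipaddress.ip_address(g["vip"])
            kind = next((k for net, k in subnets.items() if vip in net), None)
            if kind == "secondary":
                hits.append(gid)
    return hits

def badauth_peers(syslog):
    """(peer, group) pairs from %HSRP-4-BADAUTH lines, for correlating with hits."""
    return {(m[1], m[2]) for m in map(BADAUTH_RE.search, syslog.splitlines()) if m}
```

Running `groups_hitting_bug(R2_CONFIG, "12.4(24)T1")` reports group 20 only, which matches the syslog the original post shows; the same config on 12.4(15)T14 reports nothing.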

  • Thanks VERY MUCH!!!

    That's good for the brain that my own config isn't faulty!

    Didn't have the time to look it up in the bug toolkit!

    The other one could probably be an issue of the version too, as it's also associated with MD5.

    Regards!

    Markus.

  • Have to love when TAC/Support tells you that the workaround is to disable the feature itself, yeah no shit Sherlock :)

  • Markus, it's time to change IOS. Go for 15.x if you're labbing yourself for study. I did both HSRP MD5 authentication on secondary address and BGP MD5 authentication, no issue.

  • 12.4 is tested at the lab so I would not change to 15.x even though I don't anticipate any huge changes.

  • 12.4 is tested at the lab so I would not change to 15.x even though I don't anticipate any huge changes.

    That's my opinion too. I don't even know if there is a version for the 3725 platform of 15.X ... don't think so.

    Regards!

  • I am using 12.4 train as well. 15.x has implications with licensing as well.

  • That's my opinion too. I don't even know if there is a version for the 3725 platform of 15.X ... don't think so.

    15.x is not available for 3725 platform, I was recommending just for lab (to test all with GNS). If you want you can use 15.x on 72xx on your GNS box..

  • If you want you can use 15.x on 72xx on your GNS box..

    Very resource intensive even with idlepc values applied in my eyes.

    Just checked the issue this day. Used a different IOS and 3725s (12.4(15)T14). Works fine!

    Thanks for your investigations!

    Regards!

    Markus
