IPsec High Availability (stateful)
Today I would like to set up HA for a VPN using a slightly different scenario compared to the one from the previous post:
As you see, there is only one link from the branch router (r5), and in the HQ the routers have their external IPs in the same subnet. I can implement HSRP there, and I set up the tunnel between r5 and the VIP (10.1.0.100). I also removed HSRP from the HQ LAN and added RRI (Reverse Route Injection). For a better user experience I add the ‘stateful’ option by enabling SSO (Stateful Switchover).
Instead of two peers in the crypto map on r5 we need only one IP (the VIP):
R5(config-crypto-map)#no set peer 10.1.0.3
R5(config-crypto-map)#no set peer 10.3.0.4
R5(config-crypto-map)#set peer 10.1.0.100
I don’t need DPD (Dead Peer Detection) in this scenario:
no crypto isakmp keepalive 10 periodic
I disable HSRP on the inside interfaces of r3 and r4:
R3(config)#int fa0/0
R3(config-if)#no standby 1
R4(config)#int fa0/0
R4(config-if)#no standby 1
I have to enable HSRP on the outside interfaces of r3 and r4 and then add the VIP (10.1.0.100):
R3#sh run int fa1/0
Building configuration...
Current configuration : 284 bytes
!
interface FastEthernet1/0
ip address 10.1.0.3 255.255.255.0
standby 10 ip 10.1.0.100
standby 10 priority 105
standby 10 preempt
standby 10 name VPN
standby 10 track 1 decrement 10
standby 10 track 2 decrement 10
speed auto
duplex auto
crypto map MAPA redundancy VPN
end
R3#
R3#sh standby
FastEthernet1/0 - Group 10
State is Active
5 state changes, last state change 00:02:38
Virtual IP address is 10.1.0.100
Active virtual MAC address is 0000.0c07.ac0a
Local virtual MAC address is 0000.0c07.ac0a (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.064 secs
Preemption enabled
Active router is local
Standby router is 10.1.0.4, priority 100 (expires in 11.072 sec)
Priority 105 (configured 105)
Track object 1 state Up decrement 10
Track object 2 state Up decrement 10
Group name is "VPN" (cfgd)
R3#
R4#sh run int fa0/1
Building configuration...
Current configuration : 259 bytes
!
interface FastEthernet0/1
ip address 10.1.0.4 255.255.255.0
standby 10 ip 10.1.0.100
standby 10 preempt
standby 10 name VPN
standby 10 track 3 decrement 10
standby 10 track 4 decrement 10
speed auto
duplex auto
crypto map MAPA redundancy VPN
end
R4#
R4#sh standby
FastEthernet0/1 - Group 10
State is Standby
4 state changes, last state change 00:02:45
Virtual IP address is 10.1.0.100
Active virtual MAC address is 0000.0c07.ac0a
Local virtual MAC address is 0000.0c07.ac0a (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 0.880 secs
Preemption enabled
Active router is 10.1.0.3, priority 105 (expires in 8.256 sec)
Standby router is local
Priority 100 (default 100)
Track object 3 state Up decrement 10
Track object 4 state Up decrement 10
Group name is "VPN" (cfgd)
R4#
In the HQ LAN I enable OSPF, and r2 learns the route towards r6 from the active VPN peer, thanks to RRI on the crypto map:
R3#sh run | s crypto map
crypto map MAPA 10 ipsec-isakmp
set peer 10.1.0.5
set transform-set TS
match address 101
reverse-route
crypto map MAPA redundancy VPN
R3#
and then the static route is redistributed into OSPF towards r2:
R3#sh run | s router ospf
router ospf 1
redistribute static subnets
network 10.2.0.0 0.0.0.255 area 0
R3#
The same on r4:
R4#sh run | s crypto map
crypto map MAPA 10 ipsec-isakmp
set peer 10.1.0.5
set transform-set TS
match address 101
reverse-route
crypto map MAPA redundancy VPN
R4#
R4#sh run | s router ospf
router ospf 1
redistribute static subnets
network 10.2.0.0 0.0.0.255 area 0
R4#
Let’s test the default scenario (r5-r3 -> primary):
1) check the current routing table on r2:
r2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 1 subnets
C 10.2.0.0 is directly connected, FastEthernet1/0
r2#
2) send traffic from r6->r2:
R6#ping 10.2.0.2 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.2.0.2, timeout is 2 seconds:
.!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 97 percent (97/100), round-trip min/avg/max = 52/81/128 ms
R6
3) check VPN status on r3:
R3#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.1.0.100 10.1.0.5 QM_IDLE 1004 ACTIVE
IPv6 Crypto ISAKMP SA
R3#sh crypto session d
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: FastEthernet1/0
Uptime: 00:00:23
Session status: UP-ACTIVE
Peer: 10.1.0.5 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 10.1.0.5
Desc: (none)
IKEv1 SA: local 10.1.0.100/500 remote 10.1.0.5/500 Active
Capabilities:(none) connid:1004 lifetime:23:59:36
IPSEC FLOW: permit ip host 10.2.0.2 host 10.0.0.6
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 99 drop 0 life (KB/Sec) 4164529/3576
Outbound: #pkts enc'ed 97 drop 0 life (KB/Sec) 4164529/3576
R3#
4) check VPN status on r5:
R5#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.1.0.100 10.1.0.5 QM_IDLE 1007 ACTIVE
IPv6 Crypto ISAKMP SA
R5#sh crypto session d
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: FastEthernet0/1
Uptime: 00:01:55
Session status: UP-ACTIVE
Peer: 10.1.0.100 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 10.1.0.100
Desc: (none)
IKEv1 SA: local 10.1.0.5/500 remote 10.1.0.100/500 Active
Capabilities:(none) connid:1007 lifetime:23:58:03
IPSEC FLOW: permit ip host 10.0.0.6 host 10.2.0.2
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 1173 drop 0 life (KB/Sec) 4255144/3484
Outbound: #pkts enc'ed 1217 drop 0 life (KB/Sec) 4255144/3484
R5#
5) check VPN status on r4 (backup):
R4#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
IPv6 Crypto ISAKMP SA
R4#sh crypto session d
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: FastEthernet0/1
Session status: DOWN
Peer: 10.1.0.5 port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit ip host 10.2.0.2 host 10.0.0.6
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
R4#
6) check the current routing table on r2:
r2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.2.0.0/24 is directly connected, FastEthernet1/0
O E2 10.0.0.6/32 [110/20] via 10.2.0.3, 00:03:43, FastEthernet1/0
r2#
As we see, everything looks good. Traffic initiated from r6 towards r2 brought up the backup VPN tunnel. Let’s now test what happens when r3 fails:
1) send traffic from r2 towards r6:
R6#ping 10.2.0.2 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 10.2.0.2, timeout is 2 seconds:
.!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!......................
2) check status on r3
R3#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.1.0.100 10.1.0.5 QM_IDLE 1005 ACTIVE
IPv6 Crypto ISAKMP SA
R3#sh crypto session d
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: FastEthernet1/0
Uptime: 00:00:09
Session status: UP-ACTIVE
Peer: 10.1.0.5 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 10.1.0.5
Desc: (none)
IKEv1 SA: local 10.1.0.100/500 remote 10.1.0.5/500 Active
Capabilities:(none) connid:1005 lifetime:23:59:49
IPSEC FLOW: permit ip host 10.2.0.2 host 10.0.0.6
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 60 drop 0 life (KB/Sec) 4305992/3590
Outbound: #pkts enc'ed 58 drop 0 life (KB/Sec) 4305992/3590
R3#
3) check status on r5
R5#sh crypto session
Crypto session current status
Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 10.1.0.100 port 500
IKEv1 SA: local 10.1.0.5/500 remote 10.1.0.100/500 Active
IPSEC FLOW: permit ip host 10.0.0.6 host 10.2.0.2
Active SAs: 2, origin: crypto map
R5#sh crypto session d
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: FastEthernet0/1
Uptime: 00:00:28
Session status: UP-ACTIVE
Peer: 10.1.0.100 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 10.1.0.100
Desc: (none)
IKEv1 SA: local 10.1.0.5/500 remote 10.1.0.100/500 Active
Capabilities:(none) connid:1008 lifetime:23:59:30
IPSEC FLOW: permit ip host 10.0.0.6 host 10.2.0.2
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 201 drop 0 life (KB/Sec) 4270150/3571
Outbound: #pkts enc'ed 207 drop 0 life (KB/Sec) 4270149/3571
R5#
4) shut down fa0/0 on r3:
R3#conf t
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#int fa0/0
R3(config-if)#sh
R3(config-if)#
*Nov 10 18:10:17.651: %TRACKING-5-STATE: 1 interface Fa0/0 line-protocol Up->Down
*Nov 10 18:10:17.687: %OSPF-5-ADJCHG: Process 1, Nbr 10.2.0.2 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
*Nov 10 18:10:17.691: %OSPF-5-ADJCHG: Process 1, Nbr 10.2.0.4 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
R3(config-if)#
*Nov 10 18:10:19.183: %HSRP-5-STATECHANGE: FastEthernet1/0 Grp 10 state Active -> Speak
R3(config-if)#
*Nov 10 18:10:19.647: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
*Nov 10 18:10:20.647: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
R3(config-if)#
*Nov 10 18:10:30.671: %HSRP-5-STATECHANGE: FastEthernet1/0 Grp 10 state Speak -> Standby
R3(config-if)#
5) check status on r4 (backup):
R4#
*Nov 10 18:10:18.567: %HSRP-5-STATECHANGE: FastEthernet0/1 Grp 10 state Standby -> Active
R4#
*Nov 10 18:10:19.083: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.1.0.100, prot=50, spi=0x33C217B(54272379), srcaddr=10.1.0.5, input interface=FastEthernet0/1
R4#
*Nov 10 18:10:31.107: %CRYPTO-4-IKMP_NO_SA: IKE message from 10.1.0.5 has no SA and is not an initialization offer
R4#
*Nov 10 18:10:49.483: %OSPF-5-ADJCHG: Process 1, Nbr 10.2.0.3 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Dead timer expired
R4#
R4#
R4#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.1.0.100 10.1.0.5 QM_IDLE 1004 ACTIVE
IPv6 Crypto ISAKMP SA
R4#sh crypto ses
R4#sh crypto session d
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: FastEthernet0/1
Uptime: 00:02:43
Session status: UP-ACTIVE
Peer: 10.1.0.5 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 10.1.0.5
Desc: (none)
IKEv1 SA: local 10.1.0.100/500 remote 10.1.0.5/500 Active
Capabilities:(none) connid:1004 lifetime:23:57:15
IPSEC FLOW: permit ip host 10.2.0.2 host 10.0.0.6
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 715 drop 0 life (KB/Sec) 4193885/3436
Outbound: #pkts enc'ed 696 drop 0 life (KB/Sec) 4193888/3436
R4#
6) check once again ping on r6:
R6#ping 10.2.0.2 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 10.2.0.2, timeout is 2 seconds:
.!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!.................................
.....!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!.!!!!!!!!!!!!!!!!!!
Success rate is 93 percent (935/1000), round-trip min/avg/max = 32/83/176 ms
R6#
As we see, the switchover took a while and I lost 39 packets. I re-enabled the fa0/0 interface on r3 to check how long the failback takes:
R3(config-if)#no sh
R3(config-if)#
*Nov 10 18:15:46.195: %TRACKING-5-STATE: 1 interface Fa0/0 line-protocol Down->Up
R3(config-if)#
*Nov 10 18:15:47.603: %HSRP-5-STATECHANGE: FastEthernet1/0 Grp 10 state Standby -> Active
*Nov 10 18:15:47.787: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.1.0.100, prot=50, spi=0xA1D3FE53(2715024979), srcaddr=10.1.0.5, input interface=FastEthernet1/0
R3(config-if)#
*Nov 10 18:15:48.183: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Nov 10 18:15:49.183: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R3(config-if)#
*Nov 10 18:15:53.963: %OSPF-5-ADJCHG: Process 1, Nbr 10.2.0.2 on FastEthernet0/0 from LOADING to FULL, Loading Done
*Nov 10 18:15:54.139: %OSPF-5-ADJCHG: Process 1, Nbr 10.2.0.4 on FastEthernet0/0 from LOADING to FULL, Loading Done
R3(config-if)#
*Nov 10 18:16:01.727: %CRYPTO-4-IKMP_NO_SA: IKE message from 10.1.0.5 has no SA and is not an initialization offer
R3(config-if)#
and, as you see, I lost 41 packets:
R6#ping 10.2.0.2 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 10.2.0.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!........................
...............!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!
The main problem is the time required to build the tunnel on the second node:
*Nov 10 18:10:31.107: %CRYPTO-4-IKMP_NO_SA: IKE message from 10.1.0.5 has no SA and is not an initialization offer
and we have to wait until the initialization starts.
We can add the stateful feature to keep both tunnels up, and the switchover should then be much faster. Let’s check what is required to accomplish it.
I discovered that I can’t configure the IPC association on my current software:
R3(config)#ipc ?
buffers Resize ipc buffer pool
header-cache Resize IPC Permanent cache
holdq Configure IPC holdq parameters
zone Configure an IPC Zone
R3(config)#ipc z
R3(config)#ipc zone ?
default Configure the default Zone
R3(config)#ipc zone d
R3(config)#ipc zone default
R3(config-ipczone)#as
R3(config-ipczone)#association 1
R3(config-ipczone-assoc)#pr
R3(config-ipczone-assoc)#pr?
% Unrecognized command
R3(config-ipczone-assoc)#?
IPC Association Config commands
exit Exit IPC Association config mode
no Negate a command or set its defaults
shutdown Shutdown this association
R3(config-ipczone-assoc)#
I can’t enable ‘redundancy inter-device’ either:
R3(config)#red?
redirect
R3(config)#red
I have to change the software on r3 and r4. The current version is:
R3#sh ver
Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 15.2(4)S1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Fri 28-Sep-12 14:39 by prod_rel_team
ROM: ROMMON Emulation Microcode
BOOTLDR: 7200 Software (C7200-ADVENTERPRISEK9-M), Version 15.2(4)S1, RELEASE SOFTWARE (fc1)
R3 uptime is 1 hour, 42 minutes
System returned to ROM by unknown reload cause - suspect boot_data[BOOT_COUNT] 0x0, BOOT_COUNT 0, BOOTDATA 19
System image file is "tftp://255.255.255.255/unknown"
Last reload reason: unknown reload cause - suspect boot_data[BOOT_COUNT] 0x0, BOOT_COUNT 0, BOOTDATA 19
The new one:
R4#sh ver
Cisco IOS Software, 7200 Software (C7200-ADVSECURITYK9-M), Version 15.2(4)M2, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Wed 07-Nov-12 18:15 by prod_rel_team
ROM: ROMMON Emulation Microcode
BOOTLDR: 7200 Software (C7200-ADVSECURITYK9-M), Version 15.2(4)M2, RELEASE SOFTWARE (fc2)
R4 uptime is 44 minutes
System returned to ROM by unknown reload cause - suspect boot_data[BOOT_COUNT] 0x0, BOOT_COUNT 0, BOOTDATA 19
System image file is "tftp://255.255.255.255/unknown"
Last reload reason: unknown reload cause - suspect boot_data[BOOT_COUNT] 0x0, BOOT_COUNT 0, BOOTDATA 19
On r3 and r4 I have to add the inter-device IPC association for SSO (the r4 side is shown; on r3 the local-ip and remote-ip are swapped):
!
ipc zone default
association 1
no shutdown
protocol sctp
local-port 5000
local-ip 10.1.0.4
remote-port 5000
remote-ip 10.1.0.3
!
and the inter-device redundancy scheme, bound to the HSRP group name:
!
redundancy inter-device
scheme standby VPN
!
The crypto map has to be applied with an additional ‘stateful’ parameter:
interface FastEthernet0/1
crypto map MAPA redundancy VPN stateful
!
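Because the three names (the HSRP group name, the ‘scheme standby’ name and the crypto map ‘redundancy’ name) and the mirrored IPC association all have to line up on both routers, here is an added consistency check (my own example, not the post’s configuration): it renders the r4 fragment above and its assumed r3 mirror image, parses them, and reports anything that would stop the stateful failover from working.

```python
import re
from typing import Dict, List, Optional

def ha_config(iface: str, local_ip: str, remote_ip: str, name: str = "VPN",
              cmap: str = "MAPA", stateful: bool = True) -> str:
    """Render the HA-relevant fragment of one HQ router's config. Sample input,
    constructed from the post's r4 snippet; r3 is assumed to be its mirror image."""
    return (
        f"interface {iface}\n"
        " standby 10 ip 10.1.0.100\n"
        f" standby 10 name {name}\n"
        f" crypto map {cmap} redundancy {name}{' stateful' if stateful else ''}\n"
        "!\nipc zone default\n association 1\n  no shutdown\n  protocol sctp\n"
        f"   local-port 5000\n    local-ip {local_ip}\n"
        f"   remote-port 5000\n    remote-ip {remote_ip}\n"
        f"!\nredundancy inter-device\n scheme standby {name}\n")

def _first(pattern: str, cfg: str) -> Optional[str]:
    m = re.search(pattern, cfg, re.M)
    return m.group(1) if m else None

def parse_ha(cfg: str) -> Dict[str, Optional[str]]:
    """Pull out the fields that must agree for stateful failover to work."""
    m = re.search(r"^\s*crypto map (\S+) redundancy (\S+)( stateful)?\s*$", cfg, re.M)
    return {
        "hsrp_name": _first(r"^\s*standby \d+ name (\S+)", cfg),
        "scheme": _first(r"^\s*scheme standby (\S+)", cfg),
        "map_redundancy": m.group(2) if m else None,
        "stateful": m.group(3).strip() if m and m.group(3) else None,
        "inter_device": _first(r"^\s*(redundancy inter-device)", cfg),
        # the IPC association is shut down by default, so 'no shutdown' must be there
        "assoc_up": _first(r"^\s*association \d+\n\s*(no shutdown)", cfg),
        "sctp": _first(r"^\s*protocol (sctp)", cfg),
        "local_ip": _first(r"^\s*local-ip (\S+)", cfg),
        "remote_ip": _first(r"^\s*remote-ip (\S+)", cfg),
        "local_port": _first(r"^\s*local-port (\d+)", cfg),
        "remote_port": _first(r"^\s*remote-port (\d+)", cfg),
    }

def check_pair(name_a: str, cfg_a: str, name_b: str, cfg_b: str) -> List[str]:
    """Return the problems found; an empty list means the pair is consistent."""
    a, b = parse_ha(cfg_a), parse_ha(cfg_b)
    problems = []
    for rname, r in ((name_a, a), (name_b, b)):
        for field in ("inter_device", "assoc_up", "sctp", "stateful"):
            if r[field] is None:
                problems.append(f"{rname}: missing {field}")
        if not (r["hsrp_name"] and r["hsrp_name"] == r["scheme"] == r["map_redundancy"]):
            problems.append(f"{rname}: HSRP name, scheme standby and crypto map redundancy differ")
    if a["hsrp_name"] != b["hsrp_name"]:
        problems.append("HSRP group name differs between the two routers")
    if ((a["local_ip"], a["local_port"]) != (b["remote_ip"], b["remote_port"])
            or (b["local_ip"], b["local_port"]) != (a["remote_ip"], a["remote_port"])):
        problems.append("IPC association is not mirrored (local/remote ip or port mismatch)")
    return problems

if __name__ == "__main__":
    r3 = ha_config("FastEthernet1/0", "10.1.0.3", "10.1.0.4")
    r4 = ha_config("FastEthernet0/1", "10.1.0.4", "10.1.0.3")
    print(check_pair("r3", r3, "r4", r4) or "pair is consistent")
    r3_stateless = ha_config("FastEthernet1/0", "10.1.0.3", "10.1.0.4", stateful=False)
    print(check_pair("r3", r3_stateless, "r4", r4))
```

On real devices, feed check_pair the relevant parts of ‘show running-config’ from each router instead of the rendered samples.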
Let’s test it once again:
1) send traffic
R6#ping 10.2.0.2 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 10.2.0.2, timeout is 2 seconds:
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.
Success rate is 99 percent (448/450), round-trip min/avg/max = 32/83/156 ms
R6#
2) check the VPN status on r3:
R3#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.1.0.100 10.1.0.5 QM_IDLE 1002 ACTIVE
IPv6 Crypto ISAKMP SA
R3#sh crypto session d
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: FastEthernet1/0
Uptime: 00:00:13
Session status: UP-ACTIVE
Peer: 10.1.0.5 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 10.1.0.5
Desc: (none)
IKEv1 SA: local 10.1.0.100/500 remote 10.1.0.5/500 Active
Capabilities:(none) connid:1002 lifetime:23:59:45
IPSEC FLOW: permit ip host 10.2.0.2 host 10.0.0.6
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 139 drop 0 life (KB/Sec) 4187230/3586
Outbound: #pkts enc'ed 138 drop 0 life (KB/Sec) 4187230/3586
R3#
3) check the VPN status on r4:
R4#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.1.0.100 10.1.0.5 QM_IDLE 1002 STDBY
IPv6 Crypto ISAKMP SA
R4#sh crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: FastEthernet0/1
Session status: UP-STANDBY
Peer: 10.1.0.5 port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IKEv1 SA: local 10.1.0.100/500 remote 10.1.0.5/500 Active
Capabilities:(none) connid:1002 lifetime:23:59:32
IPSEC FLOW: permit ip host 10.2.0.2 host 10.0.0.6
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 3788414/3573
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4249214/3573
R4#
As you see, the backup tunnel is up and ready to take control (UP-STANDBY). Let’s disable one interface on r3 while pinging from r6:
R6#ping 10.2.0.2 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 10.2.0.2, timeout is 2 seconds:
......!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.UUUUU....................!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!
Success rate is 85 percent (193/225), round-trip min/avg/max = 44/79/124 ms
R6#
On r3 I shut down the fa0/0 interface:
R3(config)#int fa0/0
R3(config-if)#sh
R3(config-if)#
*Nov 10 20:16:02.991: %TRACKING-5-STATE: 1 interface Fa0/0 line-protocol Up->Down
*Nov 10 20:16:03.023: %OSPF-5-ADJCHG: Process 1, Nbr 10.2.0.2 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
*Nov 10 20:16:03.027: %OSPF-5-ADJCHG: Process 1, Nbr 10.2.0.4 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
R3(config-if)#
*Nov 10 20:16:04.987: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
*Nov 10 20:16:05.315: %HSRP-5-STATECHANGE: FastEthernet1/0 Grp 10 state Active -> Speak
*Nov 10 20:16:05.447: %RF-5-RF_RELOAD: Self reload. Reason: Not in correct state for becoming Standby
*Nov 10 20:16:05.451: %RF_INTERDEV-4-RELOAD: % RF induced self-reload. my state = ACTIVE peer state = STANDBY HOT
*Nov 10 20:16:05.987: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
R3(config-if)#
ROM: reload requested...
R4#
*Nov 10 20:16:05.491: %HSRP-5-STATECHANGE: FastEthernet0/1 Grp 10 state Standby -> Active
*Nov 10 20:16:05.659: %CRYPTO-5-IKE_SA_HA_STATUS: IKE sa's if any, for vip 10.1.0.100 will change from STANDBY to ACTIVE
*Nov 10 20:16:05.663: %CRYPTO-5-IPSEC_SA_HA_STATUS: IPSec sa's if any, for vip 10.1.0.100 will change from STANDBY to ACTIVE
R4#
R4#
*Nov 10 20:16:21.519: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 10.1.0.3 (FastEthernet0/1) is down: holding time expired
R4#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id status
10.1.0.100 10.1.0.5 QM_IDLE 1001 ACTIVE
IPv6 Crypto ISAKMP SA
R4#sh crypto session d
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 10.1.0.5 port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IKEv1 SA: local 10.1.0.100/500 remote 10.1.0.5/500 Active
Capabilities:(none) connid:1001 lifetime:23:59:18
IPSEC FLOW: permit ip host 10.2.0.2 host 10.0.0.6
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 11 drop 0 life (KB/Sec) 3737248/3569
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4198050/3569
R4#
*Nov 10 20:16:39.283: %OSPF-5-ADJCHG: Process 1, Nbr 10.2.0.3 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Dead timer expired
R4#
R4#
R4#sh crypto session d
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation
Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 10.1.0.5 port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IKEv1 SA: local 10.1.0.100/500 remote 10.1.0.5/500 Active
Capabilities:(none) connid:1001 lifetime:23:58:54
IPSEC FLOW: permit ip host 10.2.0.2 host 10.0.0.6
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 111 drop 0 life (KB/Sec) 3737233/3545
Outbound: #pkts enc'ed 92 drop 0 life (KB/Sec) 4198036/3545
R4#
As we see, the switchover works fine, and after 26 lost packets the backup tunnel took over. The ‘stateful’ feature keeps the active IKE and IPsec SAs on both nodes, so users don’t lose their sessions.
More information can be found here: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-ipsec/white_paper_c11_472859.html
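Both test runs above can be checked automatically: in the first test r4 showed ‘Session status: DOWN’ (step 5), in the stateful test it showed ‘UP-STANDBY’. As an added example (not from the original post), this parses ‘show crypto session detail’ output from both HQ routers, constructed here from the post’s own captures, and reports whether the pair is in the stateless or the stateful state, plus the warnings a healthy standby node should never raise.

```python
import re
from typing import Dict, List

# Sample 'show crypto session detail' blocks, constructed from the post's own
# captures (legend/lifetime lines trimmed): r3 active, r4 before and after SSO.
R3_ACTIVE = """\
Interface: FastEthernet1/0
Session status: UP-ACTIVE
Peer: 10.1.0.5 port 500 fvrf: (none) ivrf: (none)
  IPSEC FLOW: permit ip host 10.2.0.2 host 10.0.0.6
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 139 drop 0 life (KB/Sec) 4187230/3586
        Outbound: #pkts enc'ed 138 drop 0 life (KB/Sec) 4187230/3586
"""
R4_DOWN = """\
Interface: FastEthernet0/1
Session status: DOWN
Peer: 10.1.0.5 port 500 fvrf: (none) ivrf: (none)
  IPSEC FLOW: permit ip host 10.2.0.2 host 10.0.0.6
        Active SAs: 0, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
"""
R4_STANDBY = """\
Interface: FastEthernet0/1
Session status: UP-STANDBY
Peer: 10.1.0.5 port 500 fvrf: (none) ivrf: (none)
  IPSEC FLOW: permit ip host 10.2.0.2 host 10.0.0.6
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 3788414/3573
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4249214/3573
"""
SESSION_RE = re.compile(
    r"Interface: (?P<iface>\S+).*?Session status: (?P<status>[A-Z-]+).*?"
    r"Peer: (?P<peer>\d+\.\d+\.\d+\.\d+) port \d+.*?Active SAs: (?P<sas>\d+).*?"
    r"Inbound:\s+#pkts dec'ed (?P<pin>\d+).*?Outbound:\s+#pkts enc'ed (?P<pout>\d+)",
    re.S)

def parse_sessions(router: str, text: str) -> List[Dict]:
    """One dict per crypto session block found in the 'show' output."""
    return [{"router": router, "interface": m["iface"], "status": m["status"],
             "peer": m["peer"], "active_sas": int(m["sas"]),
             "pkts_in": int(m["pin"]), "pkts_out": int(m["pout"])}
            for m in SESSION_RE.finditer(text)]

def assess_pair(sessions: List[Dict], peer: str) -> Dict:
    """Classify the HA state of the HQ pair for one branch peer address."""
    mine = [s for s in sessions if s["peer"] == peer]
    active = [s for s in mine if s["status"] == "UP-ACTIVE"]
    standby = [s for s in mine if s["status"] == "UP-STANDBY"]
    if len(active) > 1:
        verdict = ("split-brain", "more than one node holds an active tunnel for this peer")
    elif not active:
        verdict = ("no-active", "no node has an active tunnel for this peer")
    elif standby:
        verdict = ("stateful", "backup holds synchronised SAs; failover needs no IKE")
    else:
        verdict = ("stateless", "backup must renegotiate IKE on failover (packet loss)")
    warnings = []
    for s in standby:
        # a healthy SSO standby mirrors the SA count but forwards nothing itself
        if active and s["active_sas"] != active[0]["active_sas"]:
            warnings.append(f"{s['router']}: SA count differs from the active node")
        if s["pkts_in"] or s["pkts_out"]:
            warnings.append(f"{s['router']}: standby node is forwarding traffic")
    return {"verdict": verdict[0], "detail": verdict[1],
            "active": [s["router"] for s in active],
            "standby": [s["router"] for s in standby], "warnings": warnings}

if __name__ == "__main__":
    before = parse_sessions("R3", R3_ACTIVE) + parse_sessions("R4", R4_DOWN)
    after = parse_sessions("R3", R3_ACTIVE) + parse_sessions("R4", R4_STANDBY)
    for label, ss in (("before SSO", before), ("after SSO", after)):
        print(label, assess_pair(ss, "10.1.0.5"))
```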