Hi all, I need to warn you that I'm kind of new to the Cisco world, and of course my introduction has been a little rough.
I've been trying to configure a pair of 6500's with FWSM's and VPN SPA's in them to work together in a stateful active/standby configuration. The kicker is that I'm also using VRF. I've attached a diagram of the architecture I'm dealing with.
If you refer to the diagram, my problems are:
- from the test PC I have in the private VLAN (VLAN 298) behind the FWSM I can ping all the interfaces on both 6500's all the way through until I reach the VPN SPA and then I cannot ping any further. I am unable to reach my ISP's HSRP interface or any other addresses in the network behind those interfaces.
- from each 6500 they are unable to ping the other's "public" addresses that are on the same subnet as my ISP's routers.
- the State-Syncronization-Protocol (SSP) channel is not connecting.
- a test VPN to a peer that is behind my ISP's routers is not initiating. It's not even attempting a key exchange.
If you've looked at the diagram you may be wondering about the purpose of the connection I have from gi1/2 to gi1/3. This is a crossover cable that connects the gi1/3 routed port to a gi1/2 switchport that is a member of my public VLAN (VLAN 40). Originally I had my public VLAN as the public interface on the VPN SPA. While my SSP channel did connect and both 6500's could ping each other on that VLAN interface, I was still unable to ping my ISP's routers and my VPN wasn't coming up. So I switched to using a physical interface as my public interface on the VPN SPA (gi1/3) because this is closer to the example that I based my configuration on.
I based a lot of my configuration using the VRF-Aware IPSec Chassis-to-Chassis Stateful Failover example in the Configuration Catalyst 6500 Series Switch SIP, SSC, and SPA Software Configuration Guide (page 25-208). The configurations look pretty close, and I've attached them here for your inspection.
If anyone has any ideas on where I might be going wrong I'd be eternally greatful. I have a project that is going to depend on these and my window for testing is closing pretty rapidly. And I do have a TAC call in right now, but it's been over 3 weeks without resolution. :(