09-07-2007 05:40 AM - edited 03-03-2019 06:39 PM
I am using tracking on the default routes to help track the failover for the VPN tunnel. However when the interface comes back up, the VPN tunnel does not failback to it. Is there something that I need to put in for the VPN tunnel to failback?
09-07-2007 08:22 AM
Peter
Perhaps if you provide some config details about how normal routing is configured, how you track, and how you configure failover and failback, then we might be able to give better advice about how to solve this problem.
HTH
Rick
09-10-2007 11:29 AM
I am using OSPF and SLA tracking. When the primary interface comes up, the L2L VPN does not end on the secondary interface and start on the primary interface. If I do a `clear crypto sa`, then the VPN tunnel will come up on the primary interface.
ip sla monitor 1
type echo protocol ipIcmpEcho xxx.xxx.xxx.xxx
! (xxx.xxx.xxx.xxx is the primary interface IP address)
ip sla monitor schedule 1 life forever start-time now
router ospf 68
router-id 10.68.1.3
log-adjacency-changes
network 10.68.0.0 0.0.255.255 area 0
network 172.16.68.0 0.0.0.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
ip route 0.0.0.0 0.0.0.0 Dialer1 200
ip route 10.0.255.1 255.255.255.255 Dialer0
ip route 10.0.255.1 255.255.255.255 Dialer1 200
09-10-2007 11:59 AM
Peter
What you have posted looks like a fairly effective implementation to manage routes so that the primary static default route is over Dialer0 and if there is a failure it should fail over to Dialer1.
But I still do not understand well what your problem is. In the original post I thought I understood that you have configured an IPSec VPN and that you wanted it to take a backup route if the primary failed. In your more recent description it sounds more like there are two different tunnels. Is that the case? Perhaps you can supply some more detail about how the IPSec is set up and what the problem is.
HTH
Rick
09-11-2007 07:20 AM
Hi Rick,
The failover for the VPN works now (but did not when I posted this); however, when the primary comes back up, the VPN tunnel does not fail back automatically. Is this something that should happen automatically or not? Is there something else I need to add to the configuration for this to happen?
Thank you for your replies, sorry for the confusion.
09-11-2007 07:38 AM
Peter
I am glad that the failover is now working. I am guessing that it should not automatically fail back. I am guessing that the default is to wait for the IPSec SA to expire (lifetime expiration) for it to fail back. But since I do not know how you have it configured it is just a guess at this point.
HTH
Rick
09-11-2007 07:47 AM
Rick,
Here is the configuration. If there is any way of changing the SA lifetime, please let me know.
Thank you, Pete
crypto isakmp policy 1
encr 3des
authentication pre-share
group 2
crypto isakmp key nothing address xxx.xxx.xxx.xxx
no crypto isakmp ccm
!
!
crypto ipsec transform-set WAI-PIX esp-3des esp-sha-hmac
!
crypto map VPN_TUNNEL 10 ipsec-isakmp
set peer xxx.xxx.xxx.xxx
set transform-set WAI-PIX
match address TUNNEL
!
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
ip route 0.0.0.0 0.0.0.0 Dialer1 200
ip route 10.0.255.1 255.255.255.255 Dialer0
ip route 10.0.255.1 255.255.255.255 Dialer1 200
!
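The behaviour Rick guesses at above is what you would expect: an IPsec SA that was negotiated while traffic was going out Dialer1 stays bound to that path until it is torn down, and the static route flapping back to Dialer0 does not, by itself, renegotiate it. The fragment below is an added example, not part of either poster's configuration, showing the three knobs that control how fast the tunnel moves back: the IPsec SA lifetime (the question asked in the post), ISAKMP dead-peer detection so a dead path is noticed before the lifetime expires, and an EEM applet that clears the SAs for this peer the moment `track 1` comes back up, which is just an automated version of the `clear crypto sa` that already works by hand. The peer address is the redacted `xxx.xxx.xxx.xxx` from the posts; the applet name and the numeric values are assumptions chosen for illustration. The crypto policy is kept as posted so the fragment drops in alongside it; 3DES and DH group 2 are deprecated today and a new deployment should use AES and a stronger group.

```cisco
! Added example: SA lifetime, DPD and a failback trigger for the posted config.
! Values and the applet name are assumptions, not taken from the original posts.

! Shorten the IPsec SA lifetime from the 3600-second default so that, even
! without the applet below, the tunnel renegotiates sooner after a failback.
crypto ipsec security-association lifetime seconds 1800

! Dead peer detection: probe the peer every 10 s, retry every 3 s once it is
! quiet. "periodic" sends probes regardless of traffic, so a dead primary path
! is detected instead of waiting for the lifetime to run out.
crypto isakmp keepalive 10 3 periodic

! The crypto map must be present on both exit interfaces, otherwise the tunnel
! cannot be built on whichever dialer the tracked default route currently uses.
interface Dialer0
 crypto map VPN_TUNNEL
!
interface Dialer1
 crypto map VPN_TUNNEL
!
! EEM applet (name assumed): when the SLA-tracked object 1 goes back to "up",
! the default route has already moved to Dialer0, so tear down the SAs that
! were built over Dialer1. The next interesting packet matching ACL TUNNEL
! renegotiates the tunnel over the primary path, exactly as the manual
! "clear crypto sa" in the thread does. Expect a brief interruption while the
! new SAs are negotiated.
event manager applet VPN_FAILBACK
 event track 1 state up
 action 1.0 syslog msg "Track 1 up: clearing IPsec/ISAKMP SAs to force VPN failback"
 action 2.0 cli command "enable"
 action 3.0 cli command "clear crypto sa peer xxx.xxx.xxx.xxx"
 action 4.0 cli command "clear crypto isakmp"
```

After applying it, `show crypto ipsec sa peer xxx.xxx.xxx.xxx` should report the local endpoint as the Dialer0 address within a few seconds of the SLA probe succeeding again; `show track 1` confirms the state transition that fires the applet. Note that `clear crypto isakmp` without an argument clears every ISAKMP SA on the box, which is fine when this is the only peer but should be narrowed to the connection ID if more tunnels are added later.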
10-04-2007 09:40 AM
Did anyone ever figure out how to fail back a VPN tunnel?