vpn failback

peter.williams (Level 1)

I am using tracking on the default routes to help track the failover for the VPN tunnel. However, when the interface comes back up, the VPN tunnel does not fail back to it. Is there something that I need to put in for the VPN tunnel to fail back?

7 Replies

Richard Burts (Hall of Fame)

Peter

Perhaps if you provide some config details about how normal routing is configured, how you track, and how you configure failover and failback, then we might be able to give better advice about how to solve this problem.

HTH

Rick

I am using OSPF and SLA tracking. When the primary interface comes up, the L2L VPN does not end on the secondary interface and start on the primary interface. If I do a clear crypto sa, then the VPN tunnel will come up on the primary interface.

ip sla monitor 1
 ! xxx.xxx.xxx.xxx is the primary interface IP address
 type echo protocol ipIcmpEcho xxx.xxx.xxx.xxx
ip sla monitor schedule 1 life forever start-time now
!
router ospf 68
 router-id 10.68.1.3
 log-adjacency-changes
 network 10.68.0.0 0.0.255.255 area 0
 network 172.16.68.0 0.0.0.255 area 0
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
ip route 0.0.0.0 0.0.0.0 Dialer1 200
ip route 10.0.255.1 255.255.255.255 Dialer0
ip route 10.0.255.1 255.255.255.255 Dialer1 200

Peter

What you have posted looks like a fairly effective implementation to manage routes so that the primary static default route is over Dialer0 and if there is a failure it should fail over to Dialer1.

But I still do not understand well what your problem is. In the original post I thought I understood that you have configured an IPSec VPN and that you wanted it to take a backup route if the primary failed. In your more recent description it sounds more like there are two different tunnels. Is that the case? Perhaps you can supply some more detail about how the IPSec is set up and what the problem is.

HTH

Rick

Hi Rick,

The failover for the VPN works now (but did not when I posted this) however when the primary comes back up then the VPN tunnel does not fail back automatically, is this something that should happen automatically or not? Is there something else I need to add to the configuration for this to happen?

Thank you for your replies, sorry for the confusion.

Peter

I am glad that the failover is now working. I am guessing that it should not automatically fail back. I am guessing that the default is to wait for the IPSec SA to expire (lifetime expiration) for it to fail back. But since I do not know how you have it configured it is just a guess at this point.

HTH

Rick

Rick,

Here is the configuration. If there is any way of changing the SA lifetime, please let me know.

Thank you, Pete

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
crypto isakmp key nothing address xxx.xxx.xxx.xxx
no crypto isakmp ccm
!
crypto ipsec transform-set WAI-PIX esp-3des esp-sha-hmac
!
crypto map VPN_TUNNEL 10 ipsec-isakmp
 set peer xxx.xxx.xxx.xxx
 set transform-set WAI-PIX
 match address TUNNEL
!
ip classless
ip route 0.0.0.0 0.0.0.0 Dialer0 track 1
ip route 0.0.0.0 0.0.0.0 Dialer1 200
ip route 10.0.255.1 255.255.255.255 Dialer0
ip route 10.0.255.1 255.255.255.255 Dialer1 200
!
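Peter's own observation is that a manual "clear crypto sa" brings the tunnel back up on the primary interface, and Rick's guess is that otherwise nothing happens until the IPsec SA lifetime expires. The fragment below, added here as an example and not taken from the thread or from Peter's posted configuration, automates that manual clear with an EEM applet keyed to the same track object the default route already uses, and also answers the SA-lifetime question. It assumes: track object 1 is bound to SLA probe 1 (the posted config uses "track 1" on the route but the track object itself is not shown, so it is written here with the older "rtr" syntax that matches "ip sla monitor"); an IOS release with EEM and "event track" support; xxx.xxx.xxx.xxx is the remote peer from the crypto map; and the crypto map is applied to both Dialer0 and Dialer1 (failover already works, so that is presumably the case).

```text
! Added example, not part of the original post. Assumptions are noted inline.
!
! 1. Track object bound to the SLA probe (assumed; not in the posted config).
!    Old "ip sla monitor" releases use "rtr", newer ones use "ip sla 1".
track 1 rtr 1 reachability
!
! 2. Dead Peer Detection: probe the peer every 10 s, retry every 3 s, so a
!    stale SA over Dialer1 is torn down instead of lingering for its lifetime.
crypto isakmp keepalive 10 3 periodic
!
! 3. Shorter IPsec SA lifetime (IOS default is 3600 s). Even without the
!    applet below, a rekey, and so a fresh SA over the now-preferred path,
!    then happens within 30 minutes of the primary route returning.
crypto ipsec security-association lifetime seconds 1800
!
! 4. EEM applet: when track 1 returns to up (primary path restored and the
!    Dialer0 default route reinstalled), clear the IKE/IPsec session to the
!    peer. The next interesting packet rebuilds the tunnel over Dialer0.
!    This is the same "clear crypto sa" that already works by hand.
event manager applet VPN-FAILBACK
 event track 1 state up
 action 1.0 cli command "enable"
 action 2.0 cli command "clear crypto session remote xxx.xxx.xxx.xxx"
 action 3.0 syslog msg "Track 1 up: cleared IPsec session to peer, re-establishing over Dialer0"
```

Two caveats a practitioner would check before relying on this. First, the applet fires as soon as the track object flips, so if the primary link is flapping it will clear the session on every transition; adding "delay up" to the track object (for example "track 1 rtr 1 reachability" followed by "delay up 30") dampens that. Second, when the tunnel moves between Dialer0 and Dialer1 its source address changes unless a loopback is used as the IKE endpoint ("crypto map VPN_TUNNEL local-address Loopback0"), so the remote peer must accept both addresses; since Peter reports that failover already works, that side is assumed to be handled. "show crypto session" and "show track 1" confirm the state after a test.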

Did anyone ever figure out how to fail back a VPN tunnel?
