Help with IPSec stateful (aka sso Inter Process Communication)

Unanswered Question
Nov 28th, 2007

I need help from experts in this forum:

I have a pair of Cisco VXR7206 running IOS version c7200-jk9s-mz.124-10a.bin. I set up this pair of routers for stateful IPSec failover. In other words, if the Active router is rebooted, the standby router will take over and the VPN tunnel will stay up. The remote VPN peer only sees the HSRP of this device.

The VPN is up and running, but on the standby router these commands show nothing. Not only that, when I reboot the Active router the VPN tunnel goes down.

Any ideas?

PLN_VPN_1#sh stand
FastEthernet0/0 - Group 10
  State is Standby
    1 state change, last state change 00:22:11
  Virtual IP address is 10.109.114.99
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec (cfgd 15 sec), hold time 10 sec (cfgd 45 sec)
    Next hello sent in 0.524 secs
  Authentication text "EXTERNAL"
  Preemption enabled
  Active router is 10.109.114.101, priority 100 (expires in 9.296 sec)
  Standby router is local
  Priority 100 (default 100)
    Track interface FastEthernet1/0 state Up decrement 10
  IP redundancy name is "EXTERNAL" (cfgd)
FastEthernet1/0 - Group 20
  State is Standby
    1 state change, last state change 00:22:11
  Virtual IP address is 10.250.97.1
  Active virtual MAC address is 0000.0c07.ac14
    Local virtual MAC address is 0000.0c07.ac14 (v1 default)
  Hello time 3 sec (cfgd 15 sec), hold time 10 sec (cfgd 45 sec)
    Next hello sent in 0.524 secs
  Authentication text "INTERNAL"
  Preemption enabled
  Active router is 10.250.97.3, priority 100 (expires in 9.628 sec)
  Standby router is local
  Priority 100 (default 100)
    Track interface FastEthernet0/0 state Up decrement 10
  IP redundancy name is "INTERNAL" (cfgd)

PLN_VPN_1#sh crypto ha
IKE VIP: 10.109.114.99
     stamp: Not set
IPSec VIP: 10.109.114.99

PLN_VPN_1#sh crypto isakmp sa
dst             src             state          conn-id slot status

PLN_VPN_1#sh crypto ipsec sa stand
No SAs found

PLN_VPN_1#sh crypto session stand

PLN_VPN_1#sh crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication

Interface: FastEthernet0/0
Session status: DOWN
Peer: 198.147.10.193 port 500 fvrf: (none) ivrf: (none)
      Desc: (none)
      Phase1_id: (none)
  IPSEC FLOW: permit ip 10.250.97.0/255.255.255.0 192.168.1.0/255.255.255.0
        Active SAs: 0, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0

Interface: FastEthernet0/0
Session status: DOWN
Peer: 10.109.114.101 port 500 fvrf: (none) ivrf: (none)
      Desc: (none)
      Phase1_id: (none)
  IPSEC FLOW: permit 132 host 10.109.114.100 port 5000 host 10.109.114.101 port 5000
        Active SAs: 0, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 728 life (KB/Sec) 0/0
  IPSEC FLOW: permit 132 host 10.109.114.100 port 5001 host 10.109.114.101 port 5001
        Active SAs: 0, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 728 life (KB/Sec) 0/0

PLN_VPN_1#

Can someone help? Thanks

kevin.jones1 Wed, 11/28/2007 - 08:23

PLN_VPN_2#sh stand
FastEthernet1/0 - Group 10
  State is Active
    2 state changes, last state change 00:34:28
  Virtual IP address is 10.109.114.99
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.052 secs
  Authentication text "EXTERNAL"
  Preemption enabled
  Active router is local
  Standby router is 10.109.114.100, priority 100 (expires in 7.276 sec)
  Priority 100 (default 100)
    Track interface FastEthernet1/1 state Up decrement 10
  IP redundancy name is "EXTERNAL" (cfgd)
FastEthernet1/1 - Group 20
  State is Active
    2 state changes, last state change 00:34:28
  Virtual IP address is 10.250.97.1
  Active virtual MAC address is 0000.0c07.ac14
    Local virtual MAC address is 0000.0c07.ac14 (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.388 secs
  Authentication text "INTERNAL"
  Preemption enabled
  Active router is local
  Standby router is 10.250.97.2, priority 100 (expires in 7.276 sec)
  Priority 100 (default 100)
    Track interface FastEthernet1/0 state Up decrement 10
  IP redundancy name is "INTERNAL" (cfgd)

PLN_VPN_2#sh crypto isakmp sa
dst             src             state          conn-id slot status
198.147.10.193  10.109.114.99   QM_IDLE              1    0 ACTIVE

PLN_VPN_2#sh crypto ha
IKE VIP: 10.109.114.99
     stamp: A7 84 38 8C C5 64 49 F6 F7 9A 35 40 FE 33 F1 FB
IPSec VIP: 10.109.114.99

PLN_VPN_2#sh crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication

Interface: FastEthernet1/0
Session status: UP-ACTIVE
Peer: 198.147.10.193 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 198.147.10.193
      Desc: (none)
  IKE SA: local 10.109.114.99/500 remote 198.147.10.193/500 Active
          Capabilities:(none) connid:1 lifetime:23:27:22
  IPSEC FLOW: permit ip 10.250.97.0/255.255.255.0 192.168.1.0/255.255.255.0
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 172406 drop 0 life (KB/Sec) 4393312/1899
        Outbound: #pkts enc'ed 172406 drop 2 life (KB/Sec) 4393312/1899

Interface: FastEthernet1/0
Session status: DOWN
Peer: 10.109.114.100 port 500 fvrf: (none) ivrf: (none)
      Desc: (none)
      Phase1_id: (none)
  IPSEC FLOW: permit 132 host 10.109.114.101 port 5000 host 10.109.114.100 port 5000
        Active SAs: 0, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 1031 life (KB/Sec) 0/0
  IPSEC FLOW: permit 132 host 10.109.114.101 port 5001 host 10.109.114.100 port 5001
        Active SAs: 0, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 1031 life (KB/Sec) 0/0

PLN_VPN_2#ping 10.109.114.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.109.114.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
PLN_VPN_2#
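
The standby outputs in the question and the active outputs in this reply already contain the signals a practitioner would check first. As an added example (not from the thread and not Cisco's code), here is a small Python checker that parses the text of "show crypto ha" and "show crypto session detail" from a standby router and reports whether it looks ready to take over. The sample outputs are constructed from the values in the thread, plus a hypothetical healthy set; the regular expressions assume the 12.4 layout shown above; and treating a "Not set" stamp as "no state received yet" is an assumption drawn from the difference between the two routers, to be confirmed against the IOS documentation for the release in use.

```python
"""Readiness check for IOS stateful IPsec failover from show-command text.
Added example: samples are constructed from the thread, not captured verbatim."""
import re
from dataclasses import dataclass

# Constructed sample: the standby router (PLN_VPN_1) as posted in the question.
STANDBY_CRYPTO_HA = """\
IKE VIP: 10.109.114.99
     stamp: Not set
IPSec VIP: 10.109.114.99
"""

STANDBY_SESSION_DETAIL = """\
Interface: FastEthernet0/0
Session status: DOWN
Peer: 198.147.10.193 port 500 fvrf: (none) ivrf: (none)
  IPSEC FLOW: permit ip 10.250.97.0/255.255.255.0 192.168.1.0/255.255.255.0
        Active SAs: 0, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0

Interface: FastEthernet0/0
Session status: DOWN
Peer: 10.109.114.101 port 500 fvrf: (none) ivrf: (none)
  IPSEC FLOW: permit 132 host 10.109.114.100 port 5000 host 10.109.114.101 port 5000
        Active SAs: 0, origin: crypto map
        Outbound: #pkts enc'ed 0 drop 728 life (KB/Sec) 0/0
  IPSEC FLOW: permit 132 host 10.109.114.100 port 5001 host 10.109.114.101 port 5001
        Active SAs: 0, origin: crypto map
        Outbound: #pkts enc'ed 0 drop 728 life (KB/Sec) 0/0
"""

# Constructed, hypothetical sample of a standby whose IPC flows are up.
HEALTHY_CRYPTO_HA = """\
IKE VIP: 10.109.114.99
     stamp: 0A 1B 2C 3D 4E 5F 60 71 82 93 A4 B5 C6 D7 E8 F9
IPSec VIP: 10.109.114.99
"""

HEALTHY_SESSION_DETAIL = """\
Peer: 10.109.114.101 port 500 fvrf: (none) ivrf: (none)
  IPSEC FLOW: permit 132 host 10.109.114.100 port 5000 host 10.109.114.101 port 5000
        Active SAs: 2, origin: crypto map
        Outbound: #pkts enc'ed 4120 drop 0 life (KB/Sec) 4393312/1899
  IPSEC FLOW: permit 132 host 10.109.114.100 port 5001 host 10.109.114.101 port 5001
        Active SAs: 2, origin: crypto map
        Outbound: #pkts enc'ed 4120 drop 0 life (KB/Sec) 4393312/1899
"""


@dataclass
class Flow:
    """One 'IPSEC FLOW' entry plus the counters printed under it."""
    peer: str
    selector: str
    active_sas: int = 0
    out_drops: int = 0


def parse_session_detail(text):
    """Return the flows in 'show crypto session detail' output, in order."""
    flows, peer = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"Peer: (\S+) port", line):
            peer = m.group(1)
        elif m := re.match(r"IPSEC FLOW: (.+)", line):
            flows.append(Flow(peer=peer, selector=m.group(1)))
        elif flows and (m := re.match(r"Active SAs: (\d+)", line)):
            flows[-1].active_sas = int(m.group(1))
        elif flows and (m := re.match(r"Outbound: #pkts enc'ed \d+ drop (\d+)", line)):
            flows[-1].out_drops = int(m.group(1))
    return flows


def stamp_is_set(crypto_ha_text):
    """True when 'show crypto ha' reports a sync stamp other than 'Not set'."""
    m = re.search(r"stamp: (.+)", crypto_ha_text)
    return bool(m) and m.group(1).strip() != "Not set"


# The inter-device IPC runs over SCTP (IP protocol 132) between the routers'
# real addresses; in the thread it is itself carried inside an IPsec flow.
IPC_FLOW = re.compile(r"^permit 132 host \S+ port \d+ host \S+ port \d+$")


def check_standby(crypto_ha_text, session_text):
    """Return a list of findings; an empty list means the standby looks ready."""
    findings = []
    if not stamp_is_set(crypto_ha_text):  # assumption: unset stamp = nothing synced yet
        findings.append("sync stamp is 'Not set': no IKE/IPsec state received from the active")
    ipc_flows = [f for f in parse_session_detail(session_text) if IPC_FLOW.match(f.selector)]
    if not ipc_flows:
        findings.append("no IPsec flow protecting the SCTP (proto 132) IPC was found")
    for f in ipc_flows:
        if f.active_sas == 0:
            findings.append(f"IPC flow to {f.peer} '{f.selector}' has no active SA; "
                            f"{f.out_drops} outbound packets dropped, so IPC cannot pass")
    return findings


if __name__ == "__main__":
    for name, ha, sess in (("standby as posted", STANDBY_CRYPTO_HA, STANDBY_SESSION_DETAIL),
                           ("healthy standby", HEALTHY_CRYPTO_HA, HEALTHY_SESSION_DETAIL)):
        print(f"== {name} ==")
        for finding in check_standby(ha, sess) or ["no findings"]:
            print(" -", finding)
```

Run with python3 to print the findings for both samples. On the standby as posted it reports the unset stamp and that both IPsec flows protecting the SCTP IPC (protocol 132, ports 5000 and 5001, between the real interface addresses rather than the HSRP virtual address) have no SA and are dropping every outbound packet; since that is the channel over which the active pushes IKE and IPsec state, a standby in this condition cannot keep the tunnel up on failover, which matches the behaviour described in the question. Getting the IKE/IPsec session between 10.109.114.100 and 10.109.114.101 to come up is therefore the first thing to verify before looking at the HSRP or crypto-map side.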

bauer.juergen Wed, 11/28/2007 - 08:45

Did you try the "redundancy standby-group-name stateful" command under your crypto ipsec profile?

regards,
juergen

kevin.jones1 Wed, 11/28/2007 - 09:36

That command is NOT needed. I added it in anyway but it still does not work.

I would like to get opinions from experts who actually deploy this in their production environments and verify that this crap from Cisco is actually working as claimed by Cisco.
