IPSec with HSRP failover - have to clear session to work

dodgerfan78 · ‎12-21-2007

Hello,

Topology:

R1---R2----(HSRP)R3/R4----R5

I have set up a router (R2) to have an ipsec tunnel to an HSRP address.

The HSRP routers are R3 and R4.

When R1 sends pings to R5 the tunnel comes up.

R3 is the active router and when I run "show crypto isakmp sa" it is QM_IDLE which is good.

When I shut R3's interface (HSRP interface) I get this on R4:

*Mar 1 02:12:32.563: %HSRP-6-STATECHANGE: FastEthernet2/0 Grp 1 state Standby -> Active

*Mar 1 02:12:33.675: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid

spi for destaddr=172.12.234.34, prot=50, spi=0x418AEB73(1099623283), srcaddr=172.12.234.2

*Mar 1 02:12:33.687: ISAKMP: received ke message (3/1)

*Mar 1 02:12:33.687: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src

172.12.234.34 dst 172.12.234.2 for SPI 0x418AEB73

*Mar 1 02:12:39.691: ISAKMP: received ke message (3/1)

*Mar 1 02:12:39.695: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src

172.12.234.34 dst 172.12.234.2 for SPI 0x418AEB73

R4#

If I run "clear crypto session" on R2 the tunnel immediately comes up.

Any ideas how to have R2 clear the session on it's own so HSRP/IPSec can failover automatically?

Thanks,

Bryan

dodgerfan78 · ‎12-21-2007

What is more strange is that when I shutdown the interface pointing to R5, failover works great. On the R5 side I have OSPF running with RRI on R3 and R4.

-Bryan

dodgerfan78 · ‎12-22-2007

I got it to work when I enabled periodic DPD. When I turned periodic DPD off it was still working...strange, but it seems DPD is the key and it makes sense. When the encrypted DPD keepalives aren't returned, the SA will eventually be deleted. Then any new traffic will cause new SAs to be established.