01-15-2008 07:40 AM - edited 02-21-2020 03:29 PM
I have c7200p-advsecurityk9-mz.124-15.T1.bin.
I have the same IPSec stateful configuration from the IOS Security Configuration Guide Release 12.4.
If I unplugged the RJ45 from the WAN or LAN interface on the Active router, the Standby router restarted:
*Jan 15 05:02:42.827: %HSRP-5-STATECHANGE: GigabitEthernet0/2 Grp 1 state Standby -> Active
*Jan 15 05:02:42.827: %RF_INTERDEV-4-RELOAD: % RF induced self-reload
The Standby router has been in state STANDBY COLD-BULK for 24 hours and it hasn't changed to STANDBY HOT:
7206vxr_2#show redundancy states
my state = 13 -ACTIVE
peer state = 7 -STANDBY COLD-BULK
Mode = Duplex
Unit ID = 0
Maintenance Mode = Disabled
Manual Swact = Disabled Reason: Progression in progress
Communications = Up
7206vxr_2#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
13.0.0.2 13.0.0.3 QM_IDLE 13001 0 ACTIVE
1.0.0.2 1.0.0.1 QM_IDLE 13002 0 STDBY
7206vxr_2#sh crypto ipsec sa
interface: GigabitEthernet0/1
Crypto map tag: M, local addr 1.0.0.2
protected vrf: (none)
local ident (addr/mask/prot/port): (13.0.0.0/255.255.255.0/0/0)
remote ident (addr/mask/prot/port): (12.0.0.0/255.255.255.0/0/0)
current_peer 1.0.0.1 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 0, #recv errors 0
local crypto endpt.: 1.0.0.2, remote crypto endpt.: 1.0.0.1
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1
current outbound spi: 0xBBF7A57F(3153569151)
inbound esp sas:
spi: 0xDC8A107E(3700035710)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2015, flow_id: VAM2+:15, crypto map: M
sa timing: remaining key lifetime (k/sec): (4023439/1282)
HA KB life last update received (k): (4023439)
IV size: 16 bytes
replay detection support: Y
Status: STANDBY
inbound ah sas:
inbound pcp sas:
outbound esp sas:
spi: 0xBBF7A57F(3153569151)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2016, flow_id: VAM2+:16, crypto map: M
sa timing: remaining key lifetime (k/sec): (4023439/1278)
HA KB life last update received (k): (4023439)
IV size: 16 bytes
replay detection support: Y
Status: STANDBY
outbound ah sas:
outbound pcp sas:
interface: GigabitEthernet0/2
Crypto map tag: GigabitEthernet0/2-head-0, local addr 13.0.0.3
protected vrf: (none)
local ident (addr/mask/prot/port): (13.0.0.3/255.255.255.255/132/5000)
remote ident (addr/mask/prot/port): (13.0.0.2/255.255.255.255/132/5000)
current_peer 13.0.0.2 port 500
PERMIT, flags={origin_is_acl,}
#pkts encaps: 7659, #pkts encrypt: 7659, #pkts digest: 7659
#pkts decaps: 5699, #pkts decrypt: 5699, #pkts verify: 5699
#pkts compressed: 0, #pkts decompressed: 0
#pkts not compressed: 0, #pkts compr. failed: 0
#pkts not decompressed: 0, #pkts decompress failed: 0
#send errors 19, #recv errors 0
local crypto endpt.: 13.0.0.3, remote crypto endpt.: 13.0.0.2
path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/2
current outbound spi: 0xE8FD1A3B(3908901435)
inbound esp sas:
spi: 0xAD56BC4B(2908142667)
transform: esp-aes esp-sha-hmac ,
in use settings ={Tunnel, }
conn id: 2019, flow_id: VAM2+:19, crypto map: GigabitEthernet0/2-head-0
sa timing: remaining key lifetime (k/sec): (4573671/2721)
IV size: 16 bytes
...
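An added health check (not code from the thread or from Cisco) that parses the two show outputs posted above and flags the symptoms described: the redundancy peer sitting in STANDBY COLD-BULK instead of STANDBY HOT, and an ISAKMP table with no QM_IDLE entry. The sample outputs are trimmed from the post; the 600 s COLD-BULK tolerance is an assumed threshold.

```python
import re

# Constructed sample, trimmed from the outputs posted in the thread above.
REDUNDANCY_OUT = """\
my state = 13 -ACTIVE
peer state = 7 -STANDBY COLD-BULK
Mode = Duplex
Communications = Up
"""

ISAKMP_OUT = """\
IPv4 Crypto ISAKMP SA
dst src state conn-id slot status
13.0.0.2 13.0.0.3 QM_IDLE 13001 0 ACTIVE
1.0.0.2 1.0.0.1 QM_IDLE 13002 0 STDBY
"""

def parse_redundancy(text):
    """Return {'my': 'ACTIVE', 'peer': 'STANDBY COLD-BULK'} from `show redundancy states`."""
    states = {}
    for m in re.finditer(r"^(my|peer) state\s*=\s*\d+\s*-(.+?)\s*$", text, re.M):
        states[m.group(1)] = m.group(2)
    return states

def parse_isakmp(text):
    """Return (dst, src, state, status) tuples from `show crypto isakmp sa`."""
    pat = re.compile(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+\d+\s+\d+\s+(\S+)")
    return [m.groups() for m in (pat.match(l.strip()) for l in text.splitlines()) if m]

def failover_findings(redundancy_text, isakmp_text, seconds_in_state, max_cold_bulk=600):
    """List the failover problems visible in the two outputs (empty list = healthy).
    seconds_in_state: how long the peer has reported its current state."""
    findings = []
    peer = parse_redundancy(redundancy_text).get("peer", "")
    if peer != "STANDBY HOT":
        # COLD-BULK is a transient sync phase; staying there is the stuck case.
        if "COLD-BULK" in peer and seconds_in_state <= max_cold_bulk:
            pass  # still within the assumed sync window
        else:
            findings.append(f"peer state {peer!r} after {seconds_in_state}s, expected STANDBY HOT")
    rows = parse_isakmp(isakmp_text)
    if not any(r[2] == "QM_IDLE" for r in rows):
        findings.append("no ISAKMP SA in QM_IDLE: nothing is established for failover")
    for dst, src, state, status in rows:
        if status == "STDBY" and state != "QM_IDLE":
            findings.append(f"STDBY SA {src}->{dst} is {state}, not QM_IDLE")
    return findings

if __name__ == "__main__":
    for f in failover_findings(REDUNDANCY_OUT, ISAKMP_OUT, 24 * 3600):
        print("WARN:", f)
```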
01-15-2008 09:23 AM
Welcome to the world of IPSec Stateful failover with Cisco IOS. The product is very buggy to say the least. I currently have an open TAC case with Cisco on this. Even Cisco TAC engineers don't know much about IPSec stateful on IOS either. My ticket has been open for almost 2 months without any resolution. By the way, I am using 12.4.16, the latest I think.
The reload you saw is what Cisco considers "normal" in stateful IPSec failover, scary isn't it? Currently, my IPSec stateful isn't working. In other words, when I issue "show crypto isakmp sa" on the standby router, I have NO "QM_IDLE".
If you want a stable IPSec stateful failover configuration, I suggest you go with either Checkpoint firewalls or PIX. Stateful failover IPSec on Cisco IOS is not something you would want to use in a production environment.
CCIE Security
01-16-2008 05:08 AM
Too late, I bought two routers; I will have to configure the two routers separately.
If you have got any answer from TAC, can you send it to my email (tomek_999@o2.pl)?
--
Thanks
Tom
07-14-2008 09:21 AM
Hello,
We have been a little luckier: we see QM_IDLE on the standby, but we also opened a TAC case, because every day most of the remote sites experience loss of connectivity for two minutes, 5/6 times per day. All the IPsec/ISAKMP negotiation has to be done again.
Our HW config is the same: two 7206VXR with NPE-G2 and VAM2+.
I confirm we also get the self-induced reload on both routers:
RT-RM-TLD066-NEW-VPN-1 uptime is 5 days, 23 hours, 4 minutes
System returned to ROM by reload at 20:04:46 MEST Tue Jul 8 2008
System restarted at 20:06:09 MEST Tue Jul 8 2008
System image file is "disk2:c7200p-advsecurityk9-mz.124-4.XD3.bin"
>>Last reload reason: Self induced reload
RT-RM-TLD066-NEW-VPN-2 uptime is 5 days, 23 hours, 10 minutes
System returned to ROM by reload at 19:59:58 MEST Tue Jul 8 2008
System restarted at 20:01:21 MEST Tue Jul 8 2008
System image file is "disk2:c7200p-advsecurityk9-mz.124-4.XD3.bin"
>>Last reload reason: Self induced reload
We are trying to collect debug info for the TAC people.
We tried to change the active router but all we got were the reloads. The behaviour doesn't change.
We used the following link as a reference:
http://www.cisco.com/en/US/docs/ios/12_3t/12_3t11/feature/guide/gt_topht.html#wp1054176
Best Regards
Giuseppe