IPSec stateful doesn't work (7200vxr,NPE-G2,VAM2+)

tomasz.tuzimek · ‎01-15-2008

I've c7200p-advsecurityk9-mz.124-15.T1.bin.

I've the same configuration IPSec statefull from IOS Security Configuration Guide Release 12.4

If I unpluged RJ45 from WAN or LAN interface on the Active router Standby router was restarting:

*Jan 15 05:02:42.827: %HSRP-5-STATECHANGE: GigabitEthernet0/2 Grp 1 state Standby -> Active

*Jan 15 05:02:42.827: %RF_INTERDEV-4-RELOAD: % RF induced self-reload

I have state on Standby router STANDBY COLD-BULK from 24 hours and it hasn't changed to STANDBY HOT:

7206vxr_2#show redundancy states

my state = 13 -ACTIVE

peer state = 7 -STANDBY COLD-BULK

Mode = Duplex

Unit ID = 0

Maintenance Mode = Disabled

Manual Swact = Disabled Reason: Progression in progress

Communications = Up

7206vxr_2#sh crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id slot status

13.0.0.2 13.0.0.3 QM_IDLE 13001 0 ACTIVE

1.0.0.2 1.0.0.1 QM_IDLE 13002 0 STDBY

7206vxr_2#sh crypto ipsec sa

interface: GigabitEthernet0/1

Crypto map tag: M, local addr 1.0.0.2

protected vrf: (none)

local ident (addr/mask/prot/port): (13.0.0.0/255.255.255.0/0/0)

remote ident (addr/mask/prot/port): (12.0.0.0/255.255.255.0/0/0)

current_peer 1.0.0.1 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0

#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 0, #recv errors 0

local crypto endpt.: 1.0.0.2, remote crypto endpt.: 1.0.0.1

path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/1

current outbound spi: 0xBBF7A57F(3153569151)

inbound esp sas:

spi: 0xDC8A107E(3700035710)

transform: esp-aes esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 2015, flow_id: VAM2+:15, crypto map: M

sa timing: remaining key lifetime (k/sec): (4023439/1282)

HA KB life last update received (k): (4023439)

IV size: 16 bytes

replay detection support: Y

Status: STANDBY

inbound ah sas:

inbound pcp sas:

outbound esp sas:

spi: 0xBBF7A57F(3153569151)

transform: esp-aes esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 2016, flow_id: VAM2+:16, crypto map: M

sa timing: remaining key lifetime (k/sec): (4023439/1278)

HA KB life last update received (k): (4023439)

IV size: 16 bytes

replay detection support: Y

Status: STANDBY

outbound ah sas:

outbound pcp sas:

interface: GigabitEthernet0/2

Crypto map tag: GigabitEthernet0/2-head-0, local addr 13.0.0.3

protected vrf: (none)

local ident (addr/mask/prot/port): (13.0.0.3/255.255.255.255/132/5000)

remote ident (addr/mask/prot/port): (13.0.0.2/255.255.255.255/132/5000)

current_peer 13.0.0.2 port 500

PERMIT, flags={origin_is_acl,}

#pkts encaps: 7659, #pkts encrypt: 7659, #pkts digest: 7659

#pkts decaps: 5699, #pkts decrypt: 5699, #pkts verify: 5699

#pkts compressed: 0, #pkts decompressed: 0

#pkts not compressed: 0, #pkts compr. failed: 0

#pkts not decompressed: 0, #pkts decompress failed: 0

#send errors 19, #recv errors 0

local crypto endpt.: 13.0.0.3, remote crypto endpt.: 13.0.0.2

path mtu 1500, ip mtu 1500, ip mtu idb GigabitEthernet0/2

current outbound spi: 0xE8FD1A3B(3908901435)

inbound esp sas:

spi: 0xAD56BC4B(2908142667)

transform: esp-aes esp-sha-hmac ,

in use settings ={Tunnel, }

conn id: 2019, flow_id: VAM2+:19, crypto map: GigabitEthernet0/2-head-0

sa timing: remaining key lifetime (k/sec): (4573671/2721)

IV size: 16 bytes

...

cisco24x7 · ‎01-15-2008

Welcome to the world of IPSec Stateful

failover with Cisco IOS.

The product is very buggy to say the least.

I currently have a open TAC case with cisco

on this. Even Cisco TAC engineers don't know

much about IPSec stateful on IOS either.

My ticket has been opened for almost 2 months

without any resolution. By the way, I am

using 12.4.16, latest I think.

The reload you saw is what cisco considered

"normal" in stateful IPSec failover, scary

isn't it? Currently, my IPSec stateful

isn't working. In other words,

when I issue "show crypto isakmp sa" on the

standby router, I have NO "QM_IDLE".

If you want a stable IPSec stateful failover

configuration, I suggest you go with

either Checkpoint firewalls or Pix. Stateful

failover IPSec on Cisco IOS is not something

you would want to use on a production

environment.

CCIE Security

tomasz.tuzimek · ‎01-16-2008

Too late, I bought two routers I will have to configure separately two routers.

If have you got any answer from TAC can you read to me email (tomek_999@o2.pl)?

--

Thanks

Tom

Giuseppe Larosa · ‎07-14-2008

Hello,

we have been a little more lucky we see QM_IDLE on the standby but we opened also a case TAC, because every day most of the remote sites experience loss of connectivity for two minutes and 5 /6 times per day. All the ipsec / isakmp negotiation has to be done again.

Our hw config is the same two 7206VXR with NPE-G2 and VAM2+.

I confirm we also get the self induced reload on both routers

RT-RM-TLD066-NEW-VPN-1 uptime is 5 days, 23 hours, 4 minutes

System returned to ROM by reload at 20:04:46 MEST Tue Jul 8 2008

System restarted at 20:06:09 MEST Tue Jul 8 2008

System image file is "disk2:c7200p-advsecurityk9-mz.124-4.XD3.bin"

>>Last reload reason: Self induced reload

RT-RM-TLD066-NEW-VPN-2 uptime is 5 days, 23 hours, 10 minutes

System returned to ROM by reload at 19:59:58 MEST Tue Jul 8 2008

System restarted at 20:01:21 MEST Tue Jul 8 2008

System image file is "disk2:c7200p-advsecurityk9-mz.124-4.XD3.bin"

>>Last reload reason: Self induced reload

We are trying to collect debug info for the TAC people.

We tried to change the active router but all we get were the reloads. The behaviour doesn't change.

We used the following link as a reference

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t11/feature/guide/gt_topht.html#wp1054176

Best Regards

Giuseppe