Stateful Switchover SSO

Jan 23rd, 2009

Hello,


I have SSO configured on my router. What if my primary RP went down; will it affect my IGP/BGP as well as MPLS LDP? Will LDP have to learn all the new labels or not?


thanks,

Devang Patel

Giuseppe Larosa Sat, 01/24/2009 - 03:04

Hello Devang,

The standby supervisor learns all the routing information from the active supervisor; this is the meaning of stateful.

So when switchover happens, the standby doesn't start from nothing but takes control of the linecards and attempts to pretend to be the same device with all neighbors.


see


"Configuration information and data structures are synchronized from the active to the redundant supervisor engine at startup and whenever changes to the active supervisor engine configuration occur. Following an initial synchronization between the two supervisor engines, SSO maintains state information between them, including forwarding information.


During switchover, system control and routing protocol execution is transferred from the active supervisor engine to the redundant supervisor engine. The switch requires between 0 and 3 seconds to switchover from the active to the redundant supervisor engine."


http://www.cisco.com/en/US/docs/routers/7600/ios/12.2SXF/configuration/guide/nsfsso.html#wp1097378


Otherwise it would take much longer to perform switchover, as happens with other redundancy strategies like RPR and RPR+.


I think they have a communication channel (a socket) between them to report all info.


Hope to help

Giuseppe


satavee_sjw Wed, 10/22/2014 - 02:03

Hi,

I just bought a new 3925 for IPsec-SSO.

Has anyone tried IPsec with SSO on a 3925 with IOS 15.2 (or 15.4)? I spent almost two weeks on it (following the instructions in the attached whitepaper) but had no luck. These instructions are OK with a Cisco 3725 (IOS 12.4).

But when I tried on the 3925, the standby router seems to delete the IPsec SA that it received from the HA Manager.

Below are the show redundancy states, show redundancy inter-device and debug results on the standby router (VPN2):

VPN2#sh redundancy states
Load for five secs: 1%/0%; one minute: 0%; five minutes: 0%
Time source is hardware calendar, *15:54:06.591 BKK Wed Oct 22 2014
       my state = 8  -STANDBY HOT
     peer state = 13 -ACTIVE
           Mode = Duplex
        Unit ID = 0

     Maintenance Mode = Disabled
    Manual Swact = cannot be initiated from this the standby unit
 Communications = Up

   client count = 15
 client_notification_TMR = 60000 milliseconds
           RF debug mask = 0x0  


VPN2#sh redundancy inter-device
Load for five secs: 1%/0%; one minute: 0%; five minutes: 0%
Time source is hardware calendar, *15:54:12.599 BKK Wed Oct 22 2014

Redundancy inter-device state: RF_INTERDEV_STATE_STDBY
  Scheme: Standby
      Groupname: ha-out Group State: Standby
  Peer present: RF_INTERDEV_PEER_COMM
  Security: Not configured
VPN2#

----debug--

*Oct 22 08:27:24.359: Processing HA Message 0:
*Oct 22 08:27:24.359: IPSec HA: Got bundle insert msg
*Oct 22 08:27:24.359: IPSec HA (crypto_ha_ipsec_mgr_recv_add_sas): HA mgr wants to insert the following bundle
*Oct 22 08:27:24.359: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 22 08:27:24.359: Crypto mapdb : proxy_match
        src addr     : 172.16.255.0
        dst addr     : 172.80.0.0
        protocol     : 256
        src port     : 0
        dst port     : 0
*Oct 22 08:27:24.359: IPSEC(crypto_ipsec_create_ipsec_sas): Map found dynmap, 1
*Oct 22 08:27:24.359: IPSec HA (crypto_ha_ipsec_notify_delete_sa): called
 
*Oct 22 08:27:24.359: IPSec HA (crypto_ha_ipsec_notify_delete_sa): operation not performed as standby
*Oct 22 08:27:24.359: IPSEC(get_old_outbound_sa_for_peer): No outbound SA found for peer 154E9BCC
*Oct 22 08:27:24.359: IPSEC(update_current_outbound_sa): updated peer 10.11.64.10 current outbound sa to SPI 0
*Oct 22 08:27:24.359: IPSEC(send_delete_notify_kmi): ASSERT FAILED: Decrement count mismatch for sibling :10553F0
*Oct 22 08:27:24.359: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
*Oct 22 08:27:24.359: IPSEC(ident_send_delete_notify_kmi): not in msg context Ident Delete SA msg: 0
VPN2#sh cry is sa
Load for five secs: 2%/0%; one minute: 1%; five minutes: 0%
Time source is hardware calendar, *15:27:36.679 BKK Wed Oct 22 2014
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.168.200.85  10.11.64.10     QM_IDLE          29006 STDBY 
 
IPv6 Crypto ISAKMP SA
 
VPN2#sh cry ipsec sa
Load for five secs: 1%/0%; one minute: 1%; five minutes: 0%
Time source is hardware calendar, *15:27:43.071 BKK Wed Oct 22 2014
 
VPN2#sh cry map
Load for five secs: 0%/0%; one minute: 1%; five minutes: 0%
Time source is hardware calendar, *15:27:45.615 BKK Wed Oct 22 2014
 
Crypto Map IPv4 "ha_dynamic" 1 ipsec-isakmp
        Dynamic map template tag: dynmap
        Interfaces using crypto map ha_dynamic:
                GigabitEthernet0/1
 
        Redundancy Status:
                Group: ha-out,  Type: Stateful HA,  VIP: 192.168.200.85
                Replay-interval: inbound:10  outbound:10000
 
VPN2#

 

Please let me know if you have any ideas or require more details.

Thanks in advance.

Satavee
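
A way to pull the failing sequence out of a longer capture of this debug output, added here as an example (it is not part of the post above and not Cisco tooling). The function names are hypothetical, the problem markers are only the message strings visible in the debug above, and the sketch flags the symptom without diagnosing its cause:

```python
import re

# Debug lines copied from the standby (VPN2) output in the post above.
SAMPLE = """\
*Oct 22 08:27:24.359: Processing HA Message 0:
*Oct 22 08:27:24.359: IPSec HA: Got bundle insert msg
*Oct 22 08:27:24.359: IPSEC(crypto_ipsec_create_ipsec_sas): Map found dynmap, 1
*Oct 22 08:27:24.359: IPSec HA (crypto_ha_ipsec_notify_delete_sa): called
*Oct 22 08:27:24.359: IPSec HA (crypto_ha_ipsec_notify_delete_sa): operation not performed as standby
*Oct 22 08:27:24.359: IPSEC(update_current_outbound_sa): updated peer 10.11.64.10 current outbound sa to SPI 0
*Oct 22 08:27:24.359: IPSEC(send_delete_notify_kmi): ASSERT FAILED: Decrement count mismatch for sibling :10553F0
"""

STAMPED = re.compile(r"^\*(\w{3} +\d+ [\d:.]+): (.*)$")
OUTBOUND = re.compile(r"updated peer (\S+) current outbound sa to SPI (\w+)")


def audit_bundle_inserts(text):
    """Group debug lines by HA bundle insert and note signs the SA was dropped."""
    events, cur = [], None
    for raw in text.splitlines():
        m = STAMPED.match(raw.strip())
        if not m:
            continue  # blank lines and un-stamped continuation fields
        stamp, msg = m.groups()
        if "Got bundle insert msg" in msg:
            cur = {"time": stamp, "peer": None, "spi": None, "problems": []}
            events.append(cur)
        elif cur is None:
            continue  # output that precedes the first insert
        elif "crypto_ha_ipsec_notify_delete_sa): called" in msg:
            cur["problems"].append("delete-SA path entered during insert")
        elif "ASSERT FAILED" in msg:
            cur["problems"].append(msg)
        elif (hit := OUTBOUND.search(msg)):
            cur["peer"], cur["spi"] = hit.groups()
            if int(cur["spi"], 16) == 0:  # assumes the SPI is printed in hex
                cur["problems"].append("outbound SPI reset to 0")
    return events


def failed_inserts(text):
    """Bundle inserts that show at least one problem marker."""
    return [e for e in audit_bundle_inserts(text) if e["problems"]]


if __name__ == "__main__":
    for e in failed_inserts(SAMPLE):
        print(e["time"], e["peer"], e["problems"])
```

Run against a full debug capture, each returned entry gives the timestamp and peer of a synchronized SA bundle that the standby did not keep, which can be compared with the empty `sh cry ipsec sa` output.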

 

 

 

Laurent Aubert Mon, 01/26/2009 - 17:46
User Badges:
  • Cisco Employee,

Hi Devang,


SSO allows you to keep all Line Card interfaces UP/UP during the switchover so your neighbors will not bring down their routing adj because of an interface flap.


SSO is associated with NSR (Non Stop Routing), which freezes the CEF table on the LC. As a reminder, all the transit traffic is switched by the LC. So NSR allows a de-synchronization between the control plane and the forwarding plane during the switchover. It's important because you lose your control plane during the switchover.


The last piece is GR support of IGP/BGP and LDP, so when your standby becomes active, it will request the help of its routing peers to re-build its control plane without dropping the adj.


You need all those pieces to achieve 0-3 s of packet loss during a switchover. NSR is activated as soon as SSO is UP and Running, but you need to configure GR for your routing protocols.


HTH


Laurent.

Racquel_Mays Thu, 12/01/2011 - 10:17

I configured SSO on a 3925 IOS 15.1 using a doc that was titled Stateful Failover for IPsec. I am not using IPsec, so I did not configure the IPsec part. However, my goal is to maintain state information between my two routers in an active/standby pairing. The routers are both configured for NAT, so the standby must maintain the state information present on the active router. Will SSO provide what I seek? I cannot seem to find any information on SSO for 3900 ISR routers that doesn't include IPsec.


Please advise.

Laurent Aubert Thu, 12/01/2011 - 11:40
User Badges:
  • Cisco Employee,

Hi,


On those lower platforms, SSO is per feature only. So SSO for IPsec can't be used for other features like NAT. For NAT we used to have SNAT (Stateful NAT), but it has been deprecated and SNAT is now only supported on the ASA platform.


http://www.cisco.com/en/US/partner/prod/collateral/iosswrel/ps6537/ps6586/ps6640/end_of_life_notice_c51-611706.html


Thanks,

Laurent.

nirav_6996 Thu, 12/01/2011 - 23:34

Dear Devang,


Laurent & Giuseppe are right.




Reg,

Nirav Patel
