IPSec VPN - 2 x Set Peers

Unanswered Question
Jan 24th, 2009


I have a problem configuring a site-to-site VPN tunnel on Cisco ISR 3825 (used at the DC) and 2811 (used at Branches and Aggregation Points) routers.

Branches connect to the Aggregation Point (in short, I call it AP) and Aggregation Points connect to the Data Center. The AP's primary Leased Line connectivity connects to DCR1 and the backup ISDN connects to DCR2.

Note: Routing is absolutely perfect and there are no issues.

But I'm facing a problem when configuring the site-to-site VPN. I have configured 2 x Set Peers on the Branch's crypto map, which I have applied on the outgoing Leased Line serial interface. The first Set Peer is the Serial Leased Line of DCR1, which actually connects to the AP's Serial Leased Line interface, and the second Set Peer is the Dialer Interface of DCR2, which connects to the AP's Dialer interface.

The reason to configure 2 x Set Peers on the Branch Routers is: since the Branch Router is not directly connected to the DC, the Branch traffic has to be encrypted until it reaches the DC. So, if the AP's Primary Leased Line fails, the Branch has to switch over the VPN connectivity to the DC through the AP's ISDN Backup. In short, it means that VPN connectivity will switch over from DCR1 to DCR2 when the AP's Leased Line connectivity fails.

When the primary leased line of the AP connecting to DCR1 fails, the Branch will not try to establish VPN connectivity with DCR2 (the 2nd Set Peer configured under the Crypto Map) until I remove the crypto map and reapply it on the Branch's Serial 0/0 interface.

What can I do to solve this problem without manually removing and reapplying the crypto map on the Branch's Serial 0/0 interface?

Please note: the problem is with the VPN source as the Branch's Serial interface and the VPN destination as DCR1 & DCR2.

Please find attached the Network Diagram with configuration output and debug output. I found that even when the Branch has lost its VPN connectivity with DCR1, it is still trying to establish the VPN connectivity with the 1st set peer instead of trying the 2nd set peer. After removing and reapplying the crypto map under the Branch's Serial 0/0 interface, the Branch established the VPN connectivity with the 2nd set peer.

I request someone to help me solve this problem!


Keshava Raju
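The configuration pattern the post describes, as an added example that is not the poster's own configuration: a Branch crypto map with two set peers, applied to the leased-line serial interface, plus IKE keepalives (dead peer detection). In Cisco IOS, IKE only moves from the first set peer to the next one after the first has been declared dead or fails to negotiate; without keepalives the router has no signal that DCR1 is gone and keeps retrying it, which matches the symptom in the post. All addresses, interface names, ACL and key values below are constructed placeholders.

```cisco
! Added example, not the poster's configuration. All addresses, names and
! key values are constructed placeholders.
!
! Dead peer detection: send an IKE keepalive every 10 s and retry every 3 s
! once a reply is missed. When the retries are exhausted the peer is declared
! dead and IKE moves on to the next "set peer" in the crypto map.
crypto isakmp keepalive 10 3 periodic
!
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
 hash sha
!
! One pre-shared key per peer: DCR1 serial address, DCR2 dialer address
crypto isakmp key EXAMPLE-KEY-DCR1 address 203.0.113.1
crypto isakmp key EXAMPLE-KEY-DCR2 address 203.0.113.2
!
crypto ipsec transform-set TS-AES-SHA esp-aes esp-sha-hmac
!
! Traffic protected end-to-end from the Branch LAN to the DC LAN
ip access-list extended BRANCH-TO-DC
 permit ip 192.168.10.0 0.0.0.255 10.0.0.0 0.0.0.255
!
crypto map BRANCH-MAP 10 ipsec-isakmp
 ! Peers are tried in the order configured: DCR1 first, then DCR2.
 set peer 203.0.113.1
 set peer 203.0.113.2
 set transform-set TS-AES-SHA
 match address BRANCH-TO-DC
!
! The crypto map stays on the outgoing leased-line interface; failover
! between peers happens inside IKE, not by re-applying the map.
interface Serial0/0
 ip address 198.51.100.2 255.255.255.252
 crypto map BRANCH-MAP
```

To check which peer is currently in use after the AP's leased line drops, `show crypto isakmp sa` lists the IKE SA per peer address and `show crypto ipsec sa` shows the active peer and packet counters for the crypto map; `debug crypto isakmp` shows the keepalive timeouts and the switch to the second peer. The second peer's dialer address must still be reachable over the AP's ISDN path once the leased line is down, which the post says the routing already provides.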



