VPN and HSRP interesting problem

Unanswered Question
Feb 15th, 2009


I am facing a quite interesting problem with VPN and HSRP.

Attached you can find a draft topology of the scenario.

Every office has two routers: Main and secondary. All routers have fixed IP address.

The Central Site main router has a VPN Site-to-Site connection with the main routers of the Branch offices. The idea is to have Secondary routers VPN set, by the time they become active in their HSRP domain.

HSRP is being used on all sites. At all sites, the object tracked (VPN Network) is being used to decrement the HSRP values and change it to the secondary router.

At the Central Site, Reverse Route Injection is being used to inject the VPN route into the OSPF domain, so the firewall can route correctly to the branch offices, in case the secondary router becomes active in HSRP.

The problem:

At the remote site, I am tracking the reachability of the VPN Network at the routing table, so if the main router does not have this route, it decrements by 10 its priority and in theory the secondary router becomes active. And here resides my problem for the following reasons:

- if I decrement by 10 (default), the secondary router will also be tracking the VPN Network reachability and since its VPN will not be up, it will have the same priority of the main router (90) at the time of the VPN of the main router fails. The main router has the highest IP address and will be active always and the secondary router wont preempt and the VPN will not be set using the secondary router.

- if I use other values greater than the default, the secondary routers become active, however if their VPN fails at the secondary router, the main router will never become active again, because they will have a lower priority than the main router.

Any further information, please, let me know.

Any idea is deeply appreciated.

Thanks in advance,

Marcelo Pinheiro

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Ivan Martinon Mon, 02/16/2009 - 07:13

Hi Marcelo,

Perhaps tracking the vpn reachability is not a very good idea this due to the fact that your vpn going down could be caused by the fact that the remote peer(s) are not answering back to you in which case you will be causing the hsrp routers to get confused. I believe the best practices for hsrp and tracking is to track the point of failure of the router itself which would be the next hop ip address (ISP), the routers interfaces (links) and so on. HTH

m.pinheiro Mon, 02/16/2009 - 08:23

Hi Ivan,

Thanks for your quickly reply. I have already tried monitoring the ISP IP or the router interface. The problem is: If I track any other object, I would never get to know if the remote peer (either the central or remote site) is up and the traffic flow will end up going one way (main router) and coming back through the secondary router. I thought about tracking the VPN Route, because DPD is enabled on both routers and they all will get to know that it is time to switch to the secondary router.

Is there any other way to associate the VPN status with HSRP?

Thank you once more.


This Discussion