Stateful VPN + Cisco VPN Client

ccs_jet_user
Level 1

Hello!

I have trouble with a stateful VPN configuration and the Cisco VPN Client.

My configuration is in the attachment. Please check it.

So everything seems OK, but when I make a Cisco VPN Client connection to the standby IP address I see:

cisco3825_1#show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id status

172.16.4.209 192.40.40.100 QM_IDLE 1001 ACTIVE

IPv6 Crypto ISAKMP SA

cisco3825_1#

cisco3825_1#show standby brief

P indicates configured to preempt.

|

Interface Grp Pri P State Active Standby Virtual IP

Fa0/0 1 100 P Active local 10.40.40.3 10.40.40.5

Fa0/1 1 100 P Active local 172.16.4.219 172.16.4.209

But I don't see a STBY ISAKMP connection on the backup device!

cisco3825_2#show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id status

IPv6 Crypto ISAKMP SA

Other output:

From backup device:

cisco3825_2#show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id status

IPv6 Crypto ISAKMP SA

cisco3825_2#show crypto session

Crypto session current status

Interface: FastEthernet0/1

Session status: UP-NO-IKE-STANDBY

Peer: 192.40.40.100 port 2726

IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.40.45.2

Active SAs: 4, origin: dynamic crypto map

cisco3825_2#show redundancy inter-device

Redundancy inter-device state: RF_INTERDEV_STATE_STDBY

Scheme: Standby

Groupname: DMZ Group State: Standby

Peer present: RF_INTERDEV_PEER_COMM

Security: Not configured

cisco3825_2#show redundancy states

my state = 8 -STANDBY HOT

peer state = 13 -ACTIVE

Mode = Duplex

Unit ID = 0

Maintenance Mode = Disabled

Manual Swact = Enabled

Communications = Up

client count = 12

client_notification_TMR = 30000 milliseconds

RF debug mask = 0x0

From active device:

cisco3825_1#show standby brief

P indicates configured to preempt.

|

Interface Grp Pri P State Active Standby Virtual IP

Fa0/0 1 100 P Active local 10.40.40.3 10.40.40.5

Fa0/1 1 100 P Active local 172.16.4.219 172.16.4.209

cisco3825_1#show crypto isakmp sa

IPv4 Crypto ISAKMP SA

dst src state conn-id status

172.16.4.209 192.40.40.100 QM_IDLE 1001 ACTIVE

IPv6 Crypto ISAKMP SA

cisco3825_1#show redundancy inter-device

Redundancy inter-device state: RF_INTERDEV_STATE_ACT

Scheme: Standby

Groupname: DMZ Group State: Active

Peer present: RF_INTERDEV_PEER_COMM

Security: Not configured

cisco3825_1#show redundancy states

my state = 13 -ACTIVE

peer state = 8 -STANDBY HOT

Mode = Duplex

Unit ID = 0

Maintenance Mode = Disabled

Manual Swact = Enabled

Communications = Up

client count = 12

client_notification_TMR = 30000 milliseconds

RF debug mask = 0x0

cisco3825_1#show crypto session

Crypto session current status

Interface: FastEthernet0/1

Group: vpn

Assigned address: 10.40.45.2

Session status: UP-ACTIVE

Peer: 192.40.40.100 port 2726

IKE SA: local 172.16.4.209/500 remote 192.40.40.100/2726 Active

IPSEC FLOW: permit ip 0.0.0.0/0.0.0.0 host 10.40.45.2

Active SAs: 4, origin: dynamic crypto map

Could you please check whether it is OK that we have no ISAKMP connection on the standby device? Is our configuration correct?

Thanks,

Egor.


ccs_jet_user
Level 1

Config.txt