EasyVPN Failover

Unanswered Question
Sep 10th, 2010

I am setting up EasyVPN with multiple branches to 2 headends. One headend as primary and the other as secondary. In the branch router I am using DPD for failover. Is there a way to control the fail back timer or to fail back manually?

Here is the scenario:

After failover, when I have continuous traffic going towards the secondary, the branch will not fail back. Once the traffic stops it will fail back. With over 100 branches it is very hard for me to manage. Plus I want to fail back outside working hours.

crypto ipsec client ezvpn EZVPN-Remote
connect auto
group easyvpn-group key EzVPNkey
mode network-extension
peer 159.208.33.113 default
peer 192.26.212.114
username ccsiadmin password W0rkfr0MH0m3
xauth userid mode local

Thanks for your input.

Lei Tian Sat, 09/11/2010 - 04:11

Hi Joe,

I am afraid the behavior you have experienced is expected. If you want dynamic failover and switch back, you can consider using a routing protocol on top of the VPN.

Regards,

Lei Tian

joe.ho Mon, 09/13/2010 - 15:01

Thanks for the response. Do you know what the default DPD timer for the failover is?

I couldn't find that in the documentation. Is there a chance it is based on the IPSec rekey time?

Lei Tian Tue, 09/14/2010 - 03:53

Hi Joe,

DPD is used to check peer liveness and to remove the ISAKMP SA for a dead peer. There is no default timer; it uses the timer configured by 'crypto isakmp keepalive'.

The switchback to the primary peer happens when the current peer has been idle for some time. This timer is configured by 'set security-association idle-time', and there is no default value.

HTH,

Lei Tian

Ankur Bajaj Tue, 09/14/2010 - 05:29

The failover in this scenario is either that hub 1 goes down and the client connects to hub 2,

or that the primary_wan interface goes down and the connection then goes to the sec_wan interface. In either case keepalives and the idle timer will not kick off a new SA, as you need routing; in this case you might want to configure IP SLA monitoring to track the static routes.

Keepalives will clear the stale SAs.

Cheers

joe.ho Tue, 09/14/2010 - 08:10

Hey, it's not working. On the head-end I have configured "crypto isakmp keepalive 20 periodic"; on the branch I have the same config. Once I kill the outside interface of the head-end it will not fail over to the backup head-end.

Also, after I shut down the interface of the head-end you can still see the ISAKMP SA ACTIVE on the head-end to the branch site, and on the branch site you can still see the ISAKMP SA active to the head-end even though the head-end interface is shut down. This is EasyVPN, to clarify.

Lei Tian Tue, 09/14/2010 - 08:19

Hi Joe,

When you shutdown the easyvpn server's interface, do you still have reachability to the peer IP from remote? Do you have active traffic from remote to server?

Regards,

Lei Tian

joe.ho Tue, 09/14/2010 - 08:23

No access to the peer IP from remote; yes, we do have active traffic from remote to server. We're trying to simulate the live environment. There is an IP phone and a thin client at the remote end which would be creating the traffic (and management traffic).

Lei Tian Tue, 09/14/2010 - 08:27

That doesn't sound like the right behavior.

Can you post the configuration of one of the remotes and the configuration of the server? What IOS versions are running on them?

Regards,

Lei Tian

joe.ho Tue, 09/14/2010 - 08:45

Branch config running IOS c880data-universalk9-mz.124-20.T3.bin

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime localtime
no service password-encryption
!
hostname Branch_Lab
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 4096
no logging console
enable secret 5 $1$OFnN$.WaaLmnE0H22TZa44RtwG/
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-1655380819
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-1655380819
revocation-check none
rsakeypair TP-self-signed-1655380819
!
!
crypto pki certificate chain TP-self-signed-1655380819
ip source-route
!
!
ip dhcp excluded-address 10.214.0.1
ip dhcp excluded-address 10.214.0.2
ip dhcp excluded-address 10.214.0.3
ip dhcp excluded-address 10.214.8.1
ip dhcp excluded-address 10.214.8.2
ip dhcp excluded-address 10.214.8.3
!
ip dhcp pool REMOTE_LOCAL_POOL
   network 10.214.8.0 255.255.255.248
   default-router 10.214.8.1
   dns-server x.x.x.x x.x.x.x
   option 161 ascii x.x.x.x
   option 162 ascii /
   lease 33
!
ip cef
no ip domain lookup
ip domain name x.x.x.x
!
no ipv6 cef
!
multilink bundle-name authenticated
!
!

!
crypto isakmp keepalive 20 periodic
!
crypto ipsec security-association idle-time 60
!
!
!
!
crypto ipsec client ezvpn EZVPN-Remote
connect auto
group easyvpn-group key EzVPNkey
mode network-extension
peer x.x.x.x default
peer x.x.x.x
username XXXX password XXXX
xauth userid mode local
!
!
archive
log config
  hidekeys
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
ip address x.x.x.x 255.255.255.248
ip access-group Internet_R3_In in
ip access-group Internet_R3_Out out
no ip redirects
no ip proxy-arp
speed 100
full-duplex
crypto ipsec client ezvpn EZVPN-Remote
!
interface Vlan1
description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
ip address 10.214.8.1 255.255.255.248
no ip redirects
no ip proxy-arp
ip tcp adjust-mss 1452
no autostate
crypto ipsec client ezvpn EZVPN-Remote inside
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 x.x.x.x
no ip http server
no ip http secure-server
!
!
!
ip access-list extended Internet_In
permit udp any eq bootps any eq bootpc
permit tcp any any eq 22
permit esp host x.x.x.x any
permit udp host x.x.x.x any eq isakmp
permit esp host x.x.x.x any
permit udp host x.x.x.x any eq isakmp
deny   ip any any log
ip access-list extended Internet_Out
permit esp any host x.x.x.x
permit udp any host x.x.x.x eq isakmp
permit esp any host x.x.x.x
permit udp any host x.x.x.x eq isakmp
deny   ip any any log
ip access-list extended Internet_R3_In
permit udp any eq bootps any eq bootpc
permit tcp any any eq 22
permit esp host x.x.x.x any
permit udp host x.x.x.x any eq isakmp
permit esp host x.x.x.x any
permit udp host x.x.x.x any eq isakmp
deny   ip any any log
ip access-list extended Internet_R3_Out
permit esp any host x.x.x.x
permit udp any host x.x.x.x eq isakmp
permit esp any host x.x.x.x
permit udp any host x.x.x.x eq isakmp
ip access-list extended port4000
permit udp any any eq 4000 log
permit tcp any any eq 3389 log
permit udp any any eq 3471 log
permit udp any any eq 9427 log
permit udp any any eq 17185 log
permit udp any any eq 6901 log
permit ip any any
!
logging trap notifications
logging source-interface Vlan1
logging x.x.x.x
access-list 10 permit x.x.x.x 0.0.0.255
access-list 20 permit x.x.x.x
snmp-server community x.x.x.x RO
snmp-server community x.x.x.x RW
snmp-server community x.x.x.x RO 10
snmp-server community x.x.x.x RW 20
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps envmon
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps cpu threshold
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server host x.x.x.x  snmp
snmp-server host x.x.x.x  config
snmp-server host x.x.x.x  snmp
snmp-server host x.x.x.x  snmp
snmp-server host x.x.x.x  snmp
snmp-server host x.x.x.x  snmp
no cdp run

!
!
!
!
!
control-plane
!
!
line con 0
logging synchronous
login local
no modem enable
line aux 0
line vty 0 4
privilege level 15
login local
transport input ssh
!
scheduler max-task-time 5000
end

Head-end config using IOS: c3845-advipservicesk9-mz.124-15.T14.bin

version 12.4
service timestamps debug datetime msec
service timestamps log datetime localtime
service password-encryption
!
hostname

!
boot-start-marker
boot system flash:c3845-advipservicesk9-mz.124-15.T14.bin
boot-end-marker
!
logging buffered 50000
!
aaa new-model
!
!
aaa authentication login EASYVPN_xauth local
aaa authorization network EasyVPN_author local
!
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-3558073547
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3558073547
revocation-check none
rsakeypair TP-self-signed-3558073547
!
!
dot11 syslog
!
!
ip cef
!
!
no ip domain lookup
ip domain name x.x.x.x
ip inspect log drop-pkt
!
multilink bundle-name authenticated
!
voice-card 0
no dspfarm
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
username x.x.x.x
!
!
crypto isakmp policy 2
encr aes
authentication pre-share
group 2
crypto isakmp key userx address x.x.x.x
crypto isakmp key userx address x.x.x.x
crypto isakmp key userx address x.x.x.x
crypto isakmp keepalive 20 periodic
!
crypto isakmp client configuration group easyvpn-group
key EzVPNkey
dns x.x.x.x x.x.x.x
domain x.x.x.x
acl Tunnel-Traffic
save-password
crypto isakmp profile IKE-PROFILE
   description PSK group
   match identity group easyvpn-group
   client authentication list EASYVPN_xauth
   isakmp authorization list EasyVPN_author
   client configuration address respond
   client configuration group easyvpn-group
   virtual-template 1
!
crypto ipsec security-association idle-time 60
!
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
!
crypto ipsec profile IPSEC-PROFILE
set transform-set ESP-AES-128-SHA
set isakmp-profile IKE-PROFILE
!
!
crypto map SunLife-MAP 1 ipsec-isakmp
set peer x.x.x.x
set transform-set ESP-AES-128-SHA
match address 100
crypto map SunLife-MAP 2 ipsec-isakmp
set peer x.x.x.x
set transform-set ESP-AES-128-SHA
match address 101
crypto map SunLife-MAP 3 ipsec-isakmp
set peer x.x.x.x
set transform-set ESP-AES-128-SHA
match address 102
!
archive
log config
  hidekeys
!
!
!
class-map match-any voice_out
match  dscp ef
!
!
policy-map WFH_Traffic
description Prioritize VoIP over VDI Traffic
class voice_out
  priority 100
class class-default
  fair-queue
  random-detect dscp-based
  random-detect dscp 0   15    40  
  random-detect dscp 2   12    40  
  random-detect dscp 4   10    40  
  random-detect dscp 6   8     40  
  random-detect dscp 10   20    40  
policy-map SHAPE
class class-default
  shape average 1500000
  service-policy WFH_Traffic
!
!
!
!
!
interface GigabitEthernet0/0
description OUTSIDE
ip address x.x.x.x 255.255.255.0
ip access-group Internet_In in
ip access-group Internet_Out out
no ip redirects
no ip proxy-arp
duplex full
speed 100
media-type rj45
crypto map SunLife-MAP
!
interface GigabitEthernet0/1
description $ES_LAN$
ip address x.x.x.x 255.255.255.0
no ip redirects
no ip proxy-arp
ip flow ingress
ip flow egress
duplex full
speed 100
media-type rj45
!
interface Virtual-Template1 type tunnel
description EasyVPN For PSK Users
ip unnumbered GigabitEthernet0/0
tunnel source GigabitEthernet0/0
tunnel mode ipsec ipv4
tunnel protection ipsec profile IPSEC-PROFILE
service-policy output SHAPE
!
router bgp 64534
no synchronization
bgp log-neighbor-changes
network x.x.x.x mask 255.255.255.248
neighbor x.x.x.x remote-as 65005
neighbor x.x.x.x update-source GigabitEthernet0/1
neighbor x.x.x.x version 4
neighbor x.x.x.x next-hop-self
no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 10.65.0.0 255.255.0.0 x.x.x.x
ip route 10.68.0.0 255.255.0.0 x.x.x.x
ip route x.x.x.x 255.255.255.0 x.x.x.x
!
ip flow-top-talkers
top 20
sort-by bytes
!
no ip http server
no ip http secure-server
!
ip access-list extended Internet_In
permit icmp host x.x.x.x host x.x.x.x
permit icmp host x.x.x.x host x.x.x.x
permit tcp any host x.x.x.x eq 22
permit esp any host x.x.x.x
permit udp any host x.x.x.x eq isakmp
ip access-list extended Internet_Out
permit esp host x.x.x.x any
permit udp host x.x.x.x any eq isakmp
ip access-list extended Tunnel-Traffic
permit ip any 10.214.0.0 0.0.255.255
!
logging source-interface GigabitEthernet0/1
logging x.x.x.x
access-list 10 permit x.x.x.x 0.0.0.255
access-list 10 permit x.x.x.x 0.0.0.255
access-list 10 permit x.x.x.x 0.0.0.255
access-list 10 permit x.x.x.x 0.0.0.255
access-list 20 permit x.x.x.x
access-list 100 permit ip 10.214.8.0 0.0.7.255 x.x.x.x 0.0.0.255
access-list 100 permit ip host x.x.x.x x.x.x.x 0.0.0.255
access-list 101 permit ip 10.214.0.0 0.0.255.255 x.x.x.x 0.0.0.255
access-list 101 permit ip host x.x.x.x x.x.x.x 0.0.0.255
access-list 102 permit ip 10.214.0.0 0.0.255.255 x.x.x.x 0.0.0.255
access-list 102 permit ip host x.x.x.x x.x.x.x 0.0.0.255
snmp-server community x.x.x.x RW
snmp-server community x.x.x.x RO
snmp-server community x.x.x.x RO 10
snmp-server community x.x.x.x RW 20
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps flash insertion removal
snmp-server enable traps envmon
snmp-server enable traps memory bufferpeak
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps cpu threshold
snmp-server enable traps l2tun session
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server host x.x.x.x  snmp
snmp-server host x.x.x.x  config
snmp-server host x.x.x.x  snmp
snmp-server host x.x.x.x  snmp
snmp-server host x.x.x.x  snmp
snmp-server host x.x.x.x  snmp
snmp-server host x.x.x.x  snmp
snmp-server host x.x.x.x  snmp
!
!
!
!
!
!
control-plane
!
!
!
!
!
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
access-class 10 in
privilege level 15
logging synchronous
transport input ssh
!
scheduler allocate 20000 1000
!
end

Lei Tian Tue, 09/14/2010 - 12:55

Hi,

I didn't see any known software defect that matches your case.

One thing you can try is to remove 'crypto ipsec security-association idle-time 60' from the config, and see if that makes any difference.

HTH,

Lei Tian

joe.ho Tue, 09/14/2010 - 13:03

Thanks everyone for your help. We configured the head-end with "set security-association lifetime seconds 120" in the IPsec profile and "keepalive 20 retry 2" in the ISAKMP profile, so the branch would have this pushed down to its profile. To stop the automatic fail back and to have a controlled fail-back later, we configured the "idletime" on the branch site. It seems to be working perfectly after multiple tests.
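A small audit script that applies Lei Tian's explanation of the two timers (DPD keepalive for detecting a dead peer, idle-time for switching back) and the keepalive/idle-time settings from the final post to a pasted IOS config. It is an added example, not code from this thread or from Cisco; it assumes the IOS defaults of a 2-second DPD retry interval and on-demand mode when none is given, plus a 5-retransmit dead-peer threshold (all marked in the code), and the embedded config lines are constructed from the branch config posted above with RFC 5737 placeholder addresses.

```python
import re

# Constructed sample: the failover-relevant lines of the branch config posted in
# this thread, with placeholder peer addresses instead of the redacted x.x.x.x.
SAMPLE_BRANCH_CONFIG = """\
crypto isakmp keepalive 20 periodic
crypto ipsec security-association idle-time 60
crypto ipsec client ezvpn EZVPN-Remote
 connect auto
 mode network-extension
 peer 192.0.2.1 default
 peer 198.51.100.1
"""

KEEPALIVE_RE = re.compile(r"^crypto isakmp keepalive (\d+)(?: (\d+))?(?: (periodic|on-demand))?$", re.M)
IDLE_RE = re.compile(r"^crypto ipsec security-association idle-time (\d+)$", re.M)
PEER_RE = re.compile(r"^\s*peer (\S+)( default)?$", re.M)

DPD_RETRANSMITS = 5  # assumption: IOS declares the peer dead after 5 unanswered retries

def audit_ezvpn_failover(config: str) -> dict:
    """Summarise what a running-config implies for EasyVPN failover and fall-back."""
    report = {"dpd": None, "detect_seconds": None, "idle_time": None,
              "default_peer": None, "backup_peers": [], "findings": []}
    m = KEEPALIVE_RE.search(config)
    if m:
        interval = int(m.group(1))
        retry = int(m.group(2)) if m.group(2) else 2  # IOS default retry interval (assumed)
        mode = m.group(3) or "on-demand"               # IOS default mode (assumed)
        report["dpd"] = {"interval": interval, "retry": retry, "mode": mode}
        # Worst case: a full interval elapses, then every retry goes unanswered.
        report["detect_seconds"] = interval + retry * DPD_RETRANSMITS
        if mode != "periodic":
            report["findings"].append("on-demand DPD only probes when the branch has traffic to send; "
                                      "an idle tunnel to a dead head-end is never torn down")
    else:
        report["findings"].append("no 'crypto isakmp keepalive': a dead head-end is only noticed at rekey")
    m = IDLE_RE.search(config)
    if m:
        report["idle_time"] = int(m.group(1))
        report["findings"].append(f"idle-time {report['idle_time']}s: SA is cleared and the branch "
                                  "returns to the default peer as soon as traffic stops")
    else:
        report["findings"].append("no idle-time: the branch stays on the backup peer until cleared manually")
    for addr, is_default in PEER_RE.findall(config):
        if is_default:
            report["default_peer"] = addr
        else:
            report["backup_peers"].append(addr)
    if report["default_peer"] is None:
        report["findings"].append("no 'peer ... default': no primary head-end is preferred on fall-back")
    return report
```

Running it on the sample reports a worst-case detection time of 30 seconds (20 s interval plus five 2-second retries) and flags the 60-second idle-time as the reason the branch falls back as soon as traffic stops.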
