VPN with HSRP and SSO

Unanswered Question
Apr 30th, 2012
User Badges:


I'm trying to configure VPN with HA using HSRP & SSO and everyting works fine but I have some doubts.

                            (     R1    (\

                           /                                                           \

R4( VIP (           VIP (  -----( R3

                           \                                                          /

                             (    R2    (

I ping R4 from R3 and and trafic goes through R1 (with higher HSRP priority) and if I shutdown interface on R1 I have to wait 2-4 minutes till the tunnel up between R2<->R3. Meantime I see messages on R2 (~10x) :

*Apr 30 22:09:35.071: %CRYPTO-4-IKMP_NO_SA: IKE message from has no SA and is not an initialization offer

I thought that SSO functionality keeps the information about the neighboor tunnel and can take the role very fast.

My question: is it OK that the process takes couple of minutes or can be something wrong with my SSO configuration ?

redundancy inter-device

scheme standby HA-out






ipc zone default

association 1

  no shutdown

  protocol sctp

   local-port 5000

    path-retransmit 10

    assoc-retransmit 10

   remote-port 5000


Thank you for any advice


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)


This Discussion