I'm trying to configure VPN with HA using HSRP & SSO and everyting works fine but I have some doubts.
(192.168.0.1) R1 (10.0.0.1)------------\
R4(192.168.0.4)--- VIP (192.168.0.10) VIP (10.0.0.10) -----(10.0.0.3) R3
(192.168.0.2) R2 (10.0.0.2)-----------/
I ping R4 from R3 and and trafic goes through R1 (with higher HSRP priority) and if I shutdown interface on R1 I have to wait 2-4 minutes till the tunnel up between R2<->R3. Meantime I see messages on R2 (~10x) :
*Apr 30 22:09:35.071: %CRYPTO-4-IKMP_NO_SA: IKE message from 10.0.0.3 has no SA and is not an initialization offer
I thought that SSO functionality keeps the information about the neighboor tunnel and can take the role very fast.
My question: is it OK that the process takes couple of minutes or can be something wrong with my SSO configuration ?
scheme standby HA-out
ipc zone default
Thank you for any advice