IPsec failover without losing session

Oct 7th, 2002

Hi all,

I've heard that it was possible to perform IPsec failover without losing sessions with IOS/IPsec routers, a tunnel and a routing protocol.

How does it work?

Do I need HSRP on the inside and outside?

How can I detect if the IPsec tunnel on router 1 is down, and force the second one to become the active router?

A sample config or link would be useful.


gfullage (Cisco Employee) Mon, 10/07/2002 - 22:30

Stateful failover of IPSec is not available as yet in IOS, although they are talking about it. The best you can do at the moment is point your IPSec router to an HSRP address at the head-end, and then use the following:


Note the "crypto map redundancy" option on the interface.

mjbriggs Thu, 11/07/2002 - 09:52

Hi,

Just setting this up myself! The only IOS that supports HSRP and VPN tunnels is, I believe, 12.2-8.T5, but this will NOT permit stateful tracking of the IPSEC tunnel, so if the HSRP group changes you will lose all current sessions. Try looking for IPsec VPN High Availability Enhancements under ver 12.2, but unless this feature is migrated to other IOS releases I would suspect some other form of HSRP/VPN offering is on the way. This feature permits tracking of a crypto map to an HSRP name and sends keepalives to ensure tunnels are torn down and re-established on the new HSRP master.

Good luck!
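The setup both replies describe (remote peer pointed at the head-end HSRP address, crypto map bound to the HSRP group name, ISAKMP keepalives to detect a dead peer), as an added configuration example that is not part of the original thread or Cisco's own sample. The addresses (RFC 5737 documentation ranges plus private LANs), the names VPNMAP, VPNHA, TS and REMOTE, ACL 101, the interface names and the key placeholder are all constructed assumptions; failover here is stateless, so tunnels are re-negotiated with the new active router.

```cisco
! ---- Head-end router 1 (router 2: same config, its own interface IP,
! ---- lower standby priority). All values are constructed placeholders.
crypto isakmp key <PRE-SHARED-KEY> address 198.51.100.10
! Keepalives let each side notice a dead peer and tear down stale SAs
crypto isakmp keepalive 10 3
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set TS
 match address 101
 ! Inject a route for the remote LAN only while this router holds the SA
 reverse-route
!
interface FastEthernet0/0
 description Outside, shared segment with head-end router 2
 ip address 192.0.2.2 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 name VPNHA
 ! Give up the active role if the inside interface goes down
 standby 1 track FastEthernet0/1
 ! Tie the crypto map to the HSRP group: IKE/IPsec is sourced from the
 ! virtual IP and SAs are cleared when this router leaves the active state
 crypto map VPNMAP redundancy VPNHA
!
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
! ---- Remote router: peers with the HSRP virtual IP, never a physical IP
crypto isakmp key <PRE-SHARED-KEY> address 192.0.2.1
crypto isakmp keepalive 10 3
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto map REMOTE 10 ipsec-isakmp
 set peer 192.0.2.1
 set transform-set TS
 match address 101
!
access-list 101 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
```

After a failover test, `show standby` and `show crypto isakmp sa` on both head-end routers confirm which one is active and that the old SAs were removed.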


