Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

HSRP Track VPN

Hey guys,

I have two 6500's with FWSM's. The 6500's have a VPN connection from each to a PIX for VPN between two sites.

The route out of the FWSM is the HSRP of the two 6500's so while both connections are up there's no problem. However, if one VPN connection goes down then although the other one is there it isn't used because the traffic is still sent to the other switch. The problem is that sometimes the VPN connection goes but the actual interface is still up.

Is there any way for me to get HSRP to track the VPN connection or a better way of doing things?

Cheers,

Anthony

19 REPLIES
Hall of Fame Super Blue

Re: HSRP Track VPN

Anthony

It's not entirely clear what your topology is ie.

you have an FWSM in each 6500. The outside interfaces of the FWSM's share a vlan with the 6500 and there are L3 SVI's for this vlan on teh MSFC. You have static routes ??, pointing to the HSRP VIP on the FWSMs.

Are the FWSMs running in active/standby or active/active ?

After that its a bit unclear.

"The 6500's have a VPN connection from each to a PIX for VPN between two sites."

Do you mean the 6500 switches have VPN cards or does the VPN start at the pix ?

"The route out of the FWSM is the HSRP of the two 6500's so while both connections are up there's no problem. However, if one VPN connection goes down ..."

So are you running 2 VPN connections at the same time and if so how do you ensure return traffic always comes back down the same tunnel.

If you are running 2 VPN connections are the pix firewalls active/active ?

Jon

New Member

Re: HSRP Track VPN

Hey Jon,

Thanks for the reply.

You're pretty much right, two FWSM's, one in each 6500 running active/standby. They have a static route to the HSRP of the outside VLAN from FWSM to 6500.

The 6500's don't have VPN cards. Each 6500 has it's own VPN connection from their 'Internet' interface.

The PIX is active/standby too, so both 6500's connect to the same PIX in effect.

I think my issue here really is how I get the traffic to return the right way if one of the tunnels disappears.

Could I use PBR to check the tunnel and make a decision based on that somehow?

Thanks for the help!

Anthony

Hall of Fame Super Blue

Re: HSRP Track VPN

Anthony

PBR together with IP SLA was indeed going to be my suggestion if it fitted in with your topology.

Apologies for being a but thick ! but you say -

"The 6500's don't have VPN cards. Each 6500 has it's own VPN connection from their 'Internet' interface."

My understanding what that without additional cards the 6500 switches will not support VPNs so i am a bit confused.

Jon

New Member

Re: HSRP Track VPN

Hey Jon,

Firstly, I've read many of your answers on here and you're far from 'thick'!!

What's IP SLA? And how would you suggest getting PBR to work out if the VPN connection is up or not?

I'm using the 6500 to run IPSEC VPN? I have an interface on each Supervisor that's connected to the internet (two different ISP's, not BGP'd) and the tunnel terminates on each - does that make sense?

I did this because the FWSM's don't support VPN's...

Cheers!

Hall of Fame Super Blue

Re: HSRP Track VPN

Anthony

Okay, i don't think we need PBR just IP SLA and HSRP track. Here's an example of how this would work -

6500 HSRP active switch

ip sla monitor 1

type echo protocol ipIcmpEcho

ip sla monitor schedule 1 life forever start-time now

track 10 rtr 1 reachability

int vlan 10

ip address 192.168.5.2 255.255.255.0

standby ip 10 192.168.5.1

standby ip 10 pri 110

standby ip 10 preempt

standby 10 track 10 decrement 20

6500 HSRP standby switch

int vlan 10

ip address 192.168.5.3 255.255.255.0

standby 10 ip 192.168.5.1

standby 10 priority 100

standby 10 preempt <-- very important you include this

So what the above will do is the HSRP active switch will ping an IP address at far end of the VPN tunnel. If that ip address responds within the specified timeout fine. If it doesn't the switch will take 20 off the priority making it's HSRP priority 90. This is less than the standby switches priority and so the standby switch takes over the HSRP duties.

Note that you will need to modify the timeout for the ping as it is going down a VPN tunnel. Do some ping tests to gt an idea of the sort of timeout you need.

One other thing. Depending on your 6500 IOS it may either be "ip sla ..." commands or the previous version "ip rtr ..." commands.

Does this sound like a workable solution ?

Jon

New Member

Re: HSRP Track VPN

Hey Jon,

It all looks good for a final setup but unfortunately I don't have RIPE addresses yet and no BGP so if I just fail the HSRP of that 'outside FWSM' VLAN accross then although the VPN traffic will be fine all other traffic will fail because it will be going out as the wrong IP address.

Is there a way for PBR to use IP SLA to check the far end and then route accordingly? So PBR on switch one sees it's tunnel is down so routes to switch 2 but all other non-vpn traffic would continue to use switch 1?

Your solution will work if the ISP's don't care about the source address as the route back will still be up, so I need to check that out.

Thanks again,

Anthony

Hall of Fame Super Blue

Re: HSRP Track VPN

Anthony

"Is there a way for PBR to use IP SLA to check the far end and then route accordingly? So PBR on switch one sees it's tunnel is down so routes to switch 2 but all other non-vpn traffic would continue to use switch 1?"

Yes, as long as you can define the vpn traffic as opposed to the non-VPN traffic.

Do the VPN and non-VPN traffic both come from behind the FWSM ?

I have a PBR/IP SLA lab setup on my laptop somewhere !!, so i'll try and dig it out.

I'm assuming that if we redirect VPN traffic to switch 2 it will then have routes that send the traffic over the VPN tunnel ie. it won't send it back to switch 1.

Jon

New Member

Re: HSRP Track VPN

Sounds like you might be onto something Jon!

Everything does come from behind the FWSM but it doesn't NAT the traffic that goes via the VPN so it's easy to differentiate. So, in this case anything destined for 10.1.0.0 goes via VPN, anything else goes out via the internet.

Switch two has the same access-list for VPN so will know to send that same traffic to the VPN tunnel if it arrives there.

I look forward to the configuration!!

Cheers,

Anthony

Hall of Fame Super Blue

Re: HSRP Track VPN

Anthony

Okay, that took a bit longer than i thought !, couldn't find lab so i created a new one.

For this example

HSRP active 6500 = CS1

HSRP standby 6500 = CS2

remote IP to ping - 192.168.5.10

CS1 next hop for all traffic + VPN traffic if 192.168.5.10 responds to a ping = 10.6.1.1

CS1/FWSM shared vlan IP = 10.5.1.2 - VIP 10.5.1.1

CS2/FWSM shared vlan IP = 10.5.1.3 - VIP 10.5.1.1

CS1 config

ip sla monitor 1

type echo protocol IcmpEcho 192.168.5.10

ip sla monitor schedule 1 life forever start-time now

ip sla monitor 2

type echo protocol IcmpEcho 10.5.1.3

ip sla monitor schedule 2 life forever start-time now

track 1 rtr 1

track 2 rtr 2

int vlan 10 (this is the shared FWSM vlan)

ip policy route-map PBR

access-list 101 permit ip any 10.1.0.0 0.0.0.255

route-map PBR permit 10

match ip address 101

set ip next-hop verify-availability 10.6.1.1 10 track 1

set ip next-hop verify-availability 10.5.1.3 20 track 2

What this does -

CS1 pings 192.168.5.10. As long as it is up then traffic for both the VPN and normal traffic is sent to 10.6.1.1.

If 192.168.5.10 stops responding then all traffic destined for 10.1.0.0 is sent to 10.5.1.3 instead where 10.5.1.3 is CS2. CS2 should then send the traffic via VPN.

Normal traffic is not affected and is still sent via 10.6.1.1

Now it worked in the lab but you would definitely want to either test this yourself or if you don't have the kit, implement out of hours and test. The PBR and IP SLA stuff works fine but i'm not entirely sure how the VPN will react. I didn't test with VPNs as i was using dynamips and my IOS doesn't have the IPSEC feature.

Hopefully the above makes sense. You may need to tweak it to fit your environment.

Let me know how you get on.

Jon

New Member

Re: HSRP Track VPN

Hey Jon,

Thanks for that. I do have a test environment so will put it together and give it a go.

Will let you know how it goes.

Thanks for all the help!

Anthony

New Member

Re: HSRP Track VPN

Hey Jon,

I'm really struggling to find an image that has both IPSec and the IP SLA functions. I'm looking at the list of features and it's saying it should have both (I can see a feature group called IP SLAs is that right?) but when I load it up I can only do the IPSec stuff. Wierd.

Do you have any ideas?

Cheers,

Anthony

Hall of Fame Super Blue

Re: HSRP Track VPN

Anthony

Which IOS version are you currently using ?

Jon

New Member

Re: HSRP Track VPN

Hey,

I'm currently on:

IOS (tm) s72033_rp Software (s72033_rp-IPSERVICESK9-M), Version 12.2(18)SXF9

(s72033-ipservicesk9-mz.122-18.SXF9.bin)

I've also tried:

IOS (tm) s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(18)SXF17, RELEASE SOFTWARE (fc1)

(s72033-adventerprisek9_wan-mz.122-18.SXF17.bin)

Anthony

Hall of Fame Super Blue

Re: HSRP Track VPN

Anthony

Yes, according to feature navigator it should support IP SLA - what command are you trying to enter and what are you seeing ?

Jon

New Member

Re: HSRP Track VPN

Hey,

From your mail I figured the command was a global one so I've been trying the following and this is what I see:

testsw1(config)#ip s?

sap scp security slb source

source-route ssh sticky-arp subnet-zero

Am I missing something?

Thanks,

Anthony

Hall of Fame Super Blue

Re: HSRP Track VPN

Anthony

Just out of interest could you post output of

testsw1(config)# ip r?

Jon

New Member

Re: HSRP Track VPN

ok, no probs:

testsw1(config)#ip r?

radius rcmd reflexive-list route rsvp

rtcp rtp

Anthony

Hall of Fame Super Blue

Re: HSRP Track VPN

Anthony

SXF supports rtr which is the predecessor of ip sla and supports most of the functionality -

http://www.cisco.com/en/US/docs/ios/ipsla/command/reference/sla_03.html#wp1023731

If you actually want to use IP SLA you need to look at 12.2SXH but then you also need to make sure SXH still supports all your other needed features.

Jon

New Member

Re: HSRP Track VPN

ok, thanks - I'll update the IOS and let you know how it goes...

Cheers for the help!

Anthony

430
Views
0
Helpful
19
Replies
CreatePlease to create content