6500 with FWSM, VPN SPA, stateful failover configuration problem
Hi all, I need to warn you that I'm kind of new to the Cisco world, and of course my introduction has been a little rough.
I've been trying to configure a pair of 6500s with FWSMs and VPN SPAs in them to work together in a stateful active/standby configuration. The kicker is that I'm also using VRF. I've attached a diagram of the architecture I'm dealing with.
If you refer to the diagram, my problems are:
- From the test PC I have in the private VLAN (VLAN 298) behind the FWSM I can ping all the interfaces on both 6500s all the way through until I reach the VPN SPA, and then I cannot ping any further. I am unable to reach my ISP's HSRP interface or any other addresses in the network behind those interfaces.
- Each 6500 is unable to ping the other's "public" addresses that are on the same subnet as my ISP's routers.
- The State Synchronization Protocol (SSP) channel is not connecting.
- A test VPN to a peer that is behind my ISP's routers is not initiating. It's not even attempting a key exchange.
If you've looked at the diagram you may be wondering about the purpose of the connection I have from gi1/2 to gi1/3. This is a crossover cable that connects the gi1/3 routed port to a gi1/2 switchport that is a member of my public VLAN (VLAN 40). Originally I had my public VLAN as the public interface on the VPN SPA. While my SSP channel did connect and both 6500s could ping each other on that VLAN interface, I was still unable to ping my ISP's routers and my VPN wasn't coming up. So I switched to using a physical interface as my public interface on the VPN SPA (gi1/3) because this is closer to the example that I based my configuration on.
I based a lot of my configuration using the VRF-Aware IPSec Chassis-to-Chassis Stateful Failover example in the Configuration Catalyst 6500 Series Switch SIP, SSC, and SPA Software Configuration Guide (page 25-208). The configurations look pretty close, and I've attached them here for your inspection.
If anyone has any ideas on where I might be going wrong I'd be eternally grateful. I have a project that is going to depend on these and my window for testing is closing pretty rapidly. And I do have a TAC call in right now, but it's been over 3 weeks without resolution. :(
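For readers landing on this thread with the same symptoms: the SSP channel and the `stateful` keyword on the crypto map both depend on a small set of pieces being in place on each chassis. Below is an added, constructed sketch of those pieces in IOS syntax; it is not the poster's attached configuration and not taken from the Cisco guide, and every name and address in it (the `HA-OUT` HSRP group, the `PUB`/`INSIDE` VRFs, the 192.0.2.0/24 and 10.255.255.0/30 addresses, the `VPN-PEER` crypto map, slot 4/0 for the VPN SPA) is an assumed placeholder. The interesting part is the dependency chain: `redundancy inter-device` binds to an HSRP group by name, the SSP transport is an SCTP association between addresses the two chassis must be able to reach each other on, and the crypto map inherits the HSRP virtual address as the IKE/IPsec peer identity. If HSRP on the public interface is not up, or the SCTP local/remote addresses are not mutually reachable, neither the SSP channel nor IKE will come up, which matches the symptoms described.

```cisco
! --- Constructed example, not the poster's config. Placeholders throughout. ---
! VRF-mode crypto on the VPN SPA (assumed slot 4/0)
crypto engine mode vrf
!
ip vrf PUB
 rd 1:1
ip vrf INSIDE
 rd 2:2
!
! Inter-chassis stateful failover: the scheme name must match the
! "standby N name" configured on the public interface below.
redundancy inter-device
 scheme standby HA-OUT
!
! SSP transport: an SCTP association between the two chassis.
! local-ip / remote-ip are on a dedicated point-to-point link
! (assumed 10.255.255.0/30); each chassis must be able to reach the
! other's address here, in the global table, before SSP will connect.
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
    local-ip 10.255.255.1
   remote-port 5000
    remote-ip 10.255.255.2
!
crypto keyring KR-PUB vrf PUB
 pre-shared-key address 198.51.100.10 key PLACEHOLDER-PSK
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
!
crypto isakmp profile PROF-PEER
 vrf INSIDE
 keyring KR-PUB
 match identity address 198.51.100.10 255.255.255.255 PUB
!
crypto ipsec transform-set TS-AES esp-aes esp-sha-hmac
!
ip access-list extended ACL-VPN
 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
!
! "redundancy HA-OUT stateful" is what ties SA state replication to
! the HSRP group; without a healthy HSRP group the map never activates.
crypto map VPN-PEER redundancy HA-OUT stateful
crypto map VPN-PEER 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set TS-AES
 set isakmp-profile PROF-PEER
 match address ACL-VPN
!
! Public (outside) routed port toward the ISP, in the public VRF.
! The HSRP virtual address is the IPsec peer address the ISP side sees.
interface GigabitEthernet1/3
 ip vrf forwarding PUB
 ip address 192.0.2.2 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 name HA-OUT
 standby 1 preempt
 crypto engine slot 4/0 outside
 crypto map VPN-PEER
!
! Inside VLAN facing the FWSM, in the inside VRF.
interface Vlan298
 ip vrf forwarding INSIDE
 ip address 10.10.0.1 255.255.255.0
 crypto engine slot 4/0 inside
!
! Dedicated inter-chassis link carrying the SCTP/SSP association.
interface GigabitEthernet1/4
 ip address 10.255.255.1 255.255.255.252
```

When checking a setup like this, `show standby brief` confirms the HSRP group named in `scheme standby` is actually Active/Standby on the public interface, `show redundancy inter-device` and `show redundancy states` show whether the SSP peer has been reached, and `show crypto isakmp sa` should list an SA whose local address is the HSRP virtual IP rather than the physical interface address. Since the poster's public interface is in a VRF, the ISP-facing pings and the IKE peer also have to be tested inside that VRF (`ping vrf PUB ...`), which is a common reason a public address appears unreachable from the chassis itself.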