the standby supervisor learns from the active supervisor all the routing information this is the meaning of stateful.
So when switchover happens the standby doesn't start from nothing but takes control of linecards and attempts to pretend to be the same device with all neighbors
"Configuration information and data structures are synchronized from the active to the redundant supervisor engine at startup and whenever changes to the active supervisor engine configuration occur. Following an initial synchronization between the two supervisor engines, SSO maintains state information between them, including forwarding information.
During switchover, system control and routing protocol execution is transferred from the active supervisor engine to the redundant supervisor engine. The switch requires between 0 and 3 seconds to switchover from the active to the redundant supervisor engine."
Anyone try IPSEC with SSO on 3925 IOS 15.2 (or 15.4) , I spent almost two weeks (follow instruction as attached whitepaper) but no luck. This is instruction is ok with cisco3725 (IOS 12.4).
But when I tried on 3925, the standby router seem to delete IPsec SA that received from HA Manager.
I've show redundancy states , show redundancy inter-device and debug result on standby router(VPN2)...as below..
VPN2#sh redundancy states Load for five secs: 1%/0%; one minute: 0%; five minutes: 0% Time source is hardware calendar, *15:54:06.591 BKK Wed Oct 22 2014 my state = 8 -STANDBY HOT peer state = 13 -ACTIVE Mode = Duplex Unit ID = 0
Maintenance Mode = Disabled Manual Swact = cannot be initiated from this the standby unit Communications = Up
SSO allows you to keep all Line Card interfaces UP/UP during the switchover so your neighbors will not bring down their routing adj because of an interface flap.
SSO is associated to NSR (Non Stop Routing) which freezes the cef table on the LC. As a reminder all the transit traffic is switched by the LC. So NSR allows a de-synchronization between the control plane and the forwarding plane during the switchover. It's important because you lost your control plane during the switchover.
The last piece is GR support of IGP/BGP and LDP so when your standby becomes active, it will request the help of its routing peers to re-build its control plane without dropping the adj
You need all those pieces to achieve 0-3s packets lost during a switchover. NSR is activated as soon as SSO is UP and Running but you need to configure GR for your routing protocols.
I configured SSO on a 3925 IOS 15.1 using a doc that wat titled Stateful Failover for IPsec. I am not using IPsec so I did not configure the IPsec part. However, my goal is maintain state information between my two routers in an active/standby pairing. The routers both are configured for NAT so the standby must maintain the state informatio present on the active router. Will SSO provide what I seek? I can not seem to find any information in SSO for 3900 ISR routers that dont include IPsec.
On those lower platform, SSO is per feature only. So SSO for IPSec can't be used for other feature like NAT. For NAT we used to have SNAT (Stateful NAT) but it has been deprecated and SNAT is now only supported on ASA paltform
Introduction: The "external-out enable" command is available for
configuration under the "router ospf process" in case of the IOS-XR
operating system. This command basically enables advertisement of
intra-area routes on the device as external routes in th...
Introduction Basic configuration for netflow Scale parameters for
netflow Netflow support Architecture Packet flow for netflow Inside the
LC CPU Netflow Cache size, maintenance and memory Sample usage Cache
Size Aging Permanent cache Characteristics Which...