Cisco Support Community

ovt Bronze

12.2(15)T Enhanced Object Tracking and IPSec

Hi!

IOS 12.2(15)T introduces the Enhanced Object Tracking feature for HSRP.

The question is: is it possible to track status of an IPSec SA? In other words: is it possible to trigger HSRP switchover when DPD reports that SA is dead, provided that IPSec and HSRP use _different_ router interfaces?

The second question: when will IPSec Stateful Failover feature be integrated into T train? Are there any plans to support stateful failover for Remote-access VPNs on IOS routers? Are there any plans to support VCA load balancing?

Regards,

Oleg Tipisov,

REDCENTER,

Moscow.

2 REPLIES
Cisco Employee

Re: 12.2(15)T Enhanced Object Tracking and IPSec

High Availability features of IPSec were introduced a little while ago (12.2(13)T), where HSRP and IPSec were integrated somewhat. See http://www.cisco.com/warp/public/707/ipsec_feat.html for config details. It's not true stateful failover, but you get minimal outage (seconds instead of minutes/hours) while the tunnel is built to the second HSRP peer.

As for true stateful failover for IPSec, yes it's certainly being talked about, not sure if it's been committed to a release as yet.

ovt Bronze

Re: 12.2(15)T Enhanced Object Tracking and IPSec

This "High Availability" feature was introduced in 12.1(9)E and 12.2(8)T and requires crypto map to be applied to the *same* interface as HSRP group.

Clearly this is not possible in the vast majority of cases.

I wonder who designed it.

Oleg Tipisov,

REDCENTER,

Moscow
