11-28-2007 08:21 AM - edited 02-21-2020 03:24 PM
I need help from experts in this forum:
I have a pair of Cisco VXR7206 running IOS version c7200-jk9s-mz.124-10a.bin. I set up this pair of routers for stateful IPsec failover. In other words, if the Active router is rebooted, the standby router will take over and the VPN tunnel will stay up. The remote VPN peer only sees the HSRP of this device. The VPN is up and running, but on the standby router these commands show nothing. Not only that, when I reboot the Active router the VPN tunnel goes down. Any ideas?
PLN_VPN_1#sh stand
FastEthernet0/0 - Group 10
State is Standby
1 state change, last state change 00:22:11
Virtual IP address is 10.109.114.99
Active virtual MAC address is 0000.0c07.ac0a
Local virtual MAC address is 0000.0c07.ac0a (v1 default)
Hello time 3 sec (cfgd 15 sec), hold time 10 sec (cfgd 45 sec)
Next hello sent in 0.524 secs
Authentication text "EXTERNAL"
Preemption enabled
Active router is 10.109.114.101, priority 100 (expires in 9.296 sec)
Standby router is local
Priority 100 (default 100)
Track interface FastEthernet1/0 state Up decrement 10
IP redundancy name is "EXTERNAL" (cfgd)
FastEthernet1/0 - Group 20
State is Standby
1 state change, last state change 00:22:11
Virtual IP address is 10.250.97.1
Active virtual MAC address is 0000.0c07.ac14
Local virtual MAC address is 0000.0c07.ac14 (v1 default)
Hello time 3 sec (cfgd 15 sec), hold time 10 sec (cfgd 45 sec)
Next hello sent in 0.524 secs
Authentication text "INTERNAL"
Preemption enabled
Active router is 10.250.97.3, priority 100 (expires in 9.628 sec)
Standby router is local
Priority 100 (default 100)
Track interface FastEthernet0/0 state Up decrement 10
IP redundancy name is "INTERNAL" (cfgd)
PLN_VPN_1#sh crypto ha
IKE VIP: 10.109.114.99
stamp: Not set
IPSec VIP: 10.109.114.99
PLN_VPN_1#sh crypto isakmp sa
dst src state conn-id slot status
PLN_VPN_1#sh crypto ipsec sa stand
No SAs found
PLN_VPN_1#sh crypto session stand
PLN_VPN_1#sh crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: FastEthernet0/0
Session status: DOWN
Peer: 198.147.10.193 port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit ip 10.250.97.0/255.255.255.0 192.168.1.0/255.255.255.0
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
Interface: FastEthernet0/0
Session status: DOWN
Peer: 10.109.114.101 port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit 132 host 10.109.114.100 port 5000 host 10.109.114.101 port 5000
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 728 life (KB/Sec) 0/0
IPSEC FLOW: permit 132 host 10.109.114.100 port 5001 host 10.109.114.101 port 5001
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 728 life (KB/Sec) 0/0
PLN_VPN_1#
Can someone help? Thanks
11-28-2007 08:23 AM
PLN_VPN_2#sh stand
FastEthernet1/0 - Group 10
State is Active
2 state changes, last state change 00:34:28
Virtual IP address is 10.109.114.99
Active virtual MAC address is 0000.0c07.ac0a
Local virtual MAC address is 0000.0c07.ac0a (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.052 secs
Authentication text "EXTERNAL"
Preemption enabled
Active router is local
Standby router is 10.109.114.100, priority 100 (expires in 7.276 sec)
Priority 100 (default 100)
Track interface FastEthernet1/1 state Up decrement 10
IP redundancy name is "EXTERNAL" (cfgd)
FastEthernet1/1 - Group 20
State is Active
2 state changes, last state change 00:34:28
Virtual IP address is 10.250.97.1
Active virtual MAC address is 0000.0c07.ac14
Local virtual MAC address is 0000.0c07.ac14 (v1 default)
Hello time 3 sec, hold time 10 sec
Next hello sent in 2.388 secs
Authentication text "INTERNAL"
Preemption enabled
Active router is local
Standby router is 10.250.97.2, priority 100 (expires in 7.276 sec)
Priority 100 (default 100)
Track interface FastEthernet1/0 state Up decrement 10
IP redundancy name is "INTERNAL" (cfgd)
PLN_VPN_2#sh crypto isakmp sa
dst src state conn-id slot status
198.147.10.193 10.109.114.99 QM_IDLE 1 0 ACTIVE
PLN_VPN_2#sh crypto ha
IKE VIP: 10.109.114.99
stamp: A7 84 38 8C C5 64 49 F6 F7 9A 35 40 FE 33 F1 FB
IPSec VIP: 10.109.114.99
PLN_VPN_2#sh crypto session detail
Crypto session current status
Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, X - IKE Extended Authentication
Interface: FastEthernet1/0
Session status: UP-ACTIVE
Peer: 198.147.10.193 port 500 fvrf: (none) ivrf: (none)
Phase1_id: 198.147.10.193
Desc: (none)
IKE SA: local 10.109.114.99/500 remote 198.147.10.193/500 Active
Capabilities:(none) connid:1 lifetime:23:27:22
IPSEC FLOW: permit ip 10.250.97.0/255.255.255.0 192.168.1.0/255.255.255.0
Active SAs: 2, origin: crypto map
Inbound: #pkts dec'ed 172406 drop 0 life (KB/Sec) 4393312/1899
Outbound: #pkts enc'ed 172406 drop 2 life (KB/Sec) 4393312/1899
Interface: FastEthernet1/0
Session status: DOWN
Peer: 10.109.114.100 port 500 fvrf: (none) ivrf: (none)
Desc: (none)
Phase1_id: (none)
IPSEC FLOW: permit 132 host 10.109.114.101 port 5000 host 10.109.114.100 port 5000
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 1031 life (KB/Sec) 0/0
IPSEC FLOW: permit 132 host 10.109.114.101 port 5001 host 10.109.114.100 port 5001
Active SAs: 0, origin: crypto map
Inbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
Outbound: #pkts enc'ed 0 drop 1031 life (KB/Sec) 0/0
PLN_VPN_2#ping 10.109.114.100
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.109.114.100, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms
PLN_VPN_2#
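For readers following this thread, the following is an added, reconstructed configuration for PLN_VPN_1 that shows how the pieces of IOS stateful IPsec failover fit together: the HSRP group name that `redundancy inter-device` binds to, the SCTP association under `ipc zone default` that carries IKE/IPsec state to the peer router, and the `crypto map ... redundancy ... stateful` binding on the outside interface. It is not the poster's running configuration and not a Cisco document excerpt; the addresses, HSRP group numbers and names, interface names and the remote peer are taken from the `show` output above, while the crypto map, ACL, transform-set and policy names and the pre-shared keys are placeholders assumed for illustration. The pre-shared key for the peer router's physical address is included because the poster's `show crypto session detail` lists IKE flows for the SCTP traffic toward 10.109.114.101; whether that key is required depends on how IPC protection was enabled and is an assumption here.

```cisco
! Added reconstruction for PLN_VPN_1 (outside Fa0/0 10.109.114.100, inside Fa1/0 10.250.97.2).
! Names marked PLACEHOLDER are assumptions, not taken from the thread.
!
! Inter-device redundancy follows the HSRP group whose name is EXTERNAL.
redundancy inter-device
 scheme standby EXTERNAL
!
! SCTP association that replicates IKE/IPsec state to the peer router.
! On PLN_VPN_2 the local/remote addresses are swapped; ports must match on both sides.
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
    local-ip 10.109.114.100
   remote-port 5000
    remote-ip 10.109.114.101
!
crypto isakmp policy 10
 encr aes
 hash sha
 authentication pre-share
 group 2
! Key for the remote VPN peer (PLACEHOLDER value).
crypto isakmp key PLACEHOLDER-PEER-KEY address 198.147.10.193
! Key for the redundant partner, for IKE-protected IPC (assumed; see lead-in).
crypto isakmp key PLACEHOLDER-HA-KEY address 10.109.114.101
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! Protected traffic, matching the IPSEC FLOW shown on the active router.
ip access-list extended VPN-TRAFFIC
 permit ip 10.250.97.0 0.0.0.255 192.168.1.0 0.0.0.255
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 198.147.10.193
 set transform-set TS
 match address VPN-TRAFFIC
!
interface FastEthernet0/0
 ip address 10.109.114.100 255.255.255.0
 standby 10 ip 10.109.114.99
 standby 10 name EXTERNAL
 standby 10 authentication EXTERNAL
 standby 10 preempt
 ! Timers must be identical on both routers; the thread's standby output
 ! shows 15/45 configured on PLN_VPN_1 but 3/10 on PLN_VPN_2.
 standby 10 timers 3 10
 standby 10 track FastEthernet1/0 10
 ! Hold HSRP back after a reload so the router does not preempt before it is ready.
 standby delay reload 120
 ! Bind the crypto map to the HSRP group: IKE/IPsec use the VIP 10.109.114.99
 ! and SA state is replicated to the standby.
 crypto map VPNMAP redundancy EXTERNAL stateful
!
interface FastEthernet1/0
 ip address 10.250.97.2 255.255.255.0
 standby 20 ip 10.250.97.1
 standby 20 name INTERNAL
 standby 20 authentication INTERNAL
 standby 20 preempt
 standby 20 timers 3 10
 standby 20 track FastEthernet0/0 10
 standby delay reload 120
```

Two checks follow from the output already in the thread. First, on both routers the IPSEC FLOW entries for protocol 132 (SCTP) between 10.109.114.100 and 10.109.114.101 show `Active SAs: 0` with growing outbound drop counters, so the inter-device channel itself should be verified with `show redundancy inter-device` and `show redundancy states` before looking at the VPN SAs; `show crypto ipsec sa standby` and `show crypto session standby` on the standby cannot show anything until state has been received over that channel. Second, the configured HSRP timers differ between the two routers, and the HSRP group name given under `scheme standby` must be exactly the `standby <group> name` used on the interface that carries the crypto map.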
11-28-2007 08:45 AM
Did you try the "redundancy standby-group-name stateful" command under your crypto ipsec profile?
regards,
juergen
11-28-2007 09:36 AM
That command is NOT needed. I added it in anyway but it still does not work.
I would like to get opinions from experts who actually deploy this in their production environments and verify that this crap from Cisco is actually working as claimed by Cisco.