Cisco Support Community
Community Member

ipsec failover without losing session

Hi all,

I've heard that it was possible to perform failover ipsec without losing sessions with ios/ipsec routers and tunnel and routing protocol.

How does it work?

Do I need HSRP on inside and outside?

How can I detect if the ipsec tunnel on router 1 is down, and force the second one to become the active router?

A sample config or link would be useful.


Cisco Employee

Re: ipsec failover without losing session

Stateful failover of IPSec is not available as yet in IOS, although they are talking about it. The best you can do at the moment is point your IPSec router to an HSRP address at the head-end, and then use the following:

Note the "crypto map redundancy" option on the interface.

Community Member

Re: ipsec failover without losing session

Hi,

Just setting this up myself! The only IOS that supports HSRP and VPN tunnels is, I believe, 12.2-8.T5, but this will NOT permit stateful tracking of the IPSEC tunnel, so if the HSRP group changes you will lose all current sessions. Try looking for IPsec VPN High Availability Enhancements under ver 12.2, but unless this feature is migrated to other IOS releases I would suspect some other form of HSRP/VPN offering is on the way. This feature permits tracking of a crypto map to an HSRP name and sends keepalives to ensure tunnels are torn down and re-established on the new HSRP master.

Good luck!

