Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

ovt Bronze

IPSec high availability and HSRP (IOS 12.2(8)T) - broken by design ?

Hi all!

We have two routers with ethernet (to our LAN) and serial interfaces (each

router goes to a different ISP). HSRP is used on the ethernet interfaces

and both routers accept IPSec tunnels from remote sites on the serial


The question is: how can we integrate HSRP and IPSec, so that if a tunnel

fails and remote site reconnects to the second router (they use DPD)

HSRP also swaps active and standby for a given HSRP group?

Note, that outside interface is a serial interfaces and the following

config does not apply:

Also, is there a way to load balance IPSec tunnels between two routers?

Oleg Tipisov,



New Member

Re: IPSec high availability and HSRP (IOS 12.2(8)T) - broken by

Change your IPSec configuration to GRE multipoint/NHRP and make each of your 2 HSRP routers nodes on the GRE multipoint mesh, using the public Ip addresses of their serial interfaces as the endpoints.

On your spoke routers, add floating static routes to forward the necessary traffic through the VPN to the STANDBY router. Run a routing protocol from your active router to the spoke sites.

In the normal course of operation, the spoke sites will use the dynamically learnt routing information to forward traffic to the active router. Should the active router fail, the dynamically learnt routes will be withdrawn and the spokes will forward to the standby router.

I'm not a fan of load-balancing with 2 devices, as either one of the devices will have to cope with full load anyway should the other fail. If you really want to go down that path you can do this by running a routing protocol between your HSRP routers, dividing your spoke sites into two groups, and having half route to 1 router normally with routing failover to the other etc etc.

I have seen people try to load balance using combinations of cef, RRI multiple crypto routers and IPSec/TED tunnel mode - don't go there

Using GRE and a routing protocol means that you can rely on the routing protocol to detect a dead peer and avoid using isakmp keepalives.

ovt Bronze

Re: IPSec high availability and HSRP (IOS 12.2(8)T) - broken by

Thank you for the replay.

Are there any advantages of using multipoint

GRE with floating-static routes over

point-to-point GRE + EIGRP (OSPF) +

administrative distance to select next hop?

Is it possible to avoid GRE? (I heared that

IPSec+GRE = unreliable in latest IOSes.)

Why do you think that detecting a tunnel

failure with dynamic routing protocol is

better (more reliable?) than with IKE


Why cisco didn't implement the simplest

solution for failover: IKE keepalives +

the command: "standby track "?

(I know, IPsec lacks virtual interface, but...)

Thank you again,

Oleg Tipisov,