Cisco Support Community

IPSec VPN Resilience Solutions

I have read the article on building a resilient IPsec solution:

http://www.cisco.com/warp/public/cc/so/neso/vpn/vpne/vpne_an.htm

However, it does not seem to work so well for me. I have two 2621 access routers, and I am terminating several remote GRE tunnels into these routers. I am able to have two active GRE tunnels from each access router into each remote location; however, I cannot have both active with IPsec. It seems that IPsec does not support load balancing or load sharing.

When I follow this example and watch the debug [debug cry is & ip & en] when I apply it to the interface, I still see both tunnels connecting; however, only one access router is able to encrypt and decrypt [sh cry en conn ac]. The other router just says that it encrypts, and the remote router just says that it encrypts but never decrypts.

I think the problem is that both tunnels want to be active and unencrypted packets are being sent to the remote router; it is sending encrypted messages to the truly active access router, while the truly active access router is sending and receiving encrypted messages, but the messages it sends are getting discarded somehow. Maybe this can be resolved by forcing one tunnel to be active by weighting the routes in EIGRP; that way, if it goes down, the other tunnel will go active. What do you folks think?


Re: IPSec VPN Resilience Solutions

Have you had the chance to talk to Cisco yet? It looks like you’re running into a bug.
