Weird VPN problem when switch over to secondary headend router
I have a weird one here that I have encountered several times though I want to try to get to the bottom of it.
I have two head end (HQ) routers that connect to numerous spokes. Each spoke has two "set peer" commands in the "crypto map STEVE 1 ipsec-isakmp" menu. All spokes terminate on one headend router and the other is used for backup (with HSRP on the LAN client side). I use preshared keys.
All of this works fine. I have a ping going between a host at the Headend and a host on the spurs. I then switch off the primary headend router. What happens is that the ping stops and times out. However, if I then start a ping from the spur back to the client, everything starts to work again!!! It is almost as if the return path needs to be "requested" by the ping from the remote site. I am using straightforward crypto maps here with preshared keys. Dead simple. I have noticed this on several occasions with different software. I am using 12.2.15.T5 at the moment.
Another thing. I have also used the HSRP redundancy feature since my "WAN" links are ethernet microwave links. Therefore the "WAN" uses a HSRP virtual address referenced in the crypto map of the spurs. This works fine and is configured with preshared keys. Dead simple. However, I notice that it can take about thirty seconds for the pings to come back if I power off the active headend router. I cannot see a way to get this time down. I have HSRP set up at the headend so that the "encrypting" router is always the gateway router by tracking. Any ideas guys?
Re: Weird VPN problem when switch over to secondary headend router
I think what you are running into is probably a MAC learning issue. The ping from the host at the headend is forwarded by the switch to a port on which the primary router is connected. When the primary goes down, the standby router takes over the IP and the MAC. However, it takes time for the MAC to be unlearnt by the switch (5 minutes by default). You will remain disconnected till the MAC is timed out or till such time it is heard on another port (the one on which the standby router is connected). I guess aging the MAC faster might help. Depending on your platform, you might have to use the 'set cam agingtime' or 'mac-address-table aging-time' command for doing this.
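To make the MAC-learning explanation in the reply concrete, here is an added simulation (not from the thread or any Cisco tool) of a switch CAM table with aging: the HSRP virtual MAC stays pinned to the dead primary's port until the entry ages out, or until the standby is heard on its own port, which is what the spoke-side ping causes. Port names, timings and the group number are constructed; 300 s is the default aging time the reply quotes.

```python
from dataclasses import dataclass, field
from typing import Optional

DEFAULT_AGING_SECONDS = 300  # the 5-minute default the reply mentions


@dataclass
class CamTable:
    """Minimal switch MAC (CAM) table: MAC -> (port, time last seen as source)."""
    aging_seconds: int = DEFAULT_AGING_SECONDS
    entries: dict = field(default_factory=dict)

    def learn(self, mac: str, port: str, now: int) -> None:
        # A frame with this source MAC was received on `port`: (re)learn it there.
        self.entries[mac] = (port, now)

    def lookup(self, mac: str, now: int) -> Optional[str]:
        # Port to forward to; None means the entry aged out and the frame is
        # flooded to every port (which is how it finally reaches the standby).
        entry = self.entries.get(mac)
        if entry is None:
            return None
        port, seen = entry
        if now - seen > self.aging_seconds:
            del self.entries[mac]
            return None
        return port


def failover_scenario(aging_seconds: int = DEFAULT_AGING_SECONDS,
                      spoke_ping_at: Optional[int] = None) -> list:
    """Return (time, forwarding port) for the headend host's pings after failover.

    Constructed timeline: the primary on Gi0/1 is last heard at t=0 and then
    loses power; the standby on Gi0/2 holds the same HSRP virtual MAC but is
    only heard on Gi0/2 once the spoke starts pinging at spoke_ping_at.
    """
    vmac = "0000.0c07.ac01"  # HSRP v1 virtual MAC format, group 1 (constructed)
    cam = CamTable(aging_seconds)
    cam.learn(vmac, "Gi0/1", now=0)
    results = []
    for t in range(20, 400, 20):  # the headend host pings every 20 s
        if spoke_ping_at is not None and t >= spoke_ping_at:
            cam.learn(vmac, "Gi0/2", now=t)  # standby's forwarded traffic seen
        results.append((t, cam.lookup(vmac, t)))
    return results
```

A port of "Gi0/1" in the result is a black-holed ping; lowering the aging time (the `mac-address-table aging-time` command the reply names) shortens that window, and a spoke-side ping ends it immediately.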