Cisco Support Community

IPSec SAs never come up when the HSRP pair is forced to failover on a Cisco router

 

Introduction:

This document describes a scenario in which a user's IPsec Security Associations (SAs) fail to come up after the HSRP pair is forced to fail over, and explains the interaction between IPsec crypto maps and HSRP that causes it.

 


What is HSRP?

HSRP stands for Hot Standby Router Protocol. It is a Cisco proprietary protocol used to provide first-hop redundancy: a group of routers shares a virtual IP address, so that if the active (primary) router goes down the standby router takes over its forwarding role and hosts keep using the same default gateway. The goal is near-100 percent availability of the gateway.

 

If the user is not using Cisco devices, or needs an alternative, there are other first-hop redundancy protocols that Cisco also supports:

  • Virtual Router Redundancy Protocol (VRRP), the IETF standard equivalent of HSRP
  • Gateway Load Balancing Protocol (GLBP), another Cisco proprietary alternative to HSRP that also load-shares traffic across the routers in the group

 

How does HSRP work?

HSRP defines the roles that routers in a group take when HSRP is configured and running: one router is active (the primary) and one is standby. For example:

 

We have two routers, R1 (active/primary) and R2 (standby). If R2 stops receiving HELLO packets from R1 for the configured hold time, R2 assumes that R1 is down and a changeover takes place: R2 takes ownership of the virtual IP address and starts answering for the virtual Ethernet MAC address associated with that virtual IP, so hosts that use the virtual IP as their default gateway are unaffected.

 

R1 and R2 keep exchanging HSRP HELLO packets, which confirms that both routers are working and keeps them in sync about who is active. In HSRP version 1 the HELLO packets are multicast to 224.0.0.2 on UDP port 1985 (HSRP version 2 uses 224.0.0.102), by default every 3 seconds with a 10 second hold time. HSRP first appeared in Cisco IOS 10.0; IOS versions 11 and 12 ship updated releases of HSRP.

 

Note: For implementing router redundancy, the user is not limited to two routers. A group can contain several routers, so that more than one router is ready to take over if the active router fails.

Core issue

Crypto maps get disabled when changes are made to the Hot Standby Router Protocol (HSRP) configuration on the router. A crypto map that has been disabled in this way does not negotiate new IPsec SAs, so the tunnel stays down after the HSRP pair fails over.

 

Resolution

Try to manually clear the IPsec Security Associations (SAs) on the primary router (clear crypto sa, and clear crypto isakmp if the IKE SAs are also stale), so that the peers renegotiate. If that does not help, remove the crypto maps from the interfaces where HSRP is defined, and re-apply them.

Whenever you change the HSRP configuration on an interface that has a crypto map applied, re-apply the crypto map after the changes so that it is re-bound to the HSRP group.

 

For more information, refer to the Configuring HSRP with IPSec section of IPSec VPN High Availability Enhancements.
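The following is an added configuration example, not taken from the original article or from Cisco's documentation, that shows how the pieces described above fit together on the active router: an HSRP group on the Internet-facing interface, a crypto map bound to that group with the redundancy keyword, and the recovery procedure from the Resolution section. All names, addresses and the pre-shared key placeholder (HA-OUT, VPN-MAP, VPN-ACL, 192.0.2.0/24, 203.0.113.10, 10.1.0.0/16, 10.2.0.0/16) are assumptions chosen for the example; pick algorithms that your IOS release actually supports.

```text
! --- Added example (not from the original article): R1, the HSRP active router.
! --- Addresses use RFC 5737 documentation ranges; replace <strong-psk>.

crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key <strong-psk> address 203.0.113.10
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! The remote peer must be configured to talk to the HSRP virtual IP (192.0.2.1),
! never to the physical address of R1 or R2, or the tunnel cannot survive a failover.
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-AES
 match address VPN-ACL
!
ip access-list extended VPN-ACL
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
interface GigabitEthernet0/0
 description Outside / VPN interface shared by the HSRP pair
 ip address 192.0.2.2 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 name HA-OUT
 ! "redundancy HA-OUT" binds the crypto map to the HSRP group: IKE and IPsec use
 ! the virtual IP as the local endpoint and only run on the HSRP active router.
 ! This binding is what must be re-applied after any change to the "standby" lines.
 crypto map VPN-MAP redundancy HA-OUT

! --- Recovery procedure from the Resolution section, run on the active router.
! Confirm which router is HSRP active and that the SAs (if any) use the virtual IP.
R1# show standby brief
R1# show crypto isakmp sa
R1# show crypto ipsec sa
! Step 1: clear the SAs so the peers renegotiate.
R1# clear crypto sa
R1# clear crypto isakmp
! Step 2 (only if the SAs still do not come up): remove and re-apply the crypto map.
R1# configure terminal
R1(config)# interface GigabitEthernet0/0
R1(config-if)# no crypto map VPN-MAP
R1(config-if)# crypto map VPN-MAP redundancy HA-OUT
R1(config-if)# end
! Watch the new negotiation; expect a fresh IKE SA with 192.0.2.1 as the local address.
R1# debug crypto isakmp
R1# debug crypto ipsec
```

Two caveats worth keeping in mind: R2 needs the same crypto configuration and the same standby group name, because after a failover it has to build the IKE and IPsec SAs from scratch (the plain redundancy binding is not stateful; the separate Stateful Failover for IPsec feature is required to carry SAs across), so a short outage while the peer re-keys against the virtual IP is normal. And if the crypto map ever shows as inactive after you edit the standby lines, re-applying it with the redundancy keyword, as in step 2 above, is the intended fix rather than rebooting the router.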

 

Problem Type

Connectivity to the device

Troubleshoot software feature

Product Family

Routers

 

Manifestation

Does not start

 

Frequency

Continuously

 

Cisco IOS Software Version

12.3

12.1

12.2

VPN Tunnel End Points

Router

 

Selected PIX or Router Commands

debug

 

VPN Protocols

IPSec

 

VPN Tunnel Initialization

IPSec session is not established

Version history: Revision 2 of 2, last updated 08-23-2017 09:04 PM