I have a remote site with two 800 series routers configured with HSRP on WAN and LAN (VLAN interfaces, two to be exact). I have a site-to-site VPN terminating at our HO on an ASA 5500 series. I have configured the routers as per the "Cisco High Availability Solution: Stateful Failover for IPsec" configuration guide, with the VPN terminating on the HSRP VIP at the remote site.
All works fine with HSRP and the VPN, with failover happening between the primary and standby routers. The only problem I have is that I am unable to access (i.e. ping, SSH) the standby router on its internal VLAN IP across the VPN from our HO. On the local LAN at the remote site I can access it fine, but not from HO, and I assume it has to do with the fact that the standby router is either trying to create a tunnel for this traffic, classifying it as interesting on the VPN access-list (although debugs show no attempt at creating a tunnel), or it's a routing issue.
I have not really set up any HSRP VPN setups, but I was wondering what the standby router's routing table shows. Does it have a route towards the network which is trying to form the management connection to it?
The document you mention doesn't really list any routing-related configurations other than a static route for the remote network behind the L2L VPN connection, and even that in this case is pointing towards the WAN address. I guess in the example it makes sense: if either the LAN or WAN interface fails, the traffic from the LAN starts moving through the other device when it becomes active in the HSRP.
But in a situation where you have both HSRP routers in operation and the network is in its normal state, I would imagine you need dynamic routing between the two routers. I guess if the primary router would advertise a default route to the secondary router, then it should at least be able to forward the return traffic for the management connections to the router that has the L2L VPN connection formed.
I am not sure if the lack of routing is the cause for the problem but I would naturally start by checking that.
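The dynamic-routing idea in the reply above, made concrete as an added example; this is not configuration from the original thread or from the Cisco stateful-failover guide the question cites. It assumes OSPF process 1 in area 0, HSRP groups 2 and 3 with VIPs 10.9.0.1 and 10.9.1.1, and 10.9.0.245/10.9.1.245 as the active router's own SVI addresses (the .246 addresses are the ones visible in the routing table posted later in the thread); all of those values are assumptions. The IPsec and stateful-failover configuration is left out deliberately since the guide covers it.

```cisco
! ---------- R1: intended HSRP active ----------
! Assumed SVI addresses and VIPs.
interface Vlan2
 ip address 10.9.0.245 255.255.255.0
 standby 2 ip 10.9.0.1
 standby 2 priority 110
 standby 2 preempt
interface Vlan3
 ip address 10.9.1.245 255.255.255.0
 standby 3 ip 10.9.1.1
 standby 3 priority 110
 standby 3 preempt
!
! Normal static default out the WAN, AD 1.
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0
!
! OSPF only speaks on Vlan2 (the inter-router link); everything else stays passive.
! default-information originate redistributes the static default into OSPF
! only while that static default is actually in R1's routing table.
router ospf 1
 passive-interface default
 no passive-interface Vlan2
 network 10.9.0.0 0.0.0.255 area 0
 network 10.9.1.0 0.0.0.255 area 0
 default-information originate

! ---------- R2: intended HSRP standby ----------
interface Vlan2
 ip address 10.9.0.246 255.255.255.0
 standby 2 ip 10.9.0.1
 standby 2 priority 100
interface Vlan3
 ip address 10.9.1.246 255.255.255.0
 standby 3 ip 10.9.1.1
 standby 3 priority 100
!
! Floating static default: AD 200 is worse than OSPF's 110, so while R1 is up
! the default R2 installs is the OSPF one with next hop 10.9.0.245 (R1's SVI),
! and R2's own management replies are forwarded to the router holding the tunnel.
! When R1 dies the OSPF default ages out and this static takes over.
ip route 0.0.0.0 0.0.0.0 GigabitEthernet0 200
!
router ospf 1
 passive-interface default
 no passive-interface Vlan2
 network 10.9.0.0 0.0.0.255 area 0
 network 10.9.1.0 0.0.0.255 area 0
 default-information originate

! ---------- Checks on R2 ----------
! show ip ospf neighbor          -> R1 should be FULL on Vlan2
! show ip route 0.0.0.0          -> "O*E2 0.0.0.0/0 ... via 10.9.0.245" while R1 is up,
!                                   "S*   0.0.0.0/0 is directly connected, GigabitEthernet0" after R1 fails
```

Two caveats. First, a static default pointing at the peer router, which the original poster reports trying further down, achieves the same next hop but has no way to fall back when that peer goes away unless it is paired with a floating static, which is what the OSPF adjacency buys here. Second, routing the standby's replies to the active router only helps if the active router's crypto ACL actually covers the standby's own SVI address (10.9.0.246 above) as a local source; if the ACL matches only the user subnets, the replies reach the active router and are then sent in the clear out its WAN interface, so check both the route and the crypto ACL before concluding the problem lies elsewhere.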
I actually forgot to mention that, as I also thought the exact same, so I added a higher metric to my existing default static route pointing out the WAN interface and also created a static entry pointing to the VLAN VIP with the default metric, and that did not work.
What I have also tried was setting the default route to point to the physical IP of the VLAN interface of the active router, without success.
Does the fact that I have a router on a stick have anything to do with it, in that the port I need to route traffic to is a switchport and not a routed port?
The routing table is simple: just a default static route pointing out to the WAN gateway, and locally connected networks for the two VLANs. All traffic essentially goes across the VPN to HO.
Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, GigabitEthernet0
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        10.9.0.0/24 is directly connected, Vlan2
L        10.9.0.246/32 is directly connected, Vlan2
C        10.9.1.0/24 is directly connected, Vlan3
L        10.9.1.246/32 is directly connected, Vlan3
      126.96.36.199/8 is variably subnetted, 2 subnets, 2 masks
C        188.8.131.52/29 is directly connected, GigabitEthernet0
L        184.108.40.206/32 is directly connected, GigabitEthernet0
I have also attached a diagram depicting the scenario.