cancel
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
547
Views
0
Helpful
2
Replies

HSRP and Site to Site VPN

jodamus112
Level 1
Level 1

Hi

I have a remote site with two 800 series routers configured with HSRP on WAN and LAN (VLAN interfaces, 2 to be exact). I have a site-to-site VPN terminating at our HO on an ASA 5500 series. I have configured the routers as per "Cisco High Availability Solution: Stateful Failover for IPsec", configuration guide, with the VPN terminating on the HSRP VIP on the remote site.

All works fine with HSRP and the VPN, with failover happening between the primary and standby routers. the only problem I have is that I am unable to access (i.e. ping, ssh), the standby router on its internal VLAN IP across the VPN from our HO. On the Local LAN at the remote site I can access it fine, but not from HO and I assume it has to do with the fact that the Standby router is either trying to create a tunnel for this traffic, classifying it as interesting on the VPN access-list, although debugs show no attempt at creating a tunnel or its a routing issue.

Any assistance is appreciated and thanking you.

2 Replies 2

Jouni Forss
VIP Alumni
VIP Alumni

Hi,

 

Have not really setup any HSRP VPN setups but was wondering what does the standby routers routing table show? Does it have a route towards the network which is trying to form the management connection to it?

 

The document you mention doesnt really list any routing related configurations other than a static route for the remote network behind the L2L VPN connection and even that in this case is pointing towards the WAN address. I guess in the example it makes sense if either the LAN or WAN interface fails the traffic from the LAN start moving through the other device when it becomes active in the HSRP.

 

But in a situation where you have both the HSRP routers in operation and the network is in normal state I would imagine you need dynamic routing between the 2 routers. I guess if the Primary router would advertice a default route to the Secondary router then it should atleast be able to forward the return traffic for the management connections to the router that has the L2L VPN connection formed.

 

I am not sure if the lack of routing is the cause for the problem but I would naturally start by checking that.

 

Hope this helps :)

 

- Jouni

 

Hi Jouni,

 

Thanks for the response.

I actually forgot to mention that, as I also thought the exact same, so I added a higher metric to my existing default static route pointing out the WAN interface and also created a static entry pointing to the VLAN VIP with the default metric and that did not work.

what I have also tried was setting the default route to point to the physical IP of the VLAN interface of the Active router without success.

Does the fact that I have a router on a stick have anything to do with it, in that the port I need to route traffic to is a switchport and not a routed port.

routing table is simple, just a default static route pointing out to WAN gateway, and Locally connected networks for the 2 VLANs. all traffic essentially goes across the VPN to HO.

Gateway of last resort is 0.0.0.0 to network 0.0.0.0

S*    0.0.0.0/0 is directly connected, GigabitEthernet0
      10.0.0.0/8 is variably subnetted, 4 subnets, 2 masks
C        10.9.0.0/24 is directly connected, Vlan2
L        10.9.0.246/32 is directly connected, Vlan2
C        10.9.1.0/24 is directly connected, Vlan3
L        10.9.1.246/32 is directly connected, Vlan3
      1.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        1.1.1.0/29 is directly connected, GigabitEthernet0
L        1.1.1.2/32 is directly connected, GigabitEthernet0
 

I have also attached a diagram depicting the scenario.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: