2162 Views, 0 Helpful, 5 Replies

HSRP IPSec stateful failover on Cisco 2800 platform

bartholomiew
Level 1

Hello

I have 2 C2811 ISRs running

c2800nm-advsecurityk9-mz.124-15.T17.bin

and having on board:

1 Virtual Private Network (VPN) Module

My question is: is it possible to enable IPSec stateful failover (or switchover, SSO) between these boxes?

I'm quite confused at the moment because I get different infos from Cisco sources.

First, I tried to run this manual:

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/white_paper_c11_472859.html

All commands were accepted, but failover doesn't seem to be stateful (I lose the connection for a few seconds and the VPNs are re-establishing).

Then I found here:

http://www.cisco.com/en/US/docs/ios/12_2/12_2y/12_2yx11/feature/guide/ft_vpnha.html#wp1092416

that this feature is supported only on 7200 platforms

On the other hand, here (page 5):

http://www.cisco.com/en/US/prod/collateral/routers/ps5854/prod_qas0900aecd80516d81.pdf

it states that the 3800 platform also supports this feature.

I went to FN, and there I noticed the separation between:

a) "Stateful Failover for IPSec", which is supported on my platform,

and

b) "IPSec Stateful Failover", which is supported only on the 7200 and 6000 platforms.

What's the difference then between:

a) "Stateful Failover for IPSec"

and

b) "IPSec Stateful Failover"

?

Additionally I noticed the following log after enabling the configuration for SSO:

*Mar 27 09:32:41.151: %CRYPTO_HA_IPSEC-4-CRYPTO_HA_NOT_SUPPORTED_BY_HW: Crypto hardware is enabled and it does not support HA operation 'IPSec - extract keys'

The log disappears after issuing the command:

no crypto engine onboard 0

but SSO still doesn't work like it should.

I'd appreciate any clarification in this matter.

Thanks

Bartek

5 Replies

david.tran
Level 4

When I tried this back in 2008, I found that the SSO method is not as reliable as you would think. If you really want something stable, I would suggest the following:

1- GRE/IPSec. With this method, you will always have an Active/Active VPN tunnel. You control it via dynamic routing over GRE. In this method, both sides must support GRE/IPSec, but all sites do NOT have to be Cisco devices.

2- DMVPN. This is also reliable. In this method, all sites must be Cisco.

We considered both solutions that you mention, but IPSec HA would be the best for us. If this will not work, we will consider one of them again.

In the meantime I noticed that on my C2800 cluster I can see standby IPSec and ISAKMP SAs on my standby node:

router#sh cry isakmp sa standby

IPv4 Crypto ISAKMP SA

dst             src             state          conn-id slot status

IP1  IP2  QM_IDLE           1002    0 STDBY

router#sh cry ipsec sa standby

....

Status: STANDBY

....

This would suggest that the IPSec HA is working somehow.

Maybe it's working, but (as David said) not as perfectly stateful as it should be (because during failover stateful connections and a few pings are lost).

Regards

BK

One more thing which would confirm that IPSec HA is working on these C2800s: after failover I can see the following log on the standby node:

*Mar 30 14:53:42.356: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 5 state Standby -> Active

*Mar 30 14:53:42.364: %CRYPTO-5-IKE_SA_HA_STATUS: IKE sa's if any, for vip  "MY VIP" will change from STANDBY to ACTIVE

*Mar 30 14:53:42.364: %CRYPTO-5-IPSEC_SA_HA_STATUS: IPSec sa's if any, for vip  "MY VIP" will change from STANDBY to ACTIVE

But still this log...

*Mar 27 09:32:41.151: %CRYPTO_HA_IPSEC-4-CRYPTO_HA_NOT_SUPPORTED_BY_HW: Crypto hardware is enabled and it does not support HA operation 'IPSec - extract keys'

So maybe IOS supports this feature but the hardware does not, and even though it works it will not be efficient due to the fact that the whole crypto job will be done by the CPU?

B
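As an added illustration (not code from the thread or from Cisco), a short Python check of whether a failover looked stateful from the router's syslog: it correlates each HSRP Standby -> Active transition with the IKE and IPsec SA promotion messages that should follow it within a few seconds, and flags the hardware-not-supported warning that indicates crypto HA is not offloaded. The sample lines are constructed from the messages quoted above; the VIP label, interface and timestamps are placeholders.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog lines modelled on the messages quoted in the thread
# (timestamps, interface and VIP label are placeholders, not a real device).
SAMPLE_LOG = """\
*Mar 27 09:32:41.151: %CRYPTO_HA_IPSEC-4-CRYPTO_HA_NOT_SUPPORTED_BY_HW: Crypto hardware is enabled and it does not support HA operation 'IPSec - extract keys'
*Mar 30 14:53:42.356: %HSRP-5-STATECHANGE: FastEthernet0/0 Grp 5 state Standby -> Active
*Mar 30 14:53:42.364: %CRYPTO-5-IKE_SA_HA_STATUS: IKE sa's if any, for vip "MY VIP" will change from STANDBY to ACTIVE
*Mar 30 14:53:42.364: %CRYPTO-5-IPSEC_SA_HA_STATUS: IPSec sa's if any, for vip "MY VIP" will change from STANDBY to ACTIVE
"""

# IOS syslog line: optional '*' (clock not synced), timestamp, %FACILITY-SEV-MNEMONIC, text.
LINE_RE = re.compile(
    r"^\*?(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"%(?P<mnemonic>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<msg>.*)$"
)
HW_UNSUPPORTED = "CRYPTO_HA_IPSEC-4-CRYPTO_HA_NOT_SUPPORTED_BY_HW"


def parse(log_text):
    """Return a list of (timestamp, mnemonic, message) tuples; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S.%f")  # year is irrelevant here
        events.append((ts, m["mnemonic"], m["msg"]))
    return events


def assess_failover(log_text, window=timedelta(seconds=5)):
    """For each HSRP Standby -> Active transition, check that IKE and IPsec SA
    promotion messages follow within `window`; also report the HW warning."""
    events = parse(log_text)
    hw_unsupported = any(mnem == HW_UNSUPPORTED for _, mnem, _ in events)
    transitions = []
    for ts, mnem, msg in events:
        if mnem == "HSRP-5-STATECHANGE" and "Standby -> Active" in msg:
            seen = {m for t, m, _ in events if ts <= t <= ts + window}
            transitions.append({
                "at": ts.strftime("%b %d %H:%M:%S.%f")[:-3],
                "ike_sa_promoted": "CRYPTO-5-IKE_SA_HA_STATUS" in seen,
                "ipsec_sa_promoted": "CRYPTO-5-IPSEC_SA_HA_STATUS" in seen,
            })
    return {"crypto_hw_unsupported": hw_unsupported, "transitions": transitions}
```

A transition with both SA promotions and no hardware warning is what a genuinely stateful switchover should look like; the warning alone means the key extraction is not done by the crypto module, matching the "runs in software" explanation below.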

a.mallory
Level 1

I recently had this same problem. The issue appears to be that your hardware doesn't support an operation required by the HA feature for IPSec. If you don't have a lot of traffic, and running this in software is acceptable, you might want to try this command from global config mode:

"no crypto engine software ipsec"

This will allow the software to handle the VPN functionality.

Read this for a better explanation:

http://www.cisco.com/en/US/docs/ios/12_3t/12_3t14/feature/guide/gt_dhcef.html

olpeleri
Cisco Employee

Hello,

IPSEC HA uses the SSO Framework. In order to replicate the IPSEC phase II between both boxes, you need an AIM-VPN/SSL-2 in each device.

This is documented over here:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_vpnav/configuration/15-2mt/sec-state-fail-ipsec.html#GUID-484562B6-A113-4901-A630-37869F8494D8

In fact, instead of using the legacy crypto maps, you should use 2 VTIs on both routers. Then, using a routing protocol, you would have load-balancing AND failover capabilities [based on the routing protocol convergence]. That would be your preferred solution.

Cheers,

Olivier - CCIE Security#20306
