New Member

inter-device device redundancy for IPSEC

Hi, I have a pair of 2821 routers which are configured as IPsec hubs with inter-device redundancy. I use 2 interfaces with HSRP "HA-OUT" to terminate IPsec over VTI tunnels and 2 interfaces with HSRP "HA-OUT-ENC" for encapsulated IPsec. The question now is: can I have redundancy inter-device with both scheme standby HA-OUT and scheme standby HA-OUT-ENC?

3 REPLIES
Silver

Re: inter-device device redundancy for IPSEC

The following link discusses IPsec redundancy:

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094c1f.shtml

The debug dialer and several show command outputs displayed here show the primary link as failed, and dialer watch recognizes the lost route. The router then initiates the backup link and OSPF converges through the secondary link. Each time the idle timeout expires, the router checks whether the primary link is down. If the primary link is found to be up, dialer watch disconnects the backup link after the disable timer expires and tears down the call, and OSPF converges by way of the primary link as usual.

New Member

Re: inter-device device redundancy for IPSEC

Hi,

I was talking about stateful HA IPsec redundancy. The problem I have is that you configure an SCTP connection between the 2 devices over which they exchange state. This SCTP connection is linked with the HSRP group that is configured on the interfaces, but you cannot link it at the same time to a second HSRP group.

redundancy inter-device
 scheme standby HA-out
 security ipsec sso-secure

You cannot add a second scheme in here.

And that is what I'd like to do.

New Member

HA IPSEC not on redundancy

HA IPsec is not in the redundancy inter-device command.

It's in the interface.

Ex.

interface GigabitEthernet0/0
 standby 2 name ISP-B
 crypto map VPN redundancy ISP-B stateful

interface GigabitEthernet0/2
 standby 1 name ISP-A
 crypto map VPN2 redundancy ISP-A stateful
