seamless migration of cryptomap ipsec setup to vrf aware environment?
Hi out there,
We are in a migration phase from a VPN router with a non-VRF-aware setup to a router with a VRF-aware setup. I expected that I would be able to do this more or less seamlessly by adding the WAN interface of the VRF-aware router to the same HSRP group as the non-VRF-aware router and then just raising the priority of the VRF-aware router when we had a time slot for migrating the environment. But when I added the interface of the VRF-aware router to the HSRP group of the non-VRF-aware router, the VRF-aware router suddenly started to "malfunction" - it had two other interfaces running with VPN connections, and those sessions started to crash.
Since this is a production environment I didn't have time to debug what happened, so I just quickly rolled back what I had done, and everything looked OK and stable again. But can someone here give me a guess as to what happened?
The setup I had on the non-VRF-aware router was this:
ip address 126.96.36.199 255.255.255.128
standby 68 ip 188.8.131.52
standby 68 priority 110
standby 68 preempt
standby 68 authentication xxxx
standby 68 name asp
crypto map cm-cvn001 redundancy asp
And on the VRF-aware environment:
ip address 184.108.40.206 255.255.255.128
vrf forwarding INTERNET3
standby 68 ip 220.127.116.11
standby 68 priority 50
standby 68 preempt
standby 68 authentication xxxx
standby 68 name asp