Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

VPN problem with crypto map redundancy


I can successfully start up a vpn connection with non redundancy crypto map on interface.

If I change interface crypto map setting from "crypto map VPNs" to "crypto map VPNs redundancy EXT-VIP" the phase 2 of VPN tunnel can't be established anymore.

debug crypto shows following messages:
CEST: IPSEC(ipsec_process_proposal): invalid local address

IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local=, remote=,

Seems that the reason for this problem is that ipsec communication will use HSRP VIP and not not loopback0 address which should be used because of crypto map VPNs local-address Loopback0.

System Information:

Cisco IOS Software, C3900 Software (C3900-UNIVERSALK9-M), Version 15.0(1)M3, RELEASE SOFTWARE (fc2)

The configuration looks as follows:

crypto map VPNs local-address Loopback0
crypto map VPNs 1 ipsec-isakmp
description VPN-Tunnel-01
set peer
set security-association idle-time 3600
set transform-set ESP-3DES-MD5
match address VPN-01

interface Loopback0
ip address

interface GigabitEthernet0/0
  ip address
ip access-group debug_ext in
ip access-group debug_ext out
duplex auto
speed auto
standby 2 ip
standby 2 priority 150
standby 2 preempt
standby 2 name EXT-VIP
standby 2 track 1 decrement 110
standby 2 track 2 decrement 110
crypto map  VPNs redundancy EXT-VIP
crypto map  VPNs

Hopefully I will find a solution here.

Thanks & Regards,



Re: VPN problem with crypto map redundancy

You have to use HSRP IP for VPN tunnel endpoint IP if you would like to implement this redundancy. That is how the redundancy works.

Just remove the "crypto map VPNs local-address Loopback0" and reconfigure the remote end to point to HSRP IP.

New Member

Re: VPN problem with crypto map redundancy


thank you for the reply.

Is it possible to use address translation on VIP to loopback address to get this working.

I have not enough space in address range of VPN peer address to use this for HSRP.



Re: VPN problem with crypto map redundancy

You can use NAT. I am not sure how your setup is. But I think you might have to do the NAT on the device in front of this two HSRP routers.