Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

VPN with backup peers & DPD

Hi,

I'm having some problems with Cisco 870 routers connected to Cisco ASA 5550 firewalls via the internet and IPSEC L2L VPN's. The 870 router establishes a tunnel to the default peer without a problem. The crypto map has 4 entries so depending on the traffic being sent through the 870 router there can be up to 4 SPI's using that tunnel

The problem is as follows:

As the underlying connectivity is via the Internet, every now and then we see that the router establishes a tunnel to the backup peer (123.44.55.66). When this happens I end up with two active tunnels, with at least one SPI still active on the default tunnel peer. The problem I have is that on the other end of these tunnels, when the VPN is created to the backup peer it uses RRI to advertise the 870's LAN into our core network. Traffic from the Core will be routed via the backup VPN, but traffic from the 870 can still use the default VPN to send traffic. Asymmetric traffic then breaks connectivity for the site.

So the problem I see is that the 870 router (using DPD) should only ever have one tunnel up, if it detects a problem with that one it should tear it down and establish a tunnel to the backup peer. Traffic would then by symmetric.

Does anyone have any ideas? Any clues why both tunnels stay up?

Cheers

3 REPLIES
New Member

VPN with backup peers & DPD

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsa46834&from=summary

CSCsa46834 seems to describe the problem exactly, but affected versions only show 12.3, we're running

12.4(15)T7

Re: VPN with backup peers & DPD

You need to introduce IP-SLA and track object, to monitor route availability and base on return value, the router will push the traffic either one of the tunnel path.

Please review the config on this thread below and you may want to change it reflect your setup.

https://supportforums.cisco.com/thread/2034251

thanks

New Member

Re: VPN with backup peers & DPD

Hi rizwanr74

Thanks for the reply. I don't think that applies here, each client only has a single Internet connection so there is no routing changes required. The redundancy we're looking for is on the ASA firewall endpoint, by having the default peer and then a 2nd peer if that is unavailable. DPD should detect if the default peer is unavailable, tear down the tunnel and then establish to the 2nd peer. We are not seeing the tearing down take place.

Cheers

1373
Views
0
Helpful
3
Replies