
VPN with HSRP and SSO

Hi,

I'm trying to configure VPN with HA using HSRP & SSO and everything works fine, but I have some doubts.

                            (192.168.0.1)     R1    (10.0.0.1)------------\
                           /                                                           \
R4(192.168.0.4)--- VIP (192.168.0.10)           VIP (10.0.0.10)  -----(10.0.0.3) R3
                           \                                                          /
                             (192.168.0.2)    R2    (10.0.0.2)-----------/

I ping R4 from R3 and traffic goes through R1 (with higher HSRP priority), and if I shut down the interface on R1 I have to wait 2-4 minutes until the tunnel comes up between R2<->R3. In the meantime I see messages on R2 (~10x):

*Apr 30 22:09:35.071: %CRYPTO-4-IKMP_NO_SA: IKE message from 10.0.0.3 has no SA and is not an initialization offer

I thought that SSO functionality keeps the information about the neighbor tunnel and can take over the role very fast.

My question: is it OK that the process takes a couple of minutes, or could something be wrong with my SSO configuration?

redundancy inter-device
scheme standby HA-out
!
!
redundancy
!
!
ipc zone default
association 1
  no shutdown
  protocol sctp
   local-port 5000
    path-retransmit 10
    assoc-retransmit 10
   remote-port 5000
    remote-ip 10.0.0.1

Thank you for any advice

Hubert
