Using backup servers is a different approach to what I am doing and should be used when the redundant headend routers are not running HSRP between them.
Considering I am running HSRP and targetting the VIP, their is no backup routers to target, the VIP itself provides the HA. Now yes, the VIP will still be up when a HSRP failover occurs but the tunnel will go down and in my tests it seems only the HW client detects the tunnel failure and reconnects to the VIP which is now hosted by the secondary. The software client doesn't perform the automatic reconnection to the VIP when a tunnel fails. But I am not sure if this is a limitation of the client or if considering the limited configurability of the IPSec SW client it can be configured to operate any differently. On Sun, May 6, 2012 at 6:12 AM, Kingsley Charles <[email protected] > wrote: > Yes, it can get backup list from the EzVPN server or local configuration. > > Now why should it jump to those backup servers, when the VIP is still > alive? > > With regards > Kings > > > On Sun, May 6, 2012 at 12:32 AM, Ben Shaw <[email protected]> wrote: > >> I am targetting the VIP address and also thought it would work as both >> the HW and SW client are using the Unity Client protocol so as far as I was >> aware are seen the same from the routers perspective. >> >> Do you know for a fact the SW client will do automatic reconnection when >> a tunnel fails do to the primary router going down which will then result >> in a reconnection to the secondary? >> >> >> >> On Sun, May 6, 2012 at 1:54 AM, Kingsley Charles < >> [email protected]> wrote: >> >>> It should work, if you are peering the HSRP address. >>> >>> >>> With regards >>> Kings >>> >>> On Sat, May 5, 2012 at 7:39 PM, Ben Shaw <[email protected]> wrote: >>> >>>> Hi All >>>> >>>> I am labbing up a couple of 1800s to use in a stateless HA pair for >>>> IPSec/Easy VPN. At the moment I am using crypto maps. >>>> >>>> Targeting the HSRP address of the 1800s, my 871 Easy VPN client detects >>>> when the tunnel goes down as a result of the HSRP VIP changing to the >>>> secondary 1800 when an interface fails on the primary 1800. When the >>>> interface comes back and preempt causes the HSRP roles to change back, the >>>> 871 client again detects the dead peer and recreates a tunnel to the active >>>> 1800. >>>> >>>> I am wondering though if this can be done with the IPSec Client? I am >>>> connecting to the same group with the IPSec client and when I failover the >>>> HSRP routers the clients tunnel eventually just times out but it does not >>>> automatically try and reconnect like the 871 does. Should I expect this to >>>> occur or is this automatic reconnection unique to hardware VPN tunnels? >>>> >>>> Thanks >>>> Ben >>>> >>>> _______________________________________________ >>>> For more information regarding industry leading CCIE Lab training, >>>> please visit www.ipexpert.com >>>> >>>> Are you a CCNP or CCIE and looking for a job? Check out >>>> www.PlatinumPlacement.com >>>> >>> >>> >> >
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
