Thanks for the input Piotr.

Bruno, regarding your query, the same question could also be posed
when the hardware client is used. In that scenario the VIP is still up,
though it has been moved to the secondary router, yet the HW client still
detects a failure of the VPN tunnel itself, through DPD or keepalives, and
then tries to reestablish the tunnel automatically.

The SW client though doesn't detect this tunnel failure. Even though the
VIP is up, I would have hoped it would have been smart enough to detect
that the tunnel is down and attempt reconnection, this time to secondary
router, but it doesn't seem to be able to and just times out.

Thanks
Ben

On Tue, May 15, 2012 at 2:02 AM, Bruno Silva <[email protected]> wrote:

> Correct me if I am wrong Piotr, but the reason why the client will not
> reconnect automatically is because the VIP will still be up because it changed
> to the stand-by router. The problem here is that since the routers are not
> stateful they will not replicate their VPN connections so the VPN session
> will not be present on the new active router. But since the VIP is still up
> the client will not detect that the active router has changed.
>
>
> 2012/5/14 Piotr Matusiak <[email protected]>
>
>>   Hi Ben,
>>
>> Software client will not reconnect automatically. You must manually click
>> to connect again.
>> HW client has a mode called ‘auto’ so that it continuously tries to
>> reconnect.
>>
>> Regards,
>> Piotr
>>
>>
>>  *From:* Ben Shaw <[email protected]>
>> *Sent:* Saturday, May 05, 2012 4:09 PM
>> *To:* [email protected]
>> *Subject:* [OSL | CCIE_Security] IOS IPSec HA with HSRP and RRI
>>
>> Hi All
>>
>> I am labbing up a couple of 1800s to use in a stateless HA pair for
>> IPSec/Easy VPN. At the moment I am using crypto maps.
>>
>> Targeting the HSRP address of the 1800s, my 871 Easy VPN client detects
>> when the tunnel goes down as a result of the HSRP VIP changing to the
>> secondary 1800 when an interface fails on the primary 1800. When the
>> interface comes back and preempt causes the HSRP roles to change back, the
>> 871 client again detects the dead peer and recreates a tunnel to the active
>> 1800.
>>
>> I am wondering though if this can be done with the IPSec Client? I am
>> connecting to the same group with the IPSec client and when I failover the
>> HSRP routers the client's tunnel eventually just times out but it does not
>> automatically try and reconnect like the 871 does. Should I expect this to
>> occur or is this automatic reconnection unique to hardware VPN tunnels?
>>
>> Thanks
>> Ben
>>
>> ------------------------------
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
>>
>>
>
>
>
> --
> Bruno Silva
> Network Consultant
> Cisco CCNA/CCDA/CCNP/CCDP/CCSP Certified
> Arcsight Professional Certified - ACIA/ACSA
>
>