Once again coz I missed that you stated that you use HA config. It should work
for both HW and SW client.
SW client will not drop the tunnel but should now send the traffic to second
router (now HSRP Active). This router should handle those packets if IPSec HA
is correctly configured.
If you see something different, please post your config.
Also note that IPSec HA is not supported with DVTI and PKI.
Regards,
Piotr
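As an added illustration of the stateless HSRP + RRI + crypto-map Easy VPN server setup this thread discusses (a constructed example, not any poster's configuration): interface names, 192.0.2.0/24 addresses, the pool, the group name and the key are placeholders. The crypto-map form is used deliberately, since IPsec HA is not available with DVTI, and the `stateful` keyword is omitted because the pair is stateless.

```cisco
! Constructed example: Easy VPN server on one router of a stateless HSRP pair.
! Placeholders: interface names, 192.0.2.0/24 addresses, EZPOOL, EZVPN, the key.
aaa new-model
aaa authentication login VPNAUTH local
aaa authorization network VPNAUTHZ local
username vpnuser secret <PLACEHOLDER>
ip local pool EZPOOL 10.10.10.1 10.10.10.50
!
crypto isakmp policy 10
 encryption aes
 hash sha
 authentication pre-share
 group 2
! DPD: lets a peer notice a dead tunnel even though the VIP stays reachable
crypto isakmp keepalive 10 periodic
!
crypto isakmp client configuration group EZVPN
 key <PLACEHOLDER>
 pool EZPOOL
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto dynamic-map DYN 10
 set transform-set TS
 ! RRI: a host route per client is injected on whichever router owns the SA
 reverse-route
!
crypto map VPN client authentication list VPNAUTH
crypto map VPN isakmp authorization list VPNAUTHZ
crypto map VPN client configuration address respond
crypto map VPN 10 ipsec-isakmp dynamic DYN
!
interface FastEthernet0/0
 ip address 192.0.2.2 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 name VPNHA
 standby 1 preempt
 standby 1 track FastEthernet0/1
 ! Bind the crypto map to the HSRP group so IKE/IPsec terminate on the VIP
 crypto map VPN redundancy VPNHA
!
! The second router carries the same configuration with its own interface
! address and a lower standby priority; clients always target 192.0.2.1.
```

Because the pair is stateless, the SA database is not replicated: after a failover the new Active router has no SA for the client, so reconnection depends on the client detecting the dead peer (DPD/keepalives), which is the behaviour difference between the hardware and software clients described in the thread.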
From: Ben Shaw
Sent: Monday, May 14, 2012 7:56 PM
To: Bruno Silva
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] IOS IPSec HA with HSRP and RRI
Thanks for the input Piotr.
Bruno, regarding your query, the same question could also be proposed to when
the hardware client is used. In that scenario the VIP is still up, though it
has been moved to the secondary router, yet the HW client still detects a
failure of the VPN tunnel itself, through DPD or keepalives and then tries to
re-establish the tunnel automatically.
The SW client though doesn't detect this tunnel failure. Even though the VIP is
up, I would have hoped it would have been smart enough to detect that the
tunnel is down and attempt reconnection, this time to secondary router, but it
doesn't seem to be able to and just times out.
Thanks
Ben
On Tue, May 15, 2012 at 2:02 AM, Bruno Silva <[email protected]> wrote:
Correct me if I am wrong Piotr but the reason why the client will not reconnect
automatically is because the VIP will still be up because it changed to the
stand-by router. The problem here is that since the routers are not stateful
they will not replicate their VPN connections so the VPN session will not be
present on the new active router. But since the VIP is still up the client will
not detect that the active router has changed.
2012/5/14 Piotr Matusiak <[email protected]>
Hi Ben,
Software client will not reconnect automatically. You must manually click
to connect again.
HW client has a mode called ‘auto’ so that it continuously tries to
reconnect.
Regards,
Piotr
From: Ben Shaw
Sent: Saturday, May 05, 2012 4:09 PM
To: [email protected]
Subject: [OSL | CCIE_Security] IOS IPSec HA with HSRP and RRI
Hi All
I am labbing up a couple of 1800s to use in a stateless HA pair for
IPSec/Easy VPN. At the moment I am using crypto maps.
Targeting the HSRP address of the 1800s, my 871 Easy VPN client detects
when the tunnel goes down as a result of the HSRP VIP changing to the secondary
1800 when an interface fails on the primary 1800. When the interface comes back
and preempt causes the HSRP roles to change back, the 871 client again detects
the dead peer and recreates a tunnel to the active 1800.
I am wondering though if this can be done with the IPSec Client? I am
connecting to the same group with the IPSec client and when I failover the HSRP
routers the client's tunnel eventually just times out but it does not
automatically try and reconnect like the 871 does. Should I expect this to
occur or is this automatic reconnection unique to hardware VPN tunnels?
Thanks
Ben
----------------------------------------------------------------------------
_______________________________________________
For more information regarding industry leading CCIE Lab training, please
visit www.ipexpert.com
Are you a CCNP or CCIE and looking for a job? Check out
www.PlatinumPlacement.com
--
Bruno Silva
Network Consultant
Cisco CCNA/CCDA/CCNP/CCDP/CCSP Certified
Arcsight Professional Certified - ACIA/ACSA