Hi All, that document is about something different to my original question. It discusses IPSec Stateful HA with HSRP on the headend routers, where I am doing something more basic and moving the redundancy configuration to the remote device through the use of a backup server IP for fallback, so to speak.

Sorry, I can't post the configuration as I was doing this some time ago and have since deleted it, but all I can say is that what I was trying to achieve worked with an ASA 5505 but not with the classic IPSec SW client. The SW client required manual re-initiation of the tunnel, whereas the ASA does reconnect to the other headend router.

Anyway, I am happy to leave it at that on the assumption it should work with the client, though it wasn't doing that with me.

Thanks for the input.

Ben

On Tue, May 15, 2012 at 12:58 PM, Bruno Silva <[email protected]> wrote:
> Hi Piotr and Ben,
>
> Piotr, I do agree with your hint on the IPSEC HA, but this feature is not
> available to all platforms as the document below states:
>
> http://www.cisco.com/en/US/technologies/tk583/tk372/technologies_white_paper0900aecd80278edf.html
>
> What may be the problem here is the hardware not supporting the
> configuration.
>
> What do you guys think? Or better, Ben, by reading this doc can you say that
> your hardware supports it?
>
> Sent via iPhone
>
> On 14/05/2012, at 17:44, "Piotr Matusiak" <[email protected]> wrote:
>
> Once again, because I missed that you stated that you use HA config. It
> should work for both HW and SW client.
> SW client will not drop the tunnel but should now send the traffic to
> second router (now HSRP Active). This router should handle those packets if
> IPSec HA is correctly configured.
> If you see something different, please post your config.
> Also note that IPSec HA is not supported with DVTI and PKI.
>
> Regards,
> Piotr
>
> From: Ben Shaw <[email protected]>
> Sent: Monday, May 14, 2012 7:56 PM
> To: Bruno Silva <[email protected]>
> Cc: [email protected]
> Subject: Re: [OSL | CCIE_Security] IOS IPSec HA with HSRP and RRI
>
> Thanks for the input Piotr.
>
> Bruno, regarding your query, the same question could also be posed when
> the hardware client is used. In that scenario the VIP is still up,
> though it has been moved to the secondary router, yet the HW client still
> detects a failure of the VPN tunnel itself, through DPD or keepalives, and
> then tries to re-establish the tunnel automatically.
>
> The SW client though doesn't detect this tunnel failure. Even though the
> VIP is up, I would have hoped it would have been smart enough to detect
> that the tunnel is down and attempt reconnection, this time to the secondary
> router, but it doesn't seem to be able to and just times out.
>
> Thanks
> Ben
>
> On Tue, May 15, 2012 at 2:02 AM, Bruno Silva <[email protected]> wrote:
>
>> Correct me if I am wrong Piotr, but the reason why the client will not
>> reconnect automatically is because the VIP will still be up because it changed
>> to the stand-by router. The problem here is that since the routers are not
>> stateful they will not replicate their VPN connections, so the VPN session
>> will not be present on the new active router. But since the VIP is still up
>> the client will not detect that the active router has changed.
>>
>> 2012/5/14 Piotr Matusiak <[email protected]>
>>
>>> Hi Ben,
>>>
>>> Software client will not reconnect automatically. You must manually
>>> click to connect again.
>>> HW client has a mode called 'auto' so that it continuously tries to
>>> reconnect.
>>>
>>> Regards,
>>> Piotr
>>>
>>> From: Ben Shaw <[email protected]>
>>> Sent: Saturday, May 05, 2012 4:09 PM
>>> To: [email protected]
>>> Subject: [OSL | CCIE_Security] IOS IPSec HA with HSRP and RRI
>>>
>>> Hi All
>>>
>>> I am labbing up a couple of 1800s to use in a stateless HA pair for
>>> IPSec/Easy VPN. At the moment I am using crypto maps.
>>>
>>> Targeting the HSRP address of the 1800s, my 871 Easy VPN client detects
>>> when the tunnel goes down as a result of the HSRP VIP changing to the
>>> secondary 1800 when an interface fails on the primary 1800. When the
>>> interface comes back and preempt causes the HSRP roles to change back, the
>>> 871 client again detects the dead peer and recreates a tunnel to the active
>>> 1800.
>>>
>>> I am wondering though if this can be done with the IPSec Client? I am
>>> connecting to the same group with the IPSec client, and when I fail over the
>>> HSRP routers the client's tunnel eventually just times out, but it does not
>>> automatically try and reconnect like the 871 does. Should I expect this to
>>> occur, or is this automatic reconnection unique to hardware VPN tunnels?
>>>
>>> Thanks
>>> Ben
>>> ------------------------------
>>> _______________________________________________
>>> For more information regarding industry leading CCIE Lab training,
>>> please visit www.ipexpert.com
>>>
>>> Are you a CCNP or CCIE and looking for a job? Check out
>>> www.PlatinumPlacement.com
>>
>> --
>> Bruno Silva
>> Network Consultant
>> Cisco CCNA/CCDA/CCNP/CCDP/CCSP Certified
>> Arcsight Professional Certified - ACIA/ACSA
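As an added example (not a configuration anyone posted in this thread), here is a minimal IOS headend configuration for the stateless HSRP pair Ben describes: the crypto map is bound to the HSRP group name so IKE and IPsec terminate on the VIP, RRI injects a route for each connected client, periodic DPD lets the 871 detect the dead peer after a failover, and a backup gateway is pushed to Easy VPN remotes as the fallback peer Ben mentions. All addresses, names and keys are placeholders; headend B is assumed to be identical apart from its own interface address, the default standby priority, and headend A's address as its backup-gateway.

```ios
! Headend A (primary 1800). Placeholders: 203.0.113.0/24 = outside, 192.0.2.0/24 = client pool.
aaa new-model
aaa authentication login EZ-AUTH local
aaa authorization network EZ-GROUP local
username vpnuser secret PLACEHOLDER-PASSWORD
ip local pool EZ-POOL 192.0.2.10 192.0.2.100
!
crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
! DPD: probe every 10 s, retry every 3 s, so the HW client notices the dead peer after failover
crypto isakmp keepalive 10 3 periodic
!
crypto isakmp client configuration group EZVPN
 key PLACEHOLDER-GROUP-KEY
 pool EZ-POOL
! Pushed to Easy VPN remotes as a fallback peer: headend B's physical address (placeholder)
 backup-gateway 203.0.113.12
!
crypto isakmp profile EZ-PROF
 match identity group EZVPN
 client authentication list EZ-AUTH
 isakmp authorization list EZ-GROUP
 client configuration address respond
!
crypto ipsec transform-set EZ-TS esp-aes esp-sha-hmac
!
crypto dynamic-map EZ-DYN 10
 set transform-set EZ-TS
 set isakmp-profile EZ-PROF
! RRI: one static route per connected client, so LAN return traffic follows whichever router is active
 reverse-route
crypto map EZ-MAP 10 ipsec-isakmp dynamic EZ-DYN
!
interface FastEthernet0/0
 description Outside
 ip address 203.0.113.11 255.255.255.0
 standby 1 ip 203.0.113.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 name EZ-HA
! If the LAN interface fails, 110 - 20 drops below B's default 100 and the VIP moves to B
 standby 1 track FastEthernet0/1 20
! Bind the crypto map to the HSRP group: the peer address the clients see is the VIP
 crypto map EZ-MAP redundancy EZ-HA
```

After a failover, `show standby brief` and `show crypto session` on headend B should show it as HSRP active with the 871's session re-established, and `show ip route static` should show the RRI route for the client that moved.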
