
Thursday 7 January 2016

Ipsec on router (with HSRP failover) doesn't work after failover


This made me really scratch my head!

Here I am first trying to put a picture of the scenario:



This looks cool, so what's the problem?

Well, the problem is I have R1 and R2 running as HSRP peers. I also have IP SLA monitoring going on to check Internet connectivity; if Internet connectivity goes down, it will fail over.

R1 and R2 both have a tunnel with R3. Under normal circumstances both R1 and R2 show the tunnel as UP and Active, and I can reach the remote-end subnets from both R1 and R2 when sourcing the traffic from the inside interface.

Let's say there is some ongoing traffic over the tunnel, and for some reason R1 fails and failover occurs. R2 becomes the active router now, and VPN traffic works fine as well.

Now let's say there is no ongoing traffic over the tunnel, and for some reason R1 fails and failover occurs.
R2 becomes the active router now. If we then try to initiate traffic for the tunnel, it won't work; you can wait as long as you want, it just won't work. (Clearing the session was the only thing that would make it work: clear crypto session)

ON R2:
==========
So when I investigated further, I found that "sh cry ipsec sa peer 3.3.3.3" shows me encaps increasing but no decaps.

It starts making some sense now. So we are doing encaps and sending to the peer, but the peer is not sending anything back to us. WHY?

Let's take a look at the R3:
=====================
"Sh cry isa sa" on R3 shows that the ISAKMP SA with R1 is still UP, and there are IPsec SAs for it as well. R3 is still doing encaps for peer 1.1.1.1, which is no longer alive, but R3 doesn't know that.

Now the question comes, why doesn't R3 know R1 has gone down?

DPD: Dead Peer Detection

On R3 : sh run | in keepalive
crypto isakmp keepalive 30 5

The router supports two kinds of keepalives: 1. on-demand DPD and 2. periodic DPD.

This document really helped me to understand these two different kinds of keepalives:
https://supportforums.cisco.com/document/32546/dead-peer-detection

DPD is disabled by default on Cisco routers. When it is enabled without a mode keyword, the default mode is "on-demand".
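The symptom the post relies on (encaps increasing on R2 with decaps flat) and the configuration detail behind it (a keepalive line without the "periodic" keyword) are both things a monitoring script can check for you. The following Python script is an added example, not code from the original post or from Cisco: it parses two polls of "show crypto ipsec sa" output, flags any peer whose encaps counter grew while decaps did not move, and classifies a "crypto isakmp keepalive" line as on-demand or periodic. The sample output is constructed and trimmed to the fields used here, laid out like the IOS "show crypto ipsec sa" format; the peer addresses and counters are made up for the demonstration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: two polls of "show crypto ipsec sa" on R2, a few
# minutes apart, trimmed to the lines this check reads (IOS-style layout).
POLL_1 = """\
interface: GigabitEthernet0/0
    Crypto map tag: VPN-MAP, local addr 2.2.2.2

   local  ident (addr/mask/prot/port): (10.2.0.0/255.255.0.0/0/0)
   remote ident (addr/mask/prot/port): (10.3.0.0/255.255.0.0/0/0)
   current_peer 3.3.3.3 port 500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 100, #pkts encrypt: 100, #pkts digest: 100
    #pkts decaps: 100, #pkts decrypt: 100, #pkts verify: 100
"""

POLL_2 = POLL_1.replace("#pkts encaps: 100, #pkts encrypt: 100, #pkts digest: 100",
                        "#pkts encaps: 160, #pkts encrypt: 160, #pkts digest: 160")

# Constructed keepalive lines, as they would appear in "show run | in keepalive".
KEEPALIVE_ONDEMAND = "crypto isakmp keepalive 30 5"
KEEPALIVE_PERIODIC = "crypto isakmp keepalive 30 5 periodic"

PEER_RE = re.compile(r"current_peer\s+(\S+)")
ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")
KEEPALIVE_RE = re.compile(r"^crypto isakmp keepalive\s+(\d+)\s+(\d+)(\s+periodic)?\s*$")


def parse_sa_counters(output: str) -> Dict[str, Tuple[int, int]]:
    """Return {peer: (encaps, decaps)} from 'show crypto ipsec sa' text.

    A peer can own several SA blocks (one per crypto map entry); their
    counters are summed so that one peer gets one pair of totals.
    """
    counters: Dict[str, Tuple[int, int]] = {}
    peer: Optional[str] = None
    for line in output.splitlines():
        m = PEER_RE.search(line)
        if m:
            peer = m.group(1)
            counters.setdefault(peer, (0, 0))
            continue
        if peer is None:
            continue
        m = ENCAPS_RE.search(line)
        if m:
            enc, dec = counters[peer]
            counters[peer] = (enc + int(m.group(1)), dec)
            continue
        m = DECAPS_RE.search(line)
        if m:
            enc, dec = counters[peer]
            counters[peer] = (enc, dec + int(m.group(1)))
    return counters


def find_one_way_peers(before: Dict[str, Tuple[int, int]],
                       after: Dict[str, Tuple[int, int]],
                       min_delta: int = 1) -> List[str]:
    """Peers whose encaps grew between two polls while decaps stayed flat.

    That is exactly the picture the post describes on R2 after failover:
    we keep encrypting toward the peer, and nothing ever comes back.
    """
    suspects = []
    for peer, (enc_after, dec_after) in after.items():
        enc_before, dec_before = before.get(peer, (enc_after, dec_after))
        if enc_after - enc_before >= min_delta and dec_after == dec_before:
            suspects.append(peer)
    return suspects


def dpd_mode(config_line: str) -> Optional[dict]:
    """Classify a 'crypto isakmp keepalive <interval> <retry> [periodic]' line.

    Without the 'periodic' keyword IOS runs DPD on-demand, which is the
    default the post points out; a None result means the line did not match.
    """
    m = KEEPALIVE_RE.match(config_line.strip())
    if not m:
        return None
    return {"interval": int(m.group(1)), "retry": int(m.group(2)),
            "mode": "periodic" if m.group(3) else "on-demand"}


if __name__ == "__main__":
    before, after = parse_sa_counters(POLL_1), parse_sa_counters(POLL_2)
    for peer in find_one_way_peers(before, after):
        print(f"one-way IPsec SA toward {peer}: encaps up, decaps flat")
    for line in (KEEPALIVE_ONDEMAND, KEEPALIVE_PERIODIC):
        info = dpd_mode(line)
        print(f"{line!r} -> DPD mode {info['mode']}")
```

Run on real devices, the two polls would come from the same "show crypto ipsec sa" command a few minutes apart; a peer reported as one-way together with an on-demand keepalive line is the combination this post ran into.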

Here is how I fixed it:
==================
Changed the keepalive mode to periodic:
conf t
crypto isakmp keepalive 30 5 periodic

Voila!

Thanks to the periodic keepalive feature.
