Help with VPN high-availability with HSRP

From: Kal Han (calikali2006@gmail.com)
Date: Fri Nov 24 2006 - 01:36:04 ART


Hi,
I am trying to set up VPN HA using HSRP.
(R1 is the active router and R2 is the standby.)
After I configure everything, only half of my traffic is working fine.
The standby router is always the problem!
Out of the two routers in the HA setup, only one is actually able to successfully
encrypt and decrypt the traffic. The other (the standby router) is in this type of state:

R2#sh cry isa sa
dst src state conn-id slot
195.1.112.10 195.1.112.12 *MM_NO_STATE* 1 0

*Ping output looks like this*
3750-Switch#ping 195.1.123.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 195.1.123.3, timeout is 2 seconds:
*.!.!. ( <------------------------------------ )*

Not sure what's wrong, and why the second router is not able to build up the
tunnel.
Has anyone seen this kind of problem?

I am running OSPF throughout the network, and I am using EIGRP to redistribute
the static routes created by "reverse-route injection".

On my active router:
R1#sroute stat
     172.16.0.0/24 is subnetted, 2 subnets
S 172.16.2.0 [1/0] via 195.1.112.10 *<---- from my crypto access-list*
R1#

*On my standby router*

R2#sroute stat

*R2# <<<<<<< NO static routes seen here. >>>>>>*

I am attaching both the router configs.

Any help is really appreciated. I have tried this multiple times over a
period of time, and I always had the same problem. I am doing something
wrong. I looked at online help but couldn't progress much further.

R1#sh cry isa sa
dst src state conn-id slot
195.1.112.12 195.1.112.10 QM_IDLE 1 0

R2#sh cry isa sa
dst src state conn-id slot
195.1.112.10 195.1.112.12 MM_NO_STATE 1 0

R1#sh run
Building configuration...

Current configuration : 2461 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
logging queue-limit 100
!
memory-size iomem 10
aaa new-model
!
!
aaa authentication login default group tacacs+
aaa authentication login NONE none
aaa authorization auth-proxy default group tacacs+
aaa session-id common
ip subnet-zero
!
!
no ip domain lookup
!
ip auth-proxy auth-cache-time 15
ip auth-proxy name AP http
ip audit notify log
ip audit po max-events 100
!
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cceisec address 195.1.112.10
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set ts esp-des esp-sha-hmac
!
crypto map cm 10 ipsec-isakmp
 set peer 195.1.112.10
 set transform-set ts
 match address 180
 reverse-route
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
interface Loopback0
 ip address 11.11.11.11 255.255.255.0
!
interface FastEthernet0/0
 ip address 195.1.123.1 255.255.255.0
 ip ospf message-digest-key 1 md5 cciesec
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 195.1.112.1 255.255.255.0
 ip auth-proxy AP
 ip ospf message-digest-key 1 md5 cciesec
 ip ospf priority 255
 duplex auto
 speed auto
 standby ip 195.1.112.12
 standby priority 105
 standby preempt
 standby name HI
 crypto map cm redundancy HI
!
router eigrp 123
 redistribute static
 network 195.1.112.0
 network 195.1.123.0
 no auto-summary
!
router ospf 1
 router-id 11.11.11.11
 log-adjacency-changes
 no capability lls
 area 0 authentication message-digest
 network 11.11.11.0 0.0.0.255 area 0
 network 195.1.112.0 0.0.0.255 area 0
 network 195.1.123.0 0.0.0.255 area 0
!
ip http server
no ip http secure-server
ip classless
ip tacacs source-interface Loopback0
!
!
!
access-list 180 permit ip 195.1.123.0 0.0.0.255 172.16.2.0 0.0.0.255
!
tacacs-server host 195.1.112.100 key mykey
tacacs-server directed-request
radius-server authorization permit missing Service-Type
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 login authentication NONE
line aux 0
line vty 0 4
 login authentication NONE
!
!

************************************************************

************************************************************

R2#sh run
Building configuration...

Current configuration : 2479 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
logging queue-limit 100
!
memory-size iomem 10
aaa new-model
!
!
aaa authentication login default group tacacs+
aaa authentication login NONE none
aaa authorization auth-proxy default group tacacs+
aaa session-id common
ip subnet-zero
!
!
no ip domain lookup
!
ip auth-proxy auth-cache-time 15
ip auth-proxy name AP http
ip audit notify log
ip audit po max-events 100
!
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cceisec address 195.1.112.10
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set ts esp-des esp-sha-hmac
!
crypto map cm 10 ipsec-isakmp
 set peer 195.1.112.10
 set transform-set ts
 match address 180
 reverse-route
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
!
!
interface Loopback0
 ip address 22.22.22.22 255.255.255.0
!
interface FastEthernet0/0
 ip address 195.1.123.2 255.255.255.0
 ip ospf message-digest-key 1 md5 cciesec
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
 no fair-queue
!
interface FastEthernet0/1
 ip address 195.1.112.2 255.255.255.0
 ip auth-proxy AP
 ip ospf message-digest-key 1 md5 cciesec
 duplex auto
 speed auto
 standby ip 195.1.112.12
 standby preempt
 standby name HI
 crypto map cm redundancy HI
!
router eigrp 123
 redistribute static
 network 195.1.112.0
 network 195.1.123.0
 no auto-summary
!
router ospf 1
 router-id 22.22.22.22
 log-adjacency-changes
 no capability lls
 area 0 authentication message-digest
 network 22.22.22.0 0.0.0.255 area 0
 network 195.1.112.0 0.0.0.255 area 0
 network 195.1.123.0 0.0.0.255 area 0
!
ip http server
no ip http secure-server
ip classless
ip tacacs source-interface Loopback0
!
!
!
access-list 180 permit ip 195.1.123.0 0.0.0.255 172.16.2.0 0.0.0.255
!
tacacs-server host 195.1.112.100 key mykey
tacacs-server directed-request
radius-server authorization permit missing Service-Type
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 login authentication NONE
line aux 0
line vty 0 4
 login authentication NONE
!
!
end

R2#
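A consistency check over a pair of configs like the two above, as an added example that is not part of the original post (the stanzas embedded in it are constructed excerpts shaped like the FastEthernet0/1 stanzas of R1 and R2, and the function names are my own): it parses the HSRP and crypto-map bindings on each router and flags what must agree for `crypto map ... redundancy` to work (one bound interface per router, the redundancy name equal to the standby name, the same virtual IP on both, and distinct priorities so the active router is deterministic).

```python
# Constructed excerpts shaped like the FastEthernet0/1 stanzas of R1 and R2 in the post.
R1_CFG = """interface FastEthernet0/1
 standby ip 195.1.112.12
 standby priority 105
 standby name HI
 crypto map cm redundancy HI
router eigrp 123"""
R2_CFG = """interface FastEthernet0/1
 standby ip 195.1.112.12
 standby name HI
 crypto map cm redundancy HI"""

def hsrp_crypto_bindings(cfg):
    """Map interface name -> attrs for interfaces that carry both an HSRP VIP and a crypto map."""
    stanzas, cur = {}, None
    for line in cfg.splitlines():
        if line.startswith("interface "):
            cur = stanzas.setdefault(line.split()[1], {})
        elif not line.startswith(" "):
            cur = None  # any unindented line ends the interface stanza
        elif cur is not None:
            w = line.split()
            if w[:2] == ["standby", "ip"]:
                cur["vip"] = w[2]
            elif w[:2] == ["standby", "name"]:
                cur["hsrp_name"] = w[2]
            elif w[:2] == ["standby", "priority"]:
                cur["priority"] = int(w[2])
            elif w[:2] == ["crypto", "map"]:
                cur["crypto_map"] = w[2]
                cur["redundancy"] = w[w.index("redundancy") + 1] if "redundancy" in w else None
    return {i: a for i, a in stanzas.items() if "crypto_map" in a and "vip" in a}

def check_ha_pair(cfg_a, cfg_b):
    """Return findings (strings); an empty list means the HSRP/crypto-map binding is consistent."""
    findings = []
    bound = [hsrp_crypto_bindings(c) for c in (cfg_a, cfg_b)]
    for idx, b in enumerate(bound):
        if len(b) != 1:
            findings.append(f"router {idx}: expected one HSRP+crypto interface, found {len(b)}")
        for ifname, a in b.items():
            if a["redundancy"] != a.get("hsrp_name"):
                findings.append(f"router {idx} {ifname}: redundancy {a['redundancy']} != standby name {a.get('hsrp_name')}")
    if all(len(b) == 1 for b in bound):
        a, b = (next(iter(x.values())) for x in bound)
        if a["vip"] != b["vip"]:
            findings.append("HSRP virtual IP differs between the two routers")
        if a.get("priority", 100) == b.get("priority", 100):
            findings.append("equal HSRP priorities: active router is not deterministic")
    return findings
```

Feed it the FastEthernet0/1 stanzas of the real configs to confirm the binding itself is consistent before digging into ISAKMP state; an HSRP priority left at the default 100 on the standby is accepted, since it is lower than the active router's 105.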



This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:48 ART