RE: Help with VPN high-availability with HSRP

From: Jens Petter (jenseike@start.no)
Date: Fri Nov 24 2006 - 04:59:27 ART


What do you mean by "only half of my traffic is working fine"... only the active
router should send at one time. Only when you shut down the primary VPN should the standby
come up, after the standby HSRP comes up..

How does this have anything to do with the standby router?:
*Ping Output looks like this*
3750-Switch#ping 195.1.123.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 195.1.123.3, timeout is 2 seconds:
*.!.!. ( <------------------------------------ )*

Is this on the standby router?? Does the tunnel go up/down, since you are
getting some packets through...

Maybe paste in to us the VPN config on the other side also. Check
connectivity. Why two routing protocols on the same interface?? Why don't you
just redistribute that static directly into OSPF..

I think you have a much more basic problem here than a problem with HA.

Now, have you tested the VPN peering between your standby router and
the other side of the VPN? Doesn't look like you have good peering here.
When you set up HA VPN you should first test both VPN peerings, make sure
they work fine and that you get your reverse route up before you start
configuring the HA feature..

I have set up HA VPN many times and have never had any problems, so please show
your whole config. I don't think you have a problem on the side you are
showing here, at least not with HA VPN... You should check why you don't get
that reverse route out to the routing table, and why you don't have ISAKMP
peering. That is your problem.

 
Mvh
Jens Petter Eikeland
Mob 98247550
Hipercom AS

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Kal
Han
Sent: 24. november 2006 05:36
To: Groupstudy; Cisco certification
Subject: Help with VPN high-availability with HSRP

Hi
I am trying to set up VPN HA using HSRP.
(R1 is the active router and R2 is standby.)
After I configure everything, only half of my traffic is working fine.
The standby router is always the problem!
Out of the two routers that are part of HA, only one is actually able to successfully
encrypt and decrypt the traffic. The other (standby router) is in this type of state:
R2#sh cry isa sa
dst src state conn-id slot
195.1.112.10 195.1.112.12 MM_NO_STATE 1 0

Ping output looks like this:
3750-Switch#ping 195.1.123.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 195.1.123.3, timeout is 2 seconds:
.!.!.   <------------------------------------

Not sure what's wrong, and why the second router is not able to build up the
tunnel.
Has anyone seen this kind of problem?

I am running OSPF throughout the network, and I am using EIGRP to redistribute
the static routes created by "reverse-route injection".

On my active router:
R1#sroute stat
     172.16.0.0/24 is subnetted, 2 subnets
S 172.16.2.0 [1/0] via 195.1.112.10     <---- from my crypto access-list
R1#

On my standby router:

R2#sroute stat

R2#    <<<<<<< NO static routes seen here. >>>>>>

I am attaching both the router configs.

Any help is really appreciated. I have tried this multiple times over a
period of time and have always had the same problem. I am doing something
wrong. I looked at online help but couldn't progress much further.

R1#sh cry isa sa
dst src state conn-id slot
195.1.112.12 195.1.112.10 QM_IDLE 1 0

R2#sh cry isa sa
dst src state conn-id slot
195.1.112.10 195.1.112.12 MM_NO_STATE 1 0

R1#sh run
Building configuration...

Current configuration : 2461 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
logging queue-limit 100
!
memory-size iomem 10
aaa new-model
!
!
aaa authentication login default group tacacs+
aaa authentication login NONE none
aaa authorization auth-proxy default group tacacs+
aaa session-id common
ip subnet-zero
!
!
no ip domain lookup
!
ip auth-proxy auth-cache-time 15
ip auth-proxy name AP http
ip audit notify log
ip audit po max-events 100
!
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cceisec address 195.1.112.10
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set ts esp-des esp-sha-hmac
!
crypto map cm 10 ipsec-isakmp
 set peer 195.1.112.10
 set transform-set ts
 match address 180
 reverse-route
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
interface Loopback0
 ip address 11.11.11.11 255.255.255.0
!
interface FastEthernet0/0
 ip address 195.1.123.1 255.255.255.0
 ip ospf message-digest-key 1 md5 cciesec
 duplex auto
 speed auto
!
interface FastEthernet0/1
 ip address 195.1.112.1 255.255.255.0
 ip auth-proxy AP
 ip ospf message-digest-key 1 md5 cciesec
 ip ospf priority 255
 duplex auto
 speed auto
 standby ip 195.1.112.12
 standby priority 105
 standby preempt
 standby name HI
 crypto map cm redundancy HI
!
router eigrp 123
 redistribute static
 network 195.1.112.0
 network 195.1.123.0
 no auto-summary
!
router ospf 1
 router-id 11.11.11.11
 log-adjacency-changes
 no capability lls
 area 0 authentication message-digest
 network 11.11.11.0 0.0.0.255 area 0
 network 195.1.112.0 0.0.0.255 area 0
 network 195.1.123.0 0.0.0.255 area 0
!
ip http server
no ip http secure-server
ip classless
ip tacacs source-interface Loopback0
!
!
!
access-list 180 permit ip 195.1.123.0 0.0.0.255 172.16.2.0 0.0.0.255
!
tacacs-server host 195.1.112.100 key mykey
tacacs-server directed-request
radius-server authorization permit missing Service-Type
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 login authentication NONE
line aux 0
line vty 0 4
 login authentication NONE
!
!

************************************************************

************************************************************

R2#sh run
Building configuration...

Current configuration : 2479 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
logging queue-limit 100
!
memory-size iomem 10
aaa new-model
!
!
aaa authentication login default group tacacs+
aaa authentication login NONE none
aaa authorization auth-proxy default group tacacs+
aaa session-id common
ip subnet-zero
!
!
no ip domain lookup
!
ip auth-proxy auth-cache-time 15
ip auth-proxy name AP http
ip audit notify log
ip audit po max-events 100
!
!
!
crypto isakmp policy 10
 hash md5
 authentication pre-share
 group 2
crypto isakmp key cceisec address 195.1.112.10
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set ts esp-des esp-sha-hmac
!
crypto map cm 10 ipsec-isakmp
 set peer 195.1.112.10
 set transform-set ts
 match address 180
 reverse-route
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
!
!
interface Loopback0
 ip address 22.22.22.22 255.255.255.0
!
interface FastEthernet0/0
 ip address 195.1.123.2 255.255.255.0
 ip ospf message-digest-key 1 md5 cciesec
 duplex auto
 speed auto
!
interface Serial0/0
 no ip address
 shutdown
 no fair-queue
!
interface FastEthernet0/1
 ip address 195.1.112.2 255.255.255.0
 ip auth-proxy AP
 ip ospf message-digest-key 1 md5 cciesec
 duplex auto
 speed auto
 standby ip 195.1.112.12
 standby preempt
 standby name HI
 crypto map cm redundancy HI
!
router eigrp 123
 redistribute static
 network 195.1.112.0
 network 195.1.123.0
 no auto-summary
!
router ospf 1
 router-id 22.22.22.22
 log-adjacency-changes
 no capability lls
 area 0 authentication message-digest
 network 22.22.22.0 0.0.0.255 area 0
 network 195.1.112.0 0.0.0.255 area 0
 network 195.1.123.0 0.0.0.255 area 0
!
ip http server
no ip http secure-server
ip classless
ip tacacs source-interface Loopback0
!
!
!
access-list 180 permit ip 195.1.123.0 0.0.0.255 172.16.2.0 0.0.0.255
!
tacacs-server host 195.1.112.100 key mykey
tacacs-server directed-request
radius-server authorization permit missing Service-Type
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
line con 0
 exec-timeout 0 0
 logging synchronous
 login authentication NONE
line aux 0
line vty 0 4
 login authentication NONE
!
!
end

R2#
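The two checks the reply asks for (is ISAKMP peering actually established on the router that should own it, and did reverse-route injection put the crypto-ACL destination into the static table) can be applied mechanically to pasted show output. The script below is an added example written for this archive page; it is not from either poster and not Cisco tooling. It parses `show crypto isakmp sa`, `show ip route static` and the crypto access-list as they appear in the thread, and reports what each HSRP role should and should not show. The sample outputs are constructed from the thread's own pastes; the role/peer/VIP arguments are supplied by the operator, nothing is queried from a live device.

```python
"""Triage helper for a Cisco IOS IPsec + HSRP ('crypto map ... redundancy') pair.

Added example for this thread: parses pasted 'show crypto isakmp sa',
'show ip route static' and the crypto ACL, then reports role-specific findings.
All sample data below is constructed from the mailing-list pastes.
"""
import ipaddress
import re

# IKEv1 states as printed by IOS 'show crypto isakmp sa'. QM_IDLE is the only
# healthy steady state; MM_*/AG_* are transient, so a peer that sits in one of
# them (MM_NO_STATE most often) never finished phase 1: no reply, wrong PSK,
# or mismatched policy.
PHASE1_COMPLETE = {"QM_IDLE"}
PHASE1_INCOMPLETE = {"MM_NO_STATE", "MM_SA_SETUP", "MM_KEY_EXCH", "MM_KEY_AUTH",
                     "AG_NO_STATE", "AG_INIT_EXCH", "AG_AUTH"}

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
SA_RE = re.compile(rf"^\s*(?P<dst>{IPV4})\s+(?P<src>{IPV4})\s+(?P<state>[A-Z_]+)\s+\d+\s+\d+")
ACE_RE = re.compile(rf"permit\s+ip\s+{IPV4}\s+{IPV4}\s+(?P<d>{IPV4})\s+(?P<dw>{IPV4})")
SUBNETTED_RE = re.compile(rf"^\s*{IPV4}/(?P<len>\d+) is subnetted")
STATIC_RE = re.compile(rf"^\s*S\s+(?P<net>{IPV4})(?:/(?P<len>\d+))?\s+\[")


def parse_isakmp_sa(text, local_ip):
    """Return [(remote_peer, state)]. IOS prints dst/src from the initiator's
    point of view, so the remote peer is whichever column is not our address."""
    out = []
    for line in text.splitlines():
        m = SA_RE.match(line)
        if m:
            remote = m["src"] if m["dst"] == local_ip else m["dst"]
            out.append((remote, m["state"]))
    return out


def rri_destinations(acl_text):
    """Prefixes reverse-route injection derives from the crypto ACL: the
    destination half of every permit ACE, wildcard mask converted to CIDR."""
    nets = set()
    for m in ACE_RE.finditer(acl_text):
        # ipaddress accepts the ACL's hostmask ('0.0.0.255') directly.
        nets.add(str(ipaddress.ip_network(f"{m['d']}/{m['dw']}")))
    return nets


def parse_static_routes(text):
    """Prefixes from 'show ip route static'. Child routes under an
    'is subnetted' header inherit that header's prefix length."""
    nets, cur_len = set(), None
    for line in text.splitlines():
        if h := SUBNETTED_RE.match(line):
            cur_len = h["len"]
        elif r := STATIC_RE.match(line):
            plen = r["len"] or cur_len
            if plen is not None:
                nets.add(str(ipaddress.ip_network(f"{r['net']}/{plen}")))
    return nets


def triage(role, local_ip, peer, isakmp_text, static_text, acl_text):
    """Findings for one router; 'role' is its HSRP state ('active'/'standby')."""
    findings = []
    sas = parse_isakmp_sa(isakmp_text, local_ip)
    if role == "active":
        if not any(p == peer and st in PHASE1_COMPLETE for p, st in sas):
            findings.append(f"active: no QM_IDLE ISAKMP SA with {peer}; phase 1 never completed")
        for p, st in sas:
            if st in PHASE1_INCOMPLETE:
                findings.append(f"active: SA with {p} stuck in {st}; check reachability, PSK and policy")
        for net in sorted(rri_destinations(acl_text) - parse_static_routes(static_text)):
            findings.append(f"active: no reverse route for {net} in the static table")
    else:
        # With 'crypto map <name> redundancy <group>' only the HSRP active router
        # owns the virtual address and negotiates IKE. Any SA on the standby means
        # it tried to negotiate on its own, which is a peering/routing problem,
        # not a failover one.
        for p, st in sas:
            findings.append(f"standby: unexpected ISAKMP SA with {p} in state {st}")
    return findings


# Constructed samples, taken from the outputs pasted in the thread.
VIP, PEER = "195.1.112.12", "195.1.112.10"
CRYPTO_ACL = "access-list 180 permit ip 195.1.123.0 0.0.0.255 172.16.2.0 0.0.0.255"
R1_ISAKMP = "dst src state conn-id slot\n195.1.112.12 195.1.112.10 QM_IDLE 1 0\n"
R2_ISAKMP = "dst src state conn-id slot\n195.1.112.10 195.1.112.12 MM_NO_STATE 1 0\n"
R1_STATIC = "     172.16.0.0/24 is subnetted, 2 subnets\nS       172.16.2.0 [1/0] via 195.1.112.10\n"
R2_STATIC = ""

if __name__ == "__main__":
    for host, role, sa, rt in (("R1", "active", R1_ISAKMP, R1_STATIC),
                               ("R2", "standby", R2_ISAKMP, R2_STATIC)):
        for f in triage(role, VIP, PEER, sa, rt, CRYPTO_ACL) or [f"{role}: looks consistent"]:
            print(f"{host}: {f}")
```

Run against the thread's pastes it reports R1 as consistent (QM_IDLE with the peer, 172.16.2.0/24 injected) and flags R2 for holding a half-open MM_NO_STATE SA it should not be negotiating at all, which is the point Jens makes in prose: the fault is in basic IKE peering from R2, not in the HSRP redundancy binding.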



This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:48 ART