Re: Help with VPN high-availability with HSRP

From: Petr Lapukhov (petr@internetworkexpert.com)
Date: Fri Nov 24 2006 - 05:13:35 ART


Agree with Jens here, I just labbed an HA scenario from scratch (HSRP/RRI)
and had no problems at all, actually. It does take some time for ISAKMP to
renegotiate with the standby router, but aside from this everything works fine.

Try labbing *only* the HA scenario in the most simplified environment, and
check the debugging output when you shut down the primary router..

2006/11/24, Jens Petter <jenseike@start.no>:
>
> What do you mean by "only half of my traffic is working fine"... only the
> active router should send at one time. Only when you shut down the primary
> VPN should the standby come up, after the standby HSRP comes up..
>
> How does this have anything to do with the standby router? :
> *Ping Output looks like this*
> 3750-Switch#ping 195.1.123.3
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 195.1.123.3, timeout is 2 seconds:
> *.!.!. ( <------------------------------------ )*
>
> Is this on the standby router?? Does the tunnel go up/down, since you are
> getting some packets through...
>
> Maybe paste the VPN config on the other side for us as well. Check
> connectivity. Why two routing protocols on the same interface?? Why don't
> you just redistribute that static directly into OSPF..
>
> I think you have a much more basic problem here than a problem with HA
>
> Now, have you tested the VPN peering between your standby router and
> the other side of the VPN.. Doesn't look like you have good peering here.
> When you set up HA VPN you should first test both VPN peerings, make sure
> they work fine and that you get your reverse route up before you start
> configuring the HA feature..
>
> I have set up HA VPN many times, have never had any problems, so please
> show your whole config. Don't think you have a problem on the side you are
> showing here, at least not with HA VPN... You should check why you don't
> get that reverse route out to the routing table.. and why you don't have
> ISAKMP peering. That is your problem
>
>
> Best regards
> Jens Petter Eikeland
> Mob 98247550
> Hipercom AS
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Kal Han
> Sent: 24 November 2006 05:36
> To: Groupstudy; Cisco certification
> Subject: Help with VPN high-availability with HSRP
>
> Hi
> I am trying to set up VPN HA using HSRP.
> (R1 is the active router and R2 is standby)
> After I configure everything, only half of my traffic is working fine.
> The standby router is always the problem!
> Of the two routers that are part of HA, only one is actually able to
> successfully encrypt and decrypt the traffic. The other (standby router) is in
> R2#sh cry isa sa
> dst src state conn-id slot
> 195.1.112.10 195.1.112.12 *MM_NO_STATE* 1 0
>
> type of state.
>
> *Ping Output looks like this*
> 3750-Switch#ping 195.1.123.3
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 195.1.123.3, timeout is 2 seconds:
> *.!.!. ( <------------------------------------ )*
>
> Not sure what's wrong, and why the second router is not able to build up
> the tunnel.
> Has anyone seen this kind of problem?
>
> I am running OSPF throughout the network, and I am using EIGRP to
> redistribute the static routes created by "reverse-route injection".
>
> On my active router:
> R1#sroute stat
> 172.16.0.0/24 is subnetted, 2 subnets
> S 172.16.2.0 [1/0] via 195.1.112.10 *<---- from my crypto access-list*
> R1#
>
> *On my standby router*
>
> R2#sroute stat
>
> *R2# <<<<<<< NO static routes seen here. >>>>>>*
>
> I am attaching both the router configs.
>
> Any help is really appreciated. I tried this multiple times over a
> period of time. I had the same problem always. I am doing something
> wrong. I looked at online help but couldn't progress much further.
>
> R1#sh cry isa sa
> dst src state conn-id slot
> 195.1.112.12 195.1.112.10 QM_IDLE 1 0
>
> R2#sh cry isa sa
> dst src state conn-id slot
> 195.1.112.10 195.1.112.12 MM_NO_STATE 1 0
>
>
>
> R1#sh run
> Building configuration...
>
> Current configuration : 2461 bytes
> !
> version 12.2
> service timestamps debug datetime msec
> service timestamps log datetime msec
> no service password-encryption
> !
> hostname R1
> !
> logging queue-limit 100
> !
> memory-size iomem 10
> aaa new-model
> !
> !
> aaa authentication login default group tacacs+
> aaa authentication login NONE none
> aaa authorization auth-proxy default group tacacs+
> aaa session-id common
> ip subnet-zero
> !
> !
> no ip domain lookup
> !
> ip auth-proxy auth-cache-time 15
> ip auth-proxy name AP http
> ip audit notify log
> ip audit po max-events 100
> !
> !
> !
> crypto isakmp policy 10
> hash md5
> authentication pre-share
> group 2
> crypto isakmp key cceisec address 195.1.112.10
> crypto isakmp keepalive 10
> !
> !
> crypto ipsec transform-set ts esp-des esp-sha-hmac
> !
> crypto map cm 10 ipsec-isakmp
> set peer 195.1.112.10
> set transform-set ts
> match address 180
> reverse-route
> !
> !
> no voice hpi capture buffer
> no voice hpi capture destination
> !
> !
> mta receive maximum-recipients 0
> !
> !
> interface Loopback0
> ip address 11.11.11.11 255.255.255.0
> !
> interface FastEthernet0/0
> ip address 195.1.123.1 255.255.255.0
> ip ospf message-digest-key 1 md5 cciesec
> duplex auto
> speed auto
> !
> interface FastEthernet0/1
> ip address 195.1.112.1 255.255.255.0
> ip auth-proxy AP
> ip ospf message-digest-key 1 md5 cciesec
> ip ospf priority 255
> duplex auto
> speed auto
> standby ip 195.1.112.12
> standby priority 105
> standby preempt
> standby name HI
> crypto map cm redundancy HI
> !
> router eigrp 123
> redistribute static
> network 195.1.112.0
> network 195.1.123.0
> no auto-summary
> !
> router ospf 1
> router-id 11.11.11.11
> log-adjacency-changes
> no capability lls
> area 0 authentication message-digest
> network 11.11.11.0 0.0.0.255 area 0
> network 195.1.112.0 0.0.0.255 area 0
> network 195.1.123.0 0.0.0.255 area 0
> !
> ip http server
> no ip http secure-server
> ip classless
> ip tacacs source-interface Loopback0
> !
> !
> !
> access-list 180 permit ip 195.1.123.0 0.0.0.255 172.16.2.0 0.0.0.255
> !
> tacacs-server host 195.1.112.100 key mykey
> tacacs-server directed-request
> radius-server authorization permit missing Service-Type
> call rsvp-sync
> !
> !
> mgcp profile default
> !
> dial-peer cor custom
> !
> !
> line con 0
> exec-timeout 0 0
> logging synchronous
> login authentication NONE
> line aux 0
> line vty 0 4
> login authentication NONE
> !
> !
>
> ************************************************************
>
> ************************************************************
>
> R2#sh run
> Building configuration...
>
> Current configuration : 2479 bytes
> !
> version 12.2
> service timestamps debug datetime msec
> service timestamps log datetime msec
> no service password-encryption
> !
> hostname R2
> !
> logging queue-limit 100
> !
> memory-size iomem 10
> aaa new-model
> !
> !
> aaa authentication login default group tacacs+
> aaa authentication login NONE none
> aaa authorization auth-proxy default group tacacs+
> aaa session-id common
> ip subnet-zero
> !
> !
> no ip domain lookup
> !
> ip auth-proxy auth-cache-time 15
> ip auth-proxy name AP http
> ip audit notify log
> ip audit po max-events 100
> !
> !
> !
> crypto isakmp policy 10
> hash md5
> authentication pre-share
> group 2
> crypto isakmp key cceisec address 195.1.112.10
> crypto isakmp keepalive 10
> !
> !
> crypto ipsec transform-set ts esp-des esp-sha-hmac
> !
> crypto map cm 10 ipsec-isakmp
> set peer 195.1.112.10
> set transform-set ts
> match address 180
> reverse-route
> !
> !
> !
> no voice hpi capture buffer
> no voice hpi capture destination
> !
> !
> mta receive maximum-recipients 0
> !
> !
> !
> !
> interface Loopback0
> ip address 22.22.22.22 255.255.255.0
> !
> interface FastEthernet0/0
> ip address 195.1.123.2 255.255.255.0
> ip ospf message-digest-key 1 md5 cciesec
> duplex auto
> speed auto
> !
> interface Serial0/0
> no ip address
> shutdown
> no fair-queue
> !
> interface FastEthernet0/1
> ip address 195.1.112.2 255.255.255.0
> ip auth-proxy AP
> ip ospf message-digest-key 1 md5 cciesec
> duplex auto
> speed auto
> standby ip 195.1.112.12
> standby preempt
> standby name HI
> crypto map cm redundancy HI
> !
> router eigrp 123
> redistribute static
> network 195.1.112.0
> network 195.1.123.0
> no auto-summary
> !
> router ospf 1
> router-id 22.22.22.22
> log-adjacency-changes
> no capability lls
> area 0 authentication message-digest
> network 22.22.22.0 0.0.0.255 area 0
> network 195.1.112.0 0.0.0.255 area 0
> network 195.1.123.0 0.0.0.255 area 0
> !
> ip http server
> no ip http secure-server
> ip classless
> ip tacacs source-interface Loopback0
> !
> !
> !
> access-list 180 permit ip 195.1.123.0 0.0.0.255 172.16.2.0 0.0.0.255
> !
> tacacs-server host 195.1.112.100 key mykey
> tacacs-server directed-request
> radius-server authorization permit missing Service-Type
> call rsvp-sync
> !
> !
> mgcp profile default
> !
> dial-peer cor custom
> !
> !
> line con 0
> exec-timeout 0 0
> logging synchronous
> login authentication NONE
> line aux 0
> line vty 0 4
> login authentication NONE
> !
> !
> end
>
> R2#
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>

-- 
Petr Lapukhov, CCIE #16379
petr@internetworkexpert.com

Internetwork Expert, Inc. http://www.InternetworkExpert.com Toll Free: 877-224-8987 Outside US: 775-826-4344
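As an added check that is not part of the thread, the script below encodes Jens's advice in Python: it parses the HA-relevant lines of the two posted configs (constructed excerpts of R1 and R2), verifies that the HSRP VIP, standby name, crypto-map redundancy group, peer and pre-shared-key binding agree and that reverse-route is present, and tells you whether a `show crypto isakmp sa` state matches what the router's HSRP role should show. The remote peer's config is not on the page, so it is not checked.

```python
import re
# Constructed excerpts of the R1/R2 configs quoted in the thread, trimmed to
# the lines the checks below look at (R2 differs only by lacking a priority).
R1_CFG = """crypto isakmp key cceisec address 195.1.112.10
crypto map cm 10 ipsec-isakmp
 set peer 195.1.112.10
 reverse-route
interface FastEthernet0/1
 standby ip 195.1.112.12
 standby priority 105
 standby preempt
 standby name HI
 crypto map cm redundancy HI"""
R2_CFG = R1_CFG.replace(" standby priority 105\n", "")

PATTERNS = {"key_addr": r"crypto isakmp key \S+ address (\S+)",
            "peer": r"set peer (\S+)", "vip": r"standby ip (\S+)",
            "priority": r"standby priority (\d+)", "group": r"standby name (\S+)",
            "redundancy": r"crypto map \S+ redundancy (\S+)"}

def parse_ha(cfg):
    """Pull the HSRP/crypto-map fields that must agree across the HA pair."""
    f = {"priority": "100", "rri": False}  # IOS defaults when the line is absent
    for line in (l.strip() for l in cfg.splitlines()):
        f["rri"] |= line == "reverse-route"
        for key, pat in PATTERNS.items():
            if m := re.fullmatch(pat, line):
                f[key] = m.group(1)
    f["priority"] = int(f["priority"])
    return f

def check_pair(a, b):
    """Problems that would stop a crypto-map HSRP pair from failing over cleanly."""
    problems = [f"{k} differs: {a.get(k)} vs {b.get(k)}"
                for k in ("vip", "group", "peer", "key_addr") if a.get(k) != b.get(k)]
    for name, f in (("A", a), ("B", b)):
        if f.get("redundancy") != f.get("group"):
            problems.append(f"{name}: crypto map redundancy group != standby name")
        if f.get("key_addr") != f.get("peer"):
            problems.append(f"{name}: pre-shared key not bound to the peer address")
        if not f["rri"]:
            problems.append(f"{name}: reverse-route missing, no static route is injected")
    if a["priority"] == b["priority"]:
        problems.append("equal HSRP priorities: active router is undefined")
    return problems

def isakmp_state_ok(role, state):
    """Jens's rule: only the HSRP-active router holds an ISAKMP SA (QM_IDLE)."""
    return state == "QM_IDLE" if role == "active" else state is None
```

Run against the posted configs, check_pair reports nothing, which matches the replies' view that the HA side looks fine; the MM_NO_STATE entry on the standby R2 is what isakmp_state_ok flags.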



This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:48 ART