Re: Help with VPN high-availability with HSRP

From: Kal Han (calikali2006@gmail.com)
Date: Fri Nov 24 2006 - 22:23:13 ART


Hi
Thanks for your replies.
Here is my topology (R1 is active).
HSRP is enabled on the interfaces facing the PIX.
I am providing the PIX config below.

                        |-----R1-----|
----cat-----PIX------| |-------R3
                        |-----R2-----|

I configured the VPN between the PIX and the R1/R2 virtual IP address.
This is TrinetNT SuperLab-5 Section 11.3.
The question asked to redistribute the routes created by
reverse-route using EIGRP. So I am running EIGRP between
R1, R2 and R3, and redistributing static on R1 and R2.
Even if I remove EIGRP completely and use only OSPF, the
behavior is the same.

I have now removed EIGRP and tried again.

Given my topology, R3 has two equal-metric routes to reach the catalyst.
Does R3 load balance between R1 and R2?
(From what I know, only one router should be used, but I don't see that.
Is there anything wrong with my HSRP config? The "show standby" output
shows the expected output.)
If so, will both R1 and R2 have SAs with the PIX, meaning there will be two
IKE SAs on the PIX? (This is what is happening.)
Or should it be only one SA, to whichever is the active router?
I don't know this stuff. It looks like both R1 and R2 are trying to bring
up the tunnel when I ping from Cat -> R3. R1 is successful in its attempt;
R2 is failing. The only debug output I get on the failing router R2 is:

R2#
*Mar 1 00:11:23.931: IPSEC(sa_request): ,
  (key eng. msg.) OUTBOUND local= 195.1.112.12, remote= 195.1.112.10,
    local_proxy= 195.1.123.0/255.255.255.0/0/0 (type=4),
    remote_proxy= 172.16.2.0/255.255.255.0/0/0 (type=4),
    protocol= ESP, transform= esp-des esp-sha-hmac ,
    lifedur= 3600s and 4608000kb,
    spi= 0xF6302F18(4130352920), conn_id= 0, keysize= 0, flags= 0x400A
*Mar 1 00:11:23.931: ISAKMP: received ke message (1/1)
*Mar 1 00:11:23.931: ISAKMP (0:0): SA request profile is (NULL)
*Mar 1 00:11:23.931: ISAKMP: local port 500, remote port 500
*Mar 1 00:11:23.935: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 00:11:23.935: ISAKMP: insert sa successfully sa = 82EB5AD8
*Mar 1 00:11:23.935: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
*Mar 1 00:11:23.935: ISAKMP: Looking for a matching key for 195.1.112.10 in default : success
*Mar 1 00:11:23.935: ISAKMP (0:1): found peer pre-shared key matching 195.1.112.10
R2#
*Mar 1 00:11:23.935: ISAKMP (0:1): constructed NAT-T vendor-03 ID
*Mar 1 00:11:23.939: ISAKMP (0:1): constructed NAT-T vendor-02 ID
*Mar 1 00:11:23.939: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 1 00:11:23.939: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1

*Mar 1 00:11:23.939: ISAKMP (0:1): beginning Main Mode exchange
*Mar 1 00:11:23.939: ISAKMP (0:1): sending packet to 195.1.112.10 my_port 500 peer_port 500 (I) MM_NO_STATE
R2#
*Mar 1 00:11:33.939: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar 1 00:11:33.939: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
*Mar 1 00:11:33.939: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar 1 00:11:33.939: ISAKMP (0:1): sending packet to 195.1.112.10 my_port 500 peer_port 500 (I) MM_NO_STATE

Should I see the static route (reverse-route) created on both the
active and standby routers? I don't see the static route on the standby
router.
Ping output on the CAT in the topology looks like this
when I ping R3 from the CAT:
3750-Switch#ping 195.1.123.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 195.1.123.3, timeout is 2 seconds:
.!.!. ( <------------------------------------ )

PIX Config
pixfirewall(config)# sh run | in crypto
crypto ipsec transform-set ts esp-des esp-sha-hmac
crypto map cm 10 ipsec-isakmp
crypto map cm 10 match address vpn
crypto map cm 10 set peer 195.1.112.12
crypto map cm 10 set transform-set ts
crypto map cm interface outside
pixfirewall(config)#
pixfirewall(config)#
pixfirewall(config)# sh isak
isakmp enable outside
isakmp key ******** address 195.1.112.12 netmask 255.255.255.255
isakmp identity address
isakmp keepalive 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
pixfirewall(config)#
pixfirewall(config)# sh cry isa sa
Total : 2
Embryonic : 1
        dst             src             state          pending  created
    195.1.112.10    195.1.112.12    MM_SA_SETUP    0        0
    195.1.112.12    195.1.112.10    QM_IDLE        0        1
pixfirewall(config)#

On 11/24/06, Petr Lapukhov <petr@internetworkexpert.com> wrote:
>
> Agree with Jens here, I just labbed the HA scenario from scratch (HSRP/RRI)
> and had no problems at all, actually. It does take some time for ISAKMP to
> renegotiate with the standby router, but aside from this everything works
> fine.
>
> Try labbing *only* the HA scenario in the most simplified environment, and
> the debugging output when you shut down the primary router..
>
> 2006/11/24, Jens Petter <jenseike@start.no>:
> >
> > What do you mean by "only half of my traffic is working fine"... only the
> > active router should send at one time. Only when you shut down the primary
> > VPN router should the standby come up, after the standby HSRP comes up..
> >
> > How does this have anything to do with the standby router? :
> > Ping output looks like this:
> > 3750-Switch#ping 195.1.123.3
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 195.1.123.3, timeout is 2 seconds:
> > .!.!. ( <------------------------------------ )
> >
> > Is this on the standby router??:. Does the tunnel go up/down, since you
> > are getting some packets through...
> >
> > Maybe paste in to us the VPN config on the other side also. Check
> > connectivity. Why two routing protocols on the same interface?? Why don't
> > you just redistribute that static directly into OSPF..
> >
> > I think you have a much more basic problem here than a problem with HA
> >
> > Now, have you tested the VPN peering between your standby router and
> > the other side of the VPN.. Doesn't look like you have good peering here.
> > When you set up HA VPN you should first test both VPN peerings, make sure
> > they work fine and that you get your reverse route up before you start
> > configuring the HA feature..
> >
> > I have set up HA VPN many times, have never had any problems, so please
> > show your whole config. Don't think you have a problem on the side you are
> > showing here, at least not with HA VPN... You should check why you don't
> > get that reverse route out to the routing table.. and why you don't have
> > ISAKMP peering. That is your problem.
> >
> >
> > Mvh
> > Jens Petter Eikeland
> > Mob 98247550
> > Hipercom AS
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> > Kal
> > Han
> > Sent: 24. november 2006 05:36
> > To: Groupstudy; Cisco certification
> > Subject: Help with VPN high-availability with HSRP
> >
> > Hi
> > I am trying to set up VPN HA using HSRP.
> > (R1 is the active router and R2 is the standby.)
> > After I configure everything, only half of my traffic is working fine.
> > The standby router is always the problem!
> > Out of the two routers that are part of the HA pair, only one is actually
> > able to successfully encrypt and decrypt the traffic. The other (standby
> > router) is in this type of state:
> >
> > R2#sh cry isa sa
> > dst src state conn-id slot
> > 195.1.112.10 195.1.112.12 MM_NO_STATE 1 0
> >
> >
> > Ping output looks like this:
> > 3750-Switch#ping 195.1.123.3
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 195.1.123.3, timeout is 2 seconds:
> > .!.!. ( <------------------------------------ )
> >
> > Not sure what's wrong, and why the second router is not able to build up
> > the tunnel.
> > Has anyone seen this kind of problem?
> >
> > I am running OSPF throughout the network, and I am using EIGRP to
> > redistribute the static routes created by "reverse-route injection".
> >
> > On my active router:
> > R1#sroute stat
> > 172.16.0.0/24 is subnetted, 2 subnets
> > S 172.16.2.0 [1/0] via 195.1.112.10 <---- from my crypto access-list
> > R1#
> >
> > On my standby router:
> >
> > R2#sroute stat
> >
> > R2# <<<<<<< NO static routes seen here. >>>>>>
> >
> > I am attaching both the router configs.
> >
> > Any help is really appreciated. I tried this multiple times over a
> > period of time. I had the same problem always. I am doing something
> > wrong. I looked at online help but couldn't progress much further.
> >
> > R1#sh cry isa sa
> > dst src state conn-id slot
> > 195.1.112.12 195.1.112.10 QM_IDLE 1 0
> >
> > R2#sh cry isa sa
> > dst src state conn-id slot
> > 195.1.112.10 195.1.112.12 MM_NO_STATE 1 0
> >
> >
> >
> > R1#sh run
> > Building configuration...
> >
> > Current configuration : 2461 bytes
> > !
> > version 12.2
> > service timestamps debug datetime msec
> > service timestamps log datetime msec
> > no service password-encryption
> > !
> > hostname R1
> > !
> > logging queue-limit 100
> > !
> > memory-size iomem 10
> > aaa new-model
> > !
> > !
> > aaa authentication login default group tacacs+
> > aaa authentication login NONE none
> > aaa authorization auth-proxy default group tacacs+
> > aaa session-id common
> > ip subnet-zero
> > !
> > !
> > no ip domain lookup
> > !
> > ip auth-proxy auth-cache-time 15
> > ip auth-proxy name AP http
> > ip audit notify log
> > ip audit po max-events 100
> > !
> > !
> > !
> > crypto isakmp policy 10
> > hash md5
> > authentication pre-share
> > group 2
> > crypto isakmp key cceisec address 195.1.112.10
> > crypto isakmp keepalive 10
> > !
> > !
> > crypto ipsec transform-set ts esp-des esp-sha-hmac
> > !
> > crypto map cm 10 ipsec-isakmp
> > set peer 195.1.112.10
> > set transform-set ts
> > match address 180
> > reverse-route
> > !
> > !
> > no voice hpi capture buffer
> > no voice hpi capture destination
> > !
> > !
> > mta receive maximum-recipients 0
> > !
> > !
> > interface Loopback0
> > ip address 11.11.11.11 255.255.255.0
> > !
> > interface FastEthernet0/0
> > ip address 195.1.123.1 255.255.255.0
> > ip ospf message-digest-key 1 md5 cciesec
> > duplex auto
> > speed auto
> > !
> > interface FastEthernet0/1
> > ip address 195.1.112.1 255.255.255.0
> > ip auth-proxy AP
> > ip ospf message-digest-key 1 md5 cciesec
> > ip ospf priority 255
> > duplex auto
> > speed auto
> > standby ip 195.1.112.12
> > standby priority 105
> > standby preempt
> > standby name HI
> > crypto map cm redundancy HI
> > !
> > router eigrp 123
> > redistribute static
> > network 195.1.112.0
> > network 195.1.123.0
> > no auto-summary
> > !
> > router ospf 1
> > router-id 11.11.11.11
> > log-adjacency-changes
> > no capability lls
> > area 0 authentication message-digest
> > network 11.11.11.0 0.0.0.255 area 0
> > network 195.1.112.0 0.0.0.255 area 0
> > network 195.1.123.0 0.0.0.255 area 0
> > !
> > ip http server
> > no ip http secure-server
> > ip classless
> > ip tacacs source-interface Loopback0
> > !
> > !
> > !
> > access-list 180 permit ip 195.1.123.0 0.0.0.255 172.16.2.0 0.0.0.255
> > !
> > tacacs-server host 195.1.112.100 key mykey
> > tacacs-server directed-request
> > radius-server authorization permit missing Service-Type
> > call rsvp-sync
> > !
> > !
> > mgcp profile default
> > !
> > dial-peer cor custom
> > !
> > !
> > line con 0
> > exec-timeout 0 0
> > logging synchronous
> > login authentication NONE
> > line aux 0
> > line vty 0 4
> > login authentication NONE
> > !
> > !
> >
> > ************************************************************
> >
> > ************************************************************
> >
> > R2#sh run
> > Building configuration...
> >
> > Current configuration : 2479 bytes
> > !
> > version 12.2
> > service timestamps debug datetime msec
> > service timestamps log datetime msec
> > no service password-encryption
> > !
> > hostname R2
> > !
> > logging queue-limit 100
> > !
> > memory-size iomem 10
> > aaa new-model
> > !
> > !
> > aaa authentication login default group tacacs+
> > aaa authentication login NONE none
> > aaa authorization auth-proxy default group tacacs+
> > aaa session-id common
> > ip subnet-zero
> > !
> > !
> > no ip domain lookup
> > !
> > ip auth-proxy auth-cache-time 15
> > ip auth-proxy name AP http
> > ip audit notify log
> > ip audit po max-events 100
> > !
> > !
> > !
> > crypto isakmp policy 10
> > hash md5
> > authentication pre-share
> > group 2
> > crypto isakmp key cceisec address 195.1.112.10
> > crypto isakmp keepalive 10
> > !
> > !
> > crypto ipsec transform-set ts esp-des esp-sha-hmac
> > !
> > crypto map cm 10 ipsec-isakmp
> > set peer 195.1.112.10
> > set transform-set ts
> > match address 180
> > reverse-route
> > !
> > !
> > !
> > no voice hpi capture buffer
> > no voice hpi capture destination
> > !
> > !
> > mta receive maximum-recipients 0
> > !
> > !
> > !
> > !
> > interface Loopback0
> > ip address 22.22.22.22 255.255.255.0
> > !
> > interface FastEthernet0/0
> > ip address 195.1.123.2 255.255.255.0
> > ip ospf message-digest-key 1 md5 cciesec
> > duplex auto
> > speed auto
> > !
> > interface Serial0/0
> > no ip address
> > shutdown
> > no fair-queue
> > !
> > interface FastEthernet0/1
> > ip address 195.1.112.2 255.255.255.0
> > ip auth-proxy AP
> > ip ospf message-digest-key 1 md5 cciesec
> > duplex auto
> > speed auto
> > standby ip 195.1.112.12
> > standby preempt
> > standby name HI
> > crypto map cm redundancy HI
> > !
> > router eigrp 123
> > redistribute static
> > network 195.1.112.0
> > network 195.1.123.0
> > no auto-summary
> > !
> > router ospf 1
> > router-id 22.22.22.22
> > log-adjacency-changes
> > no capability lls
> > area 0 authentication message-digest
> > network 22.22.22.0 0.0.0.255 area 0
> > network 195.1.112.0 0.0.0.255 area 0
> > network 195.1.123.0 0.0.0.255 area 0
> > !
> > ip http server
> > no ip http secure-server
> > ip classless
> > ip tacacs source-interface Loopback0
> > !
> > !
> > !
> > access-list 180 permit ip 195.1.123.0 0.0.0.255 172.16.2.0 0.0.0.255
> > !
> > tacacs-server host 195.1.112.100 key mykey
> > tacacs-server directed-request
> > radius-server authorization permit missing Service-Type
> > call rsvp-sync
> > !
> > !
> > mgcp profile default
> > !
> > dial-peer cor custom
> > !
> > !
> > line con 0
> > exec-timeout 0 0
> > logging synchronous
> > login authentication NONE
> > line aux 0
> > line vty 0 4
> > login authentication NONE
> > !
> > !
> > end
> >
> > R2#
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
> >
>
>
>
> --
> Petr Lapukhov, CCIE #16379
> petr@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Outside US: 775-826-4344
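An added example, not from the thread or any of the posters: a small parser for the "show crypto isakmp sa" output quoted above (R1, R2 and the PIX, constructed here from the thread) that flags the two things being chased in this thread: an IKE SA that never reaches QM_IDLE, and a standby HSRP router holding any SA for the virtual IP at all. The VIP 195.1.112.12 is taken from the "standby ip" line of the R1/R2 configs.

```python
import re
from dataclasses import dataclass

# Constructed samples: the 'show crypto isakmp sa' output quoted in this thread
# for R1, R2 and the PIX, kept as pasted (the PIX rows carry the mail client's
# stray '*' markers, which the parser tolerates).
R1_OUT = """dst src state conn-id slot
195.1.112.12 195.1.112.10 QM_IDLE 1 0
"""
R2_OUT = """dst src state conn-id slot
195.1.112.10 195.1.112.12 MM_NO_STATE 1 0
"""
PIX_OUT = """Total : 2
Embryonic : 1
        dst src state pending created
    *195.1.112.10 195.1.112.12 MM_SA_SETUP 0 0
  * 195.1.112.12 195.1.112.10 QM_IDLE 0 1
"""
HSRP_VIP = "195.1.112.12"  # 'standby ip' from the R1/R2 configs in the thread

@dataclass
class IkeSa:
    dst: str
    src: str
    state: str

# One SA row: optional stray '*', then dst IP, src IP and the IKE state.
ROW = re.compile(r"^\s*\*?\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)")

def parse_isakmp_sa(text):
    """Extract (dst, src, state) rows from IOS or PIX 'show crypto isakmp sa' output."""
    return [IkeSa(*m.groups()) for line in text.splitlines() if (m := ROW.match(line))]

def audit(device, text, vip=HSRP_VIP, is_active=True):
    """Return findings for one device.  Any SA not in QM_IDLE is an IKE negotiation
    that has not completed (MM_NO_STATE / MM_SA_SETUP in the thread).  For an
    HSRP/RRI pair only the active router should hold an SA involving the VIP,
    so on a standby router any SA that references the VIP is reported too."""
    findings = []
    for sa in parse_isakmp_sa(text):
        if sa.state != "QM_IDLE":
            findings.append(f"{device}: SA {sa.src}->{sa.dst} not established ({sa.state})")
        if not is_active and vip in (sa.src, sa.dst):
            findings.append(f"{device}: standby router holds an SA for HSRP VIP {vip}")
    return findings

if __name__ == "__main__":
    for line in (audit("R1", R1_OUT) + audit("R2", R2_OUT, is_active=False)
                 + audit("PIX", PIX_OUT)):
        print(line)
```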



This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:48 ART