From: Jens Petter (jenseike@start.no)
Date: Sat Nov 25 2006 - 00:46:58 ART
You can not load-balance the route that you receive via RRI to the switch network. That would not work; you have to make sure your primary HSRP router is the one that has the best metric to this (as long as this router's VPN is up).

I am sure that this is part of your problem here. On the primary router you should see the route as a static, but on the standby router you need to make sure you learn this from R1 via your dynamic routing protocols. In your case you should, on the standby router, see 172.16.0.0/24 as an external EIGRP route (the one you redistribute into EIGRP on your primary), and not as a static route. This you should only see when this router becomes active.. Only when your primary goes down should you see this as a static route on your standby. Also on R3 you need to see this route only coming from your primary.. This route can not load-balance using this type of technology, VPN HA together with HSRP.. IPsec HA would make sure that when the standby router comes up, RRI would go into effect on this router. Not before..

And, NO - you should only see one isakmp SA on the PIX, one with 195.1.112.12 as peer. For R1 and R2, only the active HSRP router at the time should ever have the VPN up at any time.

I still think that you have a routing problem here; you are not matching your routing to the HSRP/VPN config. You need to think in a little bigger picture here than you do when you only configure VPNs..

I would still like to see your other router and PIX configs too..

I did not think that using only EIGRP or OSPF was going to solve it, I just found it strange you used both routing protocols for the same networks. EIGRP will be the only one you see in your routing table between R1, R2 and R3 anyway..

You need to figure out why you have two isakmp SAs on the PIX; this should only be one. You still need to tune your routing/HSRP config to match.

Your VPN config looks good, nothing wrong with that.

Kind regards
Jens Petter Eikeland
Mob 98247550
Hipercom AS
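Jens's checklist (exactly one ISAKMP SA on the PIX, peered with the HSRP virtual address; the RRI static only on the active router; the standby learning the same prefix as an EIGRP external route) can be turned into a repeatable audit. The following is an added example, not code from the thread or from any of the posters. It parses constructed copies of `show crypto isakmp sa` and `show ip route static` output modelled on what was posted here (the addresses are the thread's; the standby's EIGRP metric and next hop are made up) and reports every invariant the posted setup violates. `audit`, `check_hub_sas` and `check_rri` are my own names.

```python
import re

# Addresses as posted in the thread: the PIX peers with the HSRP virtual IP,
# 195.1.112.10 is the PIX outside interface, and 172.16.2.0 is the network
# behind the PIX that reverse-route injection adds on the routers.
HSRP_VIP = "195.1.112.12"
PIX_OUTSIDE = "195.1.112.10"
PROTECTED_NET = "172.16.2.0"

# Constructed samples modelled on the outputs posted in the thread.
PIX_SA_AS_POSTED = """\
Total     : 2
Embryonic : 1
        dst               src        state     pending     created
   195.1.112.10     195.1.112.12    MM_SA_SETUP     0           0
   195.1.112.12     195.1.112.10    QM_IDLE         0           1
"""
PIX_SA_HEALTHY = """\
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
   195.1.112.12     195.1.112.10    QM_IDLE         0           1
"""
ACTIVE_ROUTES = """\
     172.16.0.0/24 is subnetted, 2 subnets
S       172.16.2.0 [1/0] via 195.1.112.10
"""
# What the standby should show: the prefix learned as an EIGRP external route
# from the active router (metric and next hop are made up for the example).
STANDBY_ROUTES_HEALTHY = """\
     172.16.0.0/24 is subnetted, 2 subnets
D EX    172.16.2.0 [170/30720] via 195.1.123.1, 00:01:00, FastEthernet0/0
"""
STANDBY_ROUTES_AS_POSTED = ""   # R2 showed no route at all

# One SA row: dst, src, state (works for the PIX and the IOS column layout).
SA_RE = re.compile(r"^\s*(\d+(?:\.\d+){3})\s+(\d+(?:\.\d+){3})\s+(\S+)")
# One route row: code ('S', 'D EX', 'O E2', ...) and prefix, before the '['.
ROUTE_RE = re.compile(r"^([A-Z][A-Z0-9]?(?: [A-Z][A-Z0-9])?)\s+(\d+(?:\.\d+){3})(?:/\d+)?\s+\[")


def parse_isakmp_sa(text):
    """Return (dst, src, state) tuples from 'show crypto isakmp sa' output."""
    return [m.groups() for m in map(SA_RE.match, text.splitlines()) if m]


def check_hub_sas(text, hub_ip, vip):
    """Hub side: exactly one SA, its peer is the HSRP VIP, and it is established."""
    findings = []
    sas = parse_isakmp_sa(text)
    if len(sas) != 1:
        findings.append(f"hub has {len(sas)} ISAKMP SAs, expected exactly 1 "
                        "(is the standby router negotiating as well?)")
    for dst, src, state in sas:
        peer = src if dst == hub_ip else dst
        if peer != vip:
            findings.append(f"SA peer {peer} is not the HSRP VIP {vip}")
        if state != "QM_IDLE":
            findings.append(f"SA with {peer} is in {state}, not QM_IDLE")
    return findings


def route_code(text, prefix):
    """Routing-table code for prefix ('S', 'D EX', ...), or None if absent."""
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m and m.group(2) == prefix:
            return m.group(1)
    return None


def check_rri(active_routes, standby_routes, prefix):
    """Active holds the RRI static; standby learns it dynamically, never as its own static."""
    findings = []
    if route_code(active_routes, prefix) != "S":
        findings.append(f"active router has no RRI static route for {prefix}")
    code = route_code(standby_routes, prefix)
    if code is None:
        findings.append(f"standby router has no route to {prefix}; "
                        "the redistributed route is not reaching it")
    elif code == "S":
        findings.append(f"standby router holds its own static for {prefix}; "
                        "that should only appear after HSRP failover")
    return findings


def audit(hub_sa_text, active_routes, standby_routes,
          hub_ip=PIX_OUTSIDE, vip=HSRP_VIP, prefix=PROTECTED_NET):
    """All findings for one snapshot of the HA pair and its hub."""
    return (check_hub_sas(hub_sa_text, hub_ip, vip)
            + check_rri(active_routes, standby_routes, prefix))


if __name__ == "__main__":
    cases = {"as posted": (PIX_SA_AS_POSTED, ACTIVE_ROUTES, STANDBY_ROUTES_AS_POSTED),
             "healthy": (PIX_SA_HEALTHY, ACTIVE_ROUTES, STANDBY_ROUTES_HEALTHY)}
    for name, args in cases.items():
        print(f"{name}: {audit(*args) or ['OK']}")
```

Run against the posted snapshot it reports three findings (two SAs on the PIX, one of them stuck in MM_SA_SETUP, and no route on the standby); the healthy snapshot reports none. Feeding it real output only requires pasting the three show commands into the constants.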
_____
From: Kal Han [mailto:calikali2006@gmail.com]
Sent: 25 November 2006 02:23
To: Petr Lapukhov
Cc: Jens Petter; Groupstudy; Cisco certification
Subject: Re: Help with VPN high-availability with HSRP
Hi

Thanks for your replies.

Here is my topology (R1 is active). HSRP is enabled on the interfaces facing the PIX. I am providing the config on the PIX.

                 |-----R1-----|
----cat-----PIX--|            |-------R3
                 |-----R2-----|

I configured VPN between PIX -- R1,R2 virtual IP address.
This is TrinetNT SuperLab-5 Section 11.3.
The question asked to redistribute the routes created by reverse-route using EIGRP. So I am running EIGRP between R1, R2, R3 and redistributing static on R1 and R2. Even if I remove EIGRP completely and use only OSPF the behavior is the same. I removed EIGRP now and tried... now.

Given my topology, R3 has two equal metric routes to reach the catalyst. Does R3 load balance between R1 and R2? (From what I know, only one router should be used, but I don't see that. Is there anything wrong with my HSRP config? The "show standby" shows the expected output.)

If so, will both R1 and R2 have SAs with the PIX, meaning there will be two IKE SAs on the PIX? (This is what is happening.) Or should it be only one SA to whichever is the active router?

I don't know this stuff. Looks like both R1 and R2 are trying to bring up the tunnel when I ping from Cat -> R3. R1 is successful in its attempt. R2 is failing. The only debug output I get on the failing router R2 is:
R2#
*Mar 1 00:11:23.931: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 195.1.112.12, remote= 195.1.112.10,
local_proxy= 195.1.123.0/255.255.255.0/0/0 (type=4),
remote_proxy= 172.16.2.0/255.255.255.0/0/0 (type=4),
protocol= ESP, transform= esp-des esp-sha-hmac ,
lifedur= 3600s and 4608000kb,
spi= 0xF6302F18(4130352920), conn_id= 0, keysize= 0, flags= 0x400A
*Mar 1 00:11:23.931: ISAKMP: received ke message (1/1)
*Mar 1 00:11:23.931: ISAKMP (0:0): SA request profile is (NULL)
*Mar 1 00:11:23.931: ISAKMP: local port 500, remote port 500
*Mar 1 00:11:23.935: ISAKMP: set new node 0 to QM_IDLE
*Mar 1 00:11:23.935: ISAKMP: insert sa successfully sa = 82EB5AD8
*Mar 1 00:11:23.935: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
*Mar 1 00:11:23.935: ISAKMP: Looking for a matching key for 195.1.112.10 in default : success
*Mar 1 00:11:23.935: ISAKMP (0:1): found peer pre-shared key matching 195.1.112.10
*Mar 1 00:11:23.
R2#935: ISAKMP (0:1): constructed NAT-T vendor-03 ID
*Mar 1 00:11:23.939: ISAKMP (0:1): constructed NAT-T vendor-02 ID
*Mar 1 00:11:23.939: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*Mar 1 00:11:23.939: ISAKMP (0:1): Old State = IKE_READY New State = IKE_I_MM1
*Mar 1 00:11:23.939: ISAKMP (0:1): beginning Main Mode exchange
*Mar 1 00:11:23.939: ISAKMP (0:1): sending packet to 195.1.112.10 my_port 500 peer_port 500 (I) MM_NO_STATE
R2#
*Mar 1 00:11:33.939: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar 1 00:11:33.939: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
*Mar 1 00:11:33.939: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar 1 00:11:33.939: ISAKMP (0:1): sending packet to 195.1.112.10 my_port 500 peer_port 500 (I) MM_NO_STATE
Should I see the static route (reverse-route) creation on both active and standby routers? I don't see the static route on the standby router.

Ping output on the CAT in the topology looks like this when I ping R3 from the CAT:

3750-Switch#ping 195.1.123.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 195.1.123.3, timeout is 2 seconds:
.!.!. ( <------------------------------------ )
PIX Config
pixfirewall(config)# sh run | in crypto
crypto ipsec transform-set ts esp-des esp-sha-hmac
crypto map cm 10 ipsec-isakmp
crypto map cm 10 match address vpn
crypto map cm 10 set peer 195.1.112.12
crypto map cm 10 set transform-set ts
crypto map cm interface outside
pixfirewall(config)#
pixfirewall(config)#
pixfirewall(config)# sh isak
isakmp enable outside
isakmp key ******** address 195.1.112.12 netmask 255.255.255.255
isakmp identity address
isakmp keepalive 10
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
pixfirewall(config)#
pixfirewall(config)# sh cry isa sa
Total     : 2
Embryonic : 1
        dst               src        state     pending     created
   195.1.112.10     195.1.112.12    MM_SA_SETUP     0           0
   195.1.112.12     195.1.112.10    QM_IDLE         0           1
pixfirewall(config)#
On 11/24/06, Petr Lapukhov <petr@internetworkexpert.com> wrote:
Agree with Jens here, I just labbed the HA scenario from scratch (HSRP/RRI) and had no problems at all, actually. It does take some time for ISAKMP to renegotiate with the standby router, but aside from this everything works fine. Try labbing *only* the HA scenario in the most simplified environment, and the debugging output when you shut down the primary router..
2006/11/24, Jens Petter <jenseike@start.no>:
What do you mean by "only half of my traffic is working fine"... only the active router should send at one time. Only when you shut down the primary VPN should the standby come up, after the standby HSRP comes up..

How does this have anything to do with the standby router?:

Ping Output looks like this
3750-Switch#ping 195.1.123.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 195.1.123.3, timeout is 2 seconds:
.!.!. ( <------------------------------------ )

Is this on the standby router??:. Does the tunnel go up/down since you are getting some packets through...

Maybe paste in to us the VPN config on the other side also. Check connectivity. Why two routing protocols on the same interface?? Why don't you just redistribute that static directly into OSPF..

I think you have a much more basic problem here than a problem with HA.

Now, have you tested the VPN peering between your standby router and the other side of the VPN.. Doesn't look like you have good peering here. When you set up HA VPN you should first test both VPN peerings, make sure they work fine and that you get your reverse route up before you start configuring the HA feature..

I have set up HA VPN many times, have never had any problems, so please show your whole config. Don't think you have a problem on the side you are showing here, at least not with HA VPN... You should check why you don't get that reverse route out to the routing table.. and why you don't have isakmp peering. That is your problem.

Kind regards
Jens Petter Eikeland
Mob 98247550
Hipercom AS
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Kal Han
Sent: 24 November 2006 05:36
To: Groupstudy; Cisco certification
Subject: Help with VPN high-availability with HSRP
Hi

I am trying to set up VPN HA using HSRP. (R1 is the active router and R2 is standby.) After I configure everything, only half of my traffic is working fine. The standby router is always the problem!

Out of the two routers that are part of the HA pair, only one is actually able to successfully encrypt and decrypt the traffic. The other (standby router) is in

R2#sh cry isa sa
dst             src             state          conn-id    slot
195.1.112.10    195.1.112.12    MM_NO_STATE    1          0

type of state.

Ping Output looks like this
3750-Switch#ping 195.1.123.3
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 195.1.123.3, timeout is 2 seconds:
.!.!. ( <------------------------------------ )

Not sure what's wrong, and why the second router is not able to build up the tunnel. Has anyone seen this kind of problem?

I am running OSPF throughout the network, and I am using EIGRP to redistribute the static routes created by "reverse-route injection".

On my active router:

R1#sroute stat
     172.16.0.0/24 is subnetted, 2 subnets
S       172.16.2.0 [1/0] via 195.1.112.10    <---- from my crypto access-list
R1#

On my standby router:

R2#sroute stat
R2#    <<<<<<< NO static routes seen here. >>>>>>

I am attaching both the router configs.

Any help is really appreciated. I tried this multiple times over a period of time. I had the same problem always. I am doing something wrong. I looked at online help but couldn't progress much further.

R1#sh cry isa sa
dst             src             state      conn-id    slot
195.1.112.12    195.1.112.10    QM_IDLE    1          0

R2#sh cry isa sa
dst             src             state          conn-id    slot
195.1.112.10    195.1.112.12    MM_NO_STATE    1          0
R1#sh run
Building configuration...
Current configuration : 2461 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
logging queue-limit 100
!
memory-size iomem 10
aaa new-model
!
!
aaa authentication login default group tacacs+
aaa authentication login NONE none
aaa authorization auth-proxy default group tacacs+
aaa session-id common
ip subnet-zero
!
!
no ip domain lookup
!
ip auth-proxy auth-cache-time 15
ip auth-proxy name AP http
ip audit notify log
ip audit po max-events 100
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key cceisec address 195.1.112.10
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set ts esp-des esp-sha-hmac
!
crypto map cm 10 ipsec-isakmp
set peer 195.1.112.10
set transform-set ts
match address 180
reverse-route
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
interface Loopback0
ip address 11.11.11.11 255.255.255.0
!
interface FastEthernet0/0
ip address 195.1.123.1 255.255.255.0
ip ospf message-digest-key 1 md5 cciesec
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 195.1.112.1 255.255.255.0
ip auth-proxy AP
ip ospf message-digest-key 1 md5 cciesec
ip ospf priority 255
duplex auto
speed auto
standby ip 195.1.112.12
standby priority 105
standby preempt
standby name HI
crypto map cm redundancy HI
!
router eigrp 123
redistribute static
network 195.1.112.0
network 195.1.123.0
no auto-summary
!
router ospf 1
router-id 11.11.11.11
log-adjacency-changes
no capability lls
area 0 authentication message-digest
network 11.11.11.0 0.0.0.255 area 0
network 195.1.112.0 0.0.0.255 area 0
network 195.1.123.0 0.0.0.255 area 0
!
ip http server
no ip http secure-server
ip classless
ip tacacs source-interface Loopback0
!
!
!
access-list 180 permit ip 195.1.123.0 0.0.0.255 172.16.2.0 0.0.0.255
!
tacacs-server host 195.1.112.100 key mykey
tacacs-server directed-request
radius-server authorization permit missing Service-Type
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication NONE
line aux 0
line vty 0 4
login authentication NONE
!
!
************************************************************
************************************************************
R2#sh run
Building configuration...
Current configuration : 2479 bytes
!
version 12.2
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
logging queue-limit 100
!
memory-size iomem 10
aaa new-model
!
!
aaa authentication login default group tacacs+
aaa authentication login NONE none
aaa authorization auth-proxy default group tacacs+
aaa session-id common
ip subnet-zero
!
!
no ip domain lookup
!
ip auth-proxy auth-cache-time 15
ip auth-proxy name AP http
ip audit notify log
ip audit po max-events 100
!
!
!
crypto isakmp policy 10
hash md5
authentication pre-share
group 2
crypto isakmp key cceisec address 195.1.112.10
crypto isakmp keepalive 10
!
!
crypto ipsec transform-set ts esp-des esp-sha-hmac
!
crypto map cm 10 ipsec-isakmp
set peer 195.1.112.10
set transform-set ts
match address 180
reverse-route
!
!
!
no voice hpi capture buffer
no voice hpi capture destination
!
!
mta receive maximum-recipients 0
!
!
!
!
interface Loopback0
ip address 22.22.22.22 255.255.255.0
!
interface FastEthernet0/0
ip address 195.1.123.2 255.255.255.0
ip ospf message-digest-key 1 md5 cciesec
duplex auto
speed auto
!
interface Serial0/0
no ip address
shutdown
no fair-queue
!
interface FastEthernet0/1
ip address 195.1.112.2 255.255.255.0
ip auth-proxy AP
ip ospf message-digest-key 1 md5 cciesec
duplex auto
speed auto
standby ip 195.1.112.12
standby preempt
standby name HI
crypto map cm redundancy HI
!
router eigrp 123
redistribute static
network 195.1.112.0
network 195.1.123.0
no auto-summary
!
router ospf 1
router-id 22.22.22.22
log-adjacency-changes
no capability lls
area 0 authentication message-digest
network 22.22.22.0 0.0.0.255 area 0
network 195.1.112.0 0.0.0.255 area 0
network 195.1.123.0 0.0.0.255 area 0
!
ip http server
no ip http secure-server
ip classless
ip tacacs source-interface Loopback0
!
!
!
access-list 180 permit ip 195.1.123.0 0.0.0.255 172.16.2.0 0.0.0.255
!
tacacs-server host 195.1.112.100 key mykey
tacacs-server directed-request
radius-server authorization permit missing Service-Type
call rsvp-sync
!
!
mgcp profile default
!
dial-peer cor custom
!
!
line con 0
exec-timeout 0 0
logging synchronous
login authentication NONE
line aux 0
line vty 0 4
login authentication NONE
!
!
end
R2#
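The debug that R2 printed earlier in the thread shows the standby itself starting Main Mode as initiator, with `local= 195.1.112.12` (the HSRP virtual address) and then retransmitting in MM_NO_STATE without ever getting an answer. As an added example, not code from the thread or from any poster, here is a small parser over a constructed copy of those debug lines that summarises each ISAKMP SA by role, peer, last state and retransmit count, and flags a standby router that is negotiating on its own. `summarize_ike_debug`, `standby_findings` and the `vip` parameter are my own names.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the debug lines R2 (the HSRP standby) printed
# in the thread; addresses and timestamps are the thread's own.
STANDBY_DEBUG_AS_POSTED = """\
*Mar 1 00:11:23.931: IPSEC(sa_request): ,
(key eng. msg.) OUTBOUND local= 195.1.112.12, remote= 195.1.112.10,
*Mar 1 00:11:23.931: ISAKMP (0:0): SA request profile is (NULL)
*Mar 1 00:11:23.939: ISAKMP (0:1): beginning Main Mode exchange
*Mar 1 00:11:23.939: ISAKMP (0:1): sending packet to 195.1.112.10 my_port 500 peer_port 500 (I) MM_NO_STATE
*Mar 1 00:11:33.939: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
*Mar 1 00:11:33.939: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
*Mar 1 00:11:33.939: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
*Mar 1 00:11:33.939: ISAKMP (0:1): sending packet to 195.1.112.10 my_port 500 peer_port 500 (I) MM_NO_STATE
"""
# A standby that is behaving: it logs nothing because it never negotiates.
STANDBY_DEBUG_QUIET = ""

HSRP_VIP = "195.1.112.12"

SA_LINE = re.compile(r"ISAKMP \((\d+:\d+)\): (.*)")
SEND_RE = re.compile(r"sending packet to (\d+(?:\.\d+){3}) .*\((I|R)\) (\S+)")
OUTBOUND_RE = re.compile(r"OUTBOUND local= (\d+(?:\.\d+){3}), remote= (\d+(?:\.\d+){3})")


def summarize_ike_debug(text):
    """Return ({sa_id: {peer, role, last_state, retransmits}}, (local, remote) or None)."""
    sas = defaultdict(lambda: {"peer": None, "role": None,
                               "last_state": None, "retransmits": 0})
    outbound = None
    for line in text.splitlines():
        m = OUTBOUND_RE.search(line)
        if m:
            outbound = m.groups()
        m = SA_LINE.search(line)
        if not m:
            continue
        sa_id, msg = m.groups()
        s = sas[sa_id]
        # IOS logs one 'incrementing error counter' line per phase-1 retransmit,
        # so count those rather than the two 'retransmitting' lines around it.
        if "incrementing error counter" in msg:
            s["retransmits"] += 1
        m = SEND_RE.search(msg)
        if m:
            s["peer"], s["role"], s["last_state"] = m.groups()
    return dict(sas), outbound


def standby_findings(text, vip, max_retransmits=0):
    """Findings for a router that HSRP says is standby: it should not be negotiating."""
    sas, outbound = summarize_ike_debug(text)
    findings = []
    if outbound and outbound[0] == vip:
        findings.append(f"standby is sourcing IKE from the HSRP VIP {vip} while not active")
    for sa_id, s in sas.items():
        if s["role"] == "I":
            findings.append(f"SA {sa_id}: standby initiated IKE to {s['peer']}; "
                            "only the active HSRP router should negotiate")
        if s["retransmits"] > max_retransmits:
            findings.append(f"SA {sa_id}: {s['retransmits']} phase-1 retransmit(s), "
                            f"stuck in {s['last_state']}; the peer never answered")
    return findings


if __name__ == "__main__":
    for name, log in (("as posted", STANDBY_DEBUG_AS_POSTED), ("quiet", STANDBY_DEBUG_QUIET)):
        print(f"{name}: {standby_findings(log, HSRP_VIP) or ['OK']}")
```

On the posted debug this reports three findings (sourced from the VIP, initiator role, one unanswered retransmit), which is the signature Jens describes: the standby should not be bringing the tunnel up at all until HSRP makes it active.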
This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:48 ART