Re: Help with VPN high-availability with HSRP

From: Kal Han (calikali2006@gmail.com)
Date: Sat Nov 25 2006 - 02:13:06 ART


OK, sorry. I forgot I am redistributing the static route, and so
its EIGRP admin distance is higher. Darn it!
I should go home and take a rest :)
OK, the question itself is not as straightforward as I thought :)
Thanks, everyone. My problem is solved.
Kal

On 11/24/06, Kal Han <calikali2006@gmail.com> wrote:
>
> Hi Jens, it's working just like you said.
> Thank you all again. It's working now.
> But my solution is not good. I would like some more input, please.
>
>                      |-----R1-----|
> ----cat-----PIX------|            |-------R3
>                      |-----R2-----|
>
> In this topology, all routers know routes to all the devices,
> using OSPF (before VPN or anything).
>
> So initially R3 has two routes to CAT (via R1 and R2).
> Now, after I configured VPN, HA, RRI, and redistribute static
> using EIGRP, I still see the previous two equal-metric
> routes on R3 to reach CAT. I did wait for some time
> to see the routing table update, with the EIGRP-redistributed
> static route taking priority over OSPF.
> It didn't happen.
> I set ospf max-paths to 1 and then it's working, because now
> there is only one route (thru R1); everything is good after
> this.
> But why did I not see the EIGRP route installed in the routing table,
> given that the same route is advertised by both OSPF and EIGRP?
>
> <by route I mean the route for CAT network >
>
> When I filtered the CAT network from R3 using a distribute list in OSPF, I saw
> the EIGRP route in the routing table. When I removed the distribute
> list, the OSPF-advertised route was back in the routing table and the EIGRP
> route was gone. (I did not manipulate any distance or any other
> parameters.)
>
>
> Thanks
> Kal
>
>
>
> On 11/24/06, Jens Petter <jenseike@start.no> wrote:
> >
> > You cannot load-balance the route that you receive via RRI to the switch
> > network. That would not work; you have
> > to make sure your primary HSRP router is the one that has the
> > best metric to this (as long as this
> > router's VPN is up).
> >
> > I am sure that this is part of your problem here. On the primary
> > router you should see the route as a static, but on the
> > standby router you need to make sure you learn this from R1 via your
> > dynamic routing protocol. In your case you should, on
> > the standby router, see 172.16.0.0/24 as an external EIGRP route (the
> > one you redistribute into EIGRP on your primary), and
> > not as a static route. The static you should only see when this router becomes
> > active.
> >
> > Only when your primary goes down should you see this as a static route
> > on your standby. Also, on R3 you need to see this
> > route only coming from your primary. This route cannot be load-balanced
> > using this type of technology (VPN HA together with HSRP).
> >
> > IPsec HA would make sure that when the standby router comes up, RRI goes
> > into effect on this router, not before.
> >
> > And no, you should only see one ISAKMP SA on the PIX, with
> > 195.1.112.12 as the peer for R1 and R2; only the currently active HSRP
> > router should ever have the VPN up at any time.
> >
> > I still think that you have a routing problem here; you are not matching
> > your routing to the HSRP/VPN config. You need to
> > think in a little bigger picture here than you do when you only
> > configure VPNs.
> >
> > I would still like to see your other router and PIX configs too.
> >
> > I did not think that using only EIGRP or OSPF was going to solve it;
> > I just found it strange you used both routing protocols for the same
> > networks.
> >
> > EIGRP will be the only one you see in your routing table between R1, R2
> > and R3 anyway.
> >
> > You need to figure out why you have two ISAKMP SAs on the PIX; this should
> > only be one. You still need to tune your routing/HSRP config to match.
> >
> > Your VPN config looks good, nothing wrong with that.
> >
> > Best regards
> >
> > Jens Petter Eikeland
> >
> > Mob 98247550
> > Hipercom AS
> > ------------------------------
> >
> > *From:* Kal Han [mailto:calikali2006@gmail.com]
> > *Sent:* 25. november 2006 02:23
> > *To:* Petr Lapukhov
> > *Cc:* Jens Petter; Groupstudy; Cisco certification
> > *Subject:* Re: Help with VPN high-availability with HSRP
> >
> >
> >
> > Hi
> >
> > Thanks for your replies.
> >
> > Here is my topology (R1 is active).
> >
> > HSRP is enabled on the interfaces facing the PIX.
> >
> > I am providing the config on the PIX.
> >
> >
> >
> >                      |-----R1-----|
> > ----cat-----PIX------|            |-------R3
> >                      |-----R2-----|
> >
> >
> >
> > I configured VPN between the PIX and the R1/R2 virtual IP address.
> >
> > This is TrinetNT SuperLab-5 Section 11.3.
> >
> > The question asked to redistribute the routes created by
> >
> > reverse-route using EIGRP. So I am running EIGRP between
> >
> > R1, R2, R3, and redistributing static on R1 and R2.
> >
> > Even if I remove EIGRP completely and use only OSPF, the
> >
> > behavior is the same.
> >
> >
> >
> > I removed EIGRP now and tried... now.
> >
> >
> >
> > Given my topology, R3 has two equal-metric routes to reach the catalyst.
> >
> > Does R3 load-balance between R1 and R2?
> >
> > (From what I know, only one router should be used, but I don't see that.
> >
> > Is there anything wrong with my HSRP config? The "show standby" shows
> >
> > the expected output.)
> >
> > If so, will both R1 and R2 have SAs with the PIX, meaning there will be two
> >
> > IKE SAs on the PIX? (This is what is happening.)
> >
> > Or should it be only one SA to whichever is the active router?
> >
> > I don't know this stuff. Looks like both R1 and R2 are trying to bring
> >
> > up the tunnel when I ping from Cat -> R3. R1 is successful in its
> > attempt.
> >
> > R2 is failing. The only debug output I get on the failing router R2 is:
> >
> > R2#
> > *Mar  1 00:11:23.931: IPSEC(sa_request): ,
> >   (key eng. msg.) OUTBOUND local= 195.1.112.12, remote= 195.1.112.10,
> >     local_proxy= 195.1.123.0/255.255.255.0/0/0 (type=4),
> >     remote_proxy= 172.16.2.0/255.255.255.0/0/0 (type=4),
> >     protocol= ESP, transform= esp-des esp-sha-hmac ,
> >     lifedur= 3600s and 4608000kb,
> >     spi= 0xF6302F18(4130352920), conn_id= 0, keysize= 0, flags= 0x400A
> > *Mar  1 00:11:23.931: ISAKMP: received ke message (1/1)
> > *Mar  1 00:11:23.931: ISAKMP (0:0): SA request profile is (NULL)
> > *Mar  1 00:11:23.931: ISAKMP: local port 500, remote port 500
> > *Mar  1 00:11:23.935: ISAKMP: set new node 0 to QM_IDLE
> > *Mar  1 00:11:23.935: ISAKMP: insert sa successfully sa = 82EB5AD8
> > *Mar  1 00:11:23.935: ISAKMP (0:1): Can not start Aggressive mode, trying Main mode.
> > *Mar  1 00:11:23.935: ISAKMP: Looking for a matching key for 195.1.112.10 in default : success
> > *Mar  1 00:11:23.935: ISAKMP (0:1): found peer pre-shared key matching 195.1.112.10
> > *Mar  1 00:11:23.935: ISAKMP (0:1): constructed NAT-T vendor-03 ID
> > *Mar  1 00:11:23.939: ISAKMP (0:1): constructed NAT-T vendor-02 ID
> > *Mar  1 00:11:23.939: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
> > *Mar  1 00:11:23.939: ISAKMP (0:1): Old State = IKE_READY  New State = IKE_I_MM1
> >
> > *Mar  1 00:11:23.939: ISAKMP (0:1): beginning Main Mode exchange
> > *Mar  1 00:11:23.939: ISAKMP (0:1): sending packet to 195.1.112.10 my_port 500 peer_port 500 (I) MM_NO_STATE
> > R2#
> > *Mar  1 00:11:33.939: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
> > *Mar  1 00:11:33.939: ISAKMP (0:1): incrementing error counter on sa: retransmit phase 1
> > *Mar  1 00:11:33.939: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
> > *Mar  1 00:11:33.939: ISAKMP (0:1): sending packet to 195.1.112.10 my_port 500 peer_port 500 (I) MM_NO_STATE
> >
> >
> >
> > Should I see the static route (reverse-route) creation on both the
> > active and standby routers? I don't see the static route on the standby
> > router.
> >
> > Ping output on CAT in the topology looks like this
> >
> > when I ping R3 from CAT:
> >
> > 3750-Switch#ping 195.1.123.3
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 195.1.123.3, timeout is 2 seconds:
> > .!.!.   <------------------------------------
> >
> >
> >
> >
> >
> > PIX Config
> >
> > pixfirewall(config)# sh run | in crypto
> > crypto ipsec transform-set ts esp-des esp-sha-hmac
> > crypto map cm 10 ipsec-isakmp
> > crypto map cm 10 match address vpn
> > crypto map cm 10 set peer 195.1.112.12
> > crypto map cm 10 set transform-set ts
> > crypto map cm interface outside
> > pixfirewall(config)#
> > pixfirewall(config)#
> > pixfirewall(config)# sh isak
> > isakmp enable outside
> > isakmp key ******** address 195.1.112.12 netmask 255.255.255.255
> > isakmp identity address
> > isakmp keepalive 10
> > isakmp policy 10 authentication pre-share
> > isakmp policy 10 encryption des
> > isakmp policy 10 hash md5
> > isakmp policy 10 group 2
> > isakmp policy 10 lifetime 86400
> > pixfirewall(config)#
> > pixfirewall(config)# sh cry isa sa
> > Total : 2
> > Embryonic : 1
> > dst             src             state        pending  created
> > 195.1.112.10    195.1.112.12    MM_SA_SETUP  0        0
> > 195.1.112.12    195.1.112.10    QM_IDLE      0        1
> > pixfirewall(config)#
> >
> >
> >
> >
> >
> > On 11/24/06, *Petr Lapukhov* < petr@internetworkexpert.com> wrote:
> >
> > Agree with Jens here. I just labbed the HA scenario from scratch (HSRP/RRI)
> > and had no problems at all, actually. It does take some time for ISAKMP
> > to
> > renegotiate with the standby router, but aside from this everything works
> > fine.
> >
> > Try labbing *only* the HA scenario in the most simplified environment, and
> > the debugging output when you shut down the primary router.
> >
> > 2006/11/24, Jens Petter <jenseike@start.no>:
> >
> > What do you mean by "only half of my traffic is working fine"... Only the
> > active
> > router
> > should send at one time. Only when you shut down the primary VPN should the
> > standby
> > come up, after the standby HSRP comes up.
> >
> > How does this have anything to do with the standby router?:
> > Ping output looks like this:
> > 3750-Switch#ping 195.1.123.3
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 195.1.123.3, timeout is 2 seconds:
> > .!.!.   <------------------------------------
> >
> > Is this on the standby router?? Does the tunnel go up/down, since you
> > are
> > getting some packets through...
> >
> > Maybe paste in to us the VPN config on the other side also. Check
> > connectivity. Why
> > two routing protocols on the same interface?? Why don't you just redistribute
> > that
> > static directly into OSPF...
> >
> > I think you have a much more basic problem here than a problem with HA.
> >
> > Now, have you tested the VPN peering between your standby router and
> > the other side of the VPN? Doesn't look like you have good peering here.
> > When you set up HA VPN you should first test both VPN peerings, make sure
> >
> > they
> > work fine and that you get your reverse route up before you start
> > configuring the HA feature.
> >
> > I have set up HA VPN many times, have never had any problems, so please
> > show
> > your whole config. Don't think you have a problem on the side you are
> > showing here, at least not with HA VPN... You should check why you don't
> > get
> > that reverse route out to the routing table, and why you don't have
> > ISAKMP
> > peering. That is your
> > problem.
> >
> >
> > Best regards
> > Jens Petter Eikeland
> > Mob 98247550
> > Hipercom AS
> >
> > -----Original Message-----
> > From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of Kal Han
> > Sent: 24. november 2006 05:36
> > To: Groupstudy; Cisco certification
> > Subject: Help with VPN high-availability with HSRP
> >
> > Hi
> > I am trying to set up VPN HA using HSRP.
> > (R1 is the active router and R2 is standby.)
> > After I configure everything, only half of my traffic is working fine.
> > The standby router is always the problem!
> > Out of the two routers that are part of HA, only one is actually able to
> > successfully
> > encrypt and decrypt the traffic. The other (standby router) is in
> > R2#sh cry isa sa
> > dst             src             state        conn-id  slot
> > 195.1.112.10    195.1.112.12    MM_NO_STATE  1        0
> >
> > type of state.
> >
> > Ping output looks like this:
> > 3750-Switch#ping 195.1.123.3
> > Type escape sequence to abort.
> > Sending 5, 100-byte ICMP Echos to 195.1.123.3, timeout is 2 seconds:
> > .!.!.   <------------------------------------
> >
> > Not sure what's wrong, and why the second router is not able to build up
> > the
> > tunnel.
> > Has anyone seen this kind of problem?
> >
> > I am running OSPF throughout the network, and I am using EIGRP to
> > redistribute
> > the static routes created by "reverse-route injection".
> >
> > On my active router:
> > R1#sroute stat
> >      172.16.0.0/24 is subnetted, 2 subnets
> > S       172.16.2.0 [1/0] via 195.1.112.10    <---- from my crypto access-list
> > R1#
> >
> > On my standby router:
> >
> > R2#sroute stat
> >
> > R2#    <<<<<<< NO static routes seen here. >>>>>>
> >
> > I am attaching both the router configs.
> >
> > Any help is really appreciated. I tried this multiple times over a
> > period of time. I had the same problem always. I am doing something
> > wrong. I looked at online help but couldn't progress much further.
> >
> > R1#sh cry isa sa
> > dst             src             state    conn-id  slot
> > 195.1.112.12    195.1.112.10    QM_IDLE  1        0
> >
> > R2#sh cry isa sa
> > dst             src             state        conn-id  slot
> > 195.1.112.10    195.1.112.12    MM_NO_STATE  1        0
> >
> >
> >
> > R1#sh run
> > Building configuration...
> >
> > Current configuration : 2461 bytes
> > !
> > version 12.2
> > service timestamps debug datetime msec
> > service timestamps log datetime msec
> > no service password-encryption
> > !
> > hostname R1
> > !
> > logging queue-limit 100
> > !
> > memory-size iomem 10
> > aaa new-model
> > !
> > !
> > aaa authentication login default group tacacs+
> > aaa authentication login NONE none
> > aaa authorization auth-proxy default group tacacs+
> > aaa session-id common
> > ip subnet-zero
> > !
> > !
> > no ip domain lookup
> > !
> > ip auth-proxy auth-cache-time 15
> > ip auth-proxy name AP http
> > ip audit notify log
> > ip audit po max-events 100
> > !
> > !
> > !
> > crypto isakmp policy 10
> > hash md5
> > authentication pre-share
> > group 2
> > crypto isakmp key cceisec address 195.1.112.10
> > crypto isakmp keepalive 10
> > !
> > !
> > crypto ipsec transform-set ts esp-des esp-sha-hmac
> > !
> > crypto map cm 10 ipsec-isakmp
> > set peer 195.1.112.10
> > set transform-set ts
> > match address 180
> > reverse-route
> > !
> > !
> > no voice hpi capture buffer
> > no voice hpi capture destination
> > !
> > !
> > mta receive maximum-recipients 0
> > !
> > !
> > interface Loopback0
> > ip address 11.11.11.11 255.255.255.0
> > !
> > interface FastEthernet0/0
> > ip address 195.1.123.1 255.255.255.0
> > ip ospf message-digest-key 1 md5 cciesec
> > duplex auto
> > speed auto
> > !
> > interface FastEthernet0/1
> > ip address 195.1.112.1 255.255.255.0
> > ip auth-proxy AP
> > ip ospf message-digest-key 1 md5 cciesec
> > ip ospf priority 255
> > duplex auto
> > speed auto
> > standby ip 195.1.112.12
> > standby priority 105
> > standby preempt
> > standby name HI
> > crypto map cm redundancy HI
> > !
> > router eigrp 123
> > redistribute static
> > network 195.1.112.0
> > network 195.1.123.0
> > no auto-summary
> > !
> > router ospf 1
> > router-id 11.11.11.11
> > log-adjacency-changes
> > no capability lls
> > area 0 authentication message-digest
> > network 11.11.11.0 0.0.0.255 area 0
> > network 195.1.112.0 0.0.0.255 area 0
> > network 195.1.123.0 0.0.0.255 area 0
> > !
> > ip http server
> > no ip http secure-server
> > ip classless
> > ip tacacs source-interface Loopback0
> > !
> > !
> > !
> > access-list 180 permit ip 195.1.123.0 0.0.0.255 172.16.2.0 0.0.0.255
> > !
> > tacacs-server host 195.1.112.100 key mykey
> > tacacs-server directed-request
> > radius-server authorization permit missing Service-Type
> > call rsvp-sync
> > !
> > !
> > mgcp profile default
> > !
> > dial-peer cor custom
> > !
> > !
> > line con 0
> > exec-timeout 0 0
> > logging synchronous
> > login authentication NONE
> > line aux 0
> > line vty 0 4
> > login authentication NONE
> > !
> > !
> >
> > ************************************************************
> >
> > ************************************************************
> >
> > R2#sh run
> > Building configuration...
> >
> > Current configuration : 2479 bytes
> > !
> > version 12.2
> > service timestamps debug datetime msec
> > service timestamps log datetime msec
> > no service password-encryption
> > !
> > hostname R2
> > !
> > logging queue-limit 100
> > !
> > memory-size iomem 10
> > aaa new-model
> > !
> > !
> > aaa authentication login default group tacacs+
> > aaa authentication login NONE none
> > aaa authorization auth-proxy default group tacacs+
> > aaa session-id common
> > ip subnet-zero
> > !
> > !
> > no ip domain lookup
> > !
> > ip auth-proxy auth-cache-time 15
> > ip auth-proxy name AP http
> > ip audit notify log
> > ip audit po max-events 100
> > !
> > !
> > !
> > crypto isakmp policy 10
> > hash md5
> > authentication pre-share
> > group 2
> > crypto isakmp key cceisec address 195.1.112.10
> > crypto isakmp keepalive 10
> > !
> > !
> > crypto ipsec transform-set ts esp-des esp-sha-hmac
> > !
> > crypto map cm 10 ipsec-isakmp
> > set peer 195.1.112.10
> > set transform-set ts
> > match address 180
> > reverse-route
> > !
> > !
> > !
> > no voice hpi capture buffer
> > no voice hpi capture destination
> > !
> > !
> > mta receive maximum-recipients 0
> > !
> > !
> > !
> > !
> > interface Loopback0
> > ip address 22.22.22.22 255.255.255.0
> > !
> > interface FastEthernet0/0
> > ip address 195.1.123.2 255.255.255.0
> > ip ospf message-digest-key 1 md5 cciesec
> > duplex auto
> > speed auto
> > !
> > interface Serial0/0
> > no ip address
> > shutdown
> > no fair-queue
> > !
> > interface FastEthernet0/1
> > ip address 195.1.112.2 255.255.255.0
> > ip auth-proxy AP
> > ip ospf message-digest-key 1 md5 cciesec
> > duplex auto
> > speed auto
> > standby ip 195.1.112.12
> > standby preempt
> > standby name HI
> > crypto map cm redundancy HI
> > !
> > router eigrp 123
> > redistribute static
> > network 195.1.112.0
> > network 195.1.123.0
> > no auto-summary
> > !
> > router ospf 1
> > router-id 22.22.22.22
> > log-adjacency-changes
> > no capability lls
> > area 0 authentication message-digest
> > network 22.22.22.0 0.0.0.255 area 0
> > network 195.1.112.0 0.0.0.255 area 0
> > network 195.1.123.0 0.0.0.255 area 0
> > !
> > ip http server
> > no ip http secure-server
> > ip classless
> > ip tacacs source-interface Loopback0
> > !
> > !
> > !
> > access-list 180 permit ip 195.1.123.0 0.0.0.255 172.16.2.0 0.0.0.255
> > !
> > tacacs-server host 195.1.112.100 key mykey
> > tacacs-server directed-request
> > radius-server authorization permit missing Service-Type
> > call rsvp-sync
> > !
> > !
> > mgcp profile default
> > !
> > dial-peer cor custom
> > !
> > !
> > line con 0
> > exec-timeout 0 0
> > logging synchronous
> > login authentication NONE
> > line aux 0
> > line vty 0 4
> > login authentication NONE
> > !
> > !
> > end
> >
> > R2#
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
> >
> >
> >
> >
> > --
> > Petr Lapukhov, CCIE #16379
> > petr@internetworkexpert.com
> >
> > Internetwork Expert, Inc.
> > http://www.InternetworkExpert.com
> > Toll Free: 877-224-8987
> > Outside US: 775-826-4344
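The thread resolves itself on administrative distance: R3 learns the CAT network from OSPF (AD 110) via both R1 and R2, and as an EIGRP external route (AD 170, because it is a redistributed static) via R1 only, so the OSPF pair wins and R3 load-shares toward a standby router that holds no IPsec SA. The Python model below is an added example, not code or output from the thread. It implements the IOS route-selection rules (lowest AD wins, then lowest metric, then equal-cost paths up to maximum-paths) against a constructed set of candidate routes for 172.16.2.0/24 as seen from R3, and replays the three things tried in the thread plus the fix a practitioner would usually reach for, a `distance` command on R3 so the RRI-derived route beats OSPF. The next hops, metrics and the per-packet round robin in `ping()` are assumptions for illustration: real CEF load sharing is per-destination by default, and which equal-cost path survives `maximum-paths 1` on a real router has nothing to do with which router is HSRP active; the model breaks ties alphabetically and says so in a comment.

```python
"""Toy model of an IOS routing table (RIB): administrative distance, equal-cost
paths, and what they mean for an HSRP/RRI IPsec pair where only the active router
holds the SA. Added example; topology, metrics and next hops are constructed."""
from collections import defaultdict
from dataclasses import dataclass

# IOS default administrative distances (only the ones this thread touches).
DEFAULT_AD = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "eigrp-external": 170}


@dataclass(frozen=True)
class Route:
    prefix: str
    protocol: str  # key into the AD table
    metric: int    # only compared among routes of the same protocol
    next_hop: str


def build_rib(candidates, max_paths=4, filtered=frozenset(), ad=DEFAULT_AD):
    """Return {prefix: [installed Route, ...]}.

    Selection per prefix, as IOS does it: lowest AD wins; among routes with
    that AD the lowest metric wins; equal-metric routes are installed
    together, up to max_paths. `filtered` holds (protocol, prefix) pairs that
    a 'distribute-list in' removes before selection; `ad` lets the caller
    model a 'distance' command that changes a protocol's AD.
    Tie-break among equal-cost paths is alphabetical on next hop here; a
    real router gives no such guarantee, so do not rely on it."""
    by_prefix = defaultdict(list)
    for r in candidates:
        if (r.protocol, r.prefix) not in filtered:
            by_prefix[r.prefix].append(r)
    rib = {}
    for prefix, routes in by_prefix.items():
        best_ad = min(ad[r.protocol] for r in routes)
        same_ad = [r for r in routes if ad[r.protocol] == best_ad]
        best_metric = min(r.metric for r in same_ad)
        equal = sorted((r for r in same_ad if r.metric == best_metric),
                       key=lambda r: r.next_hop)
        rib[prefix] = equal[:max_paths]
    return rib


def ping(rib, prefix, holds_sa, count=5):
    """Simplified per-packet round robin over the installed next hops.
    A packet only gets through when it lands on a router that holds the IPsec
    SA (the active HSRP router); the standby has no SA and the packet is lost."""
    paths = rib.get(prefix, [])
    if not paths:
        return "." * count
    return "".join("!" if paths[i % len(paths)].next_hop in holds_sa else "."
                   for i in range(count))


# Constructed view from R3: the CAT network 172.16.2.0/24 is learned by OSPF
# via both R1 and R2 at equal cost, and as an EIGRP external (the RRI static
# redistributed on R1) via R1 only. Only R1, the active HSRP router, holds the SA.
R1, R2 = "195.1.123.1", "195.1.123.2"
CAT = "172.16.2.0/24"
R3_CANDIDATES = [
    Route(CAT, "ospf", 20, R1),
    Route(CAT, "ospf", 20, R2),
    Route(CAT, "eigrp-external", 28416, R1),
]
ACTIVE_SA = {R1}


def scenario(name):
    """Return (installed protocols, next hops, ping pattern) for one scenario."""
    if name == "default":                 # the thread's starting point
        rib = build_rib(R3_CANDIDATES)
    elif name == "max-paths 1":           # 'maximum-paths 1' under router ospf
        rib = build_rib(R3_CANDIDATES, max_paths=1)
    elif name == "distribute-list":       # OSPF route for CAT filtered inbound
        rib = build_rib(R3_CANDIDATES, filtered={("ospf", CAT)})
    elif name == "distance":              # e.g. 'distance eigrp 90 100' on R3
        rib = build_rib(R3_CANDIDATES, ad={**DEFAULT_AD, "eigrp-external": 100})
    else:
        raise ValueError(name)
    paths = rib[CAT]
    return ([r.protocol for r in paths], [r.next_hop for r in paths],
            ping(rib, CAT, ACTIVE_SA))


if __name__ == "__main__":
    for name in ("default", "max-paths 1", "distribute-list", "distance"):
        protos, hops, pattern = scenario(name)
        print(f"{name:16} {protos} via {hops} -> {pattern}")
```

Running it shows the default case installing two OSPF paths and producing the alternating `!.!.!` loss pattern, while the distribute-list and distance cases install the single EIGRP external route via R1. The distance variant is the one that keeps working after a failover: when R2 becomes active and injects its own RRI static, R3 learns a new EIGRP external route via R2 and follows the SA, whereas `maximum-paths 1` only happened to pick the right router.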



This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:48 ART