
IPsec High Availability (stateful)

Today I would like to set up HA for VPN using a slightly different scenario compared to the one from the previous post:

[Topology diagram: blog-IPsec_HA_141110.png]

As you see, there is only one link from the branch router (r5), and in the HQ the routers have their external IPs in the same subnet. I can implement HSRP there, so I set up the tunnel between r5 and the VIP (10.1.0.100). I also removed HSRP from the HQ LAN and added RRI (Reverse Route Injection). For a better user experience I add the ‘stateful’ option by enabling SSO (Stateful Switchover).
Instead of two peers in the crypto map on r5 we need only one IP (the VIP):
 
R5(config-crypto-map)#no  set peer 10.1.0.3
R5(config-crypto-map)#no  set peer 10.3.0.4
R5(config-crypto-map)#set peer 10.1.0.100

I don’t need DPD (Dead Peer Detection) in this scenario:
 
no crypto isakmp keepalive 10 periodic

I disable HSRP on inside interfaces of r3 and r4:
 
R3(config)#int fa0/0
R3(config-if)#no standby 1

R4(config)#int fa0/0
R4(config-if)#no standby 1

I have to enable HSRP on the outside interfaces of r3 and r4 and then add the VIP (10.1.0.100):
 
R3#sh run int fa1/0
Building configuration...

Current configuration : 284 bytes
!
interface FastEthernet1/0
 ip address 10.1.0.3 255.255.255.0
 standby 10 ip 10.1.0.100
 standby 10 priority 105
 standby 10 preempt
 standby 10 name VPN
 standby 10 track 1 decrement 10
 standby 10 track 2 decrement 10
 speed auto
 duplex auto
 crypto map MAPA redundancy VPN
end

R3#

R3#sh standby
FastEthernet1/0 - Group 10
  State is Active
    5 state changes, last state change 00:02:38
  Virtual IP address is 10.1.0.100
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 2.064 secs
  Preemption enabled
  Active router is local
  Standby router is 10.1.0.4, priority 100 (expires in 11.072 sec)
  Priority 105 (configured 105)
    Track object 1 state Up decrement 10
    Track object 2 state Up decrement 10
  Group name is "VPN" (cfgd)
R3#

 
R4#sh run int fa0/1
Building configuration...

Current configuration : 259 bytes
!
interface FastEthernet0/1
 ip address 10.1.0.4 255.255.255.0
 standby 10 ip 10.1.0.100
 standby 10 preempt
 standby 10 name VPN
 standby 10 track 3 decrement 10
 standby 10 track 4 decrement 10
 speed auto
 duplex auto
 crypto map MAPA redundancy VPN
end

R4#

R4#sh standby
FastEthernet0/1 - Group 10
  State is Standby
    4 state changes, last state change 00:02:45
  Virtual IP address is 10.1.0.100
  Active virtual MAC address is 0000.0c07.ac0a
    Local virtual MAC address is 0000.0c07.ac0a (v1 default)
  Hello time 3 sec, hold time 10 sec
    Next hello sent in 0.880 secs
  Preemption enabled
  Active router is 10.1.0.3, priority 105 (expires in 8.256 sec)
  Standby router is local
  Priority 100 (default 100)
    Track object 3 state Up decrement 10
    Track object 4 state Up decrement 10
  Group name is "VPN" (cfgd)
R4#

In the HQ LAN I enable OSPF, so r2 will learn the route towards r6 from the active VPN peer:
 
R3#sh run | s crypto map
crypto map MAPA 10 ipsec-isakmp
 set peer 10.1.0.5
 set transform-set TS
 match address 101
 reverse-route
 crypto map MAPA redundancy VPN
R3#

and then the static route will be redistributed to r2:
 
R3#sh run | s router ospf
router ospf 1
 redistribute static subnets
 network 10.2.0.0 0.0.0.255 area 0
R3#

The same on r4:
 
R4#sh run | s crypto map
crypto map MAPA 10 ipsec-isakmp
 set peer 10.1.0.5
 set transform-set TS
 match address 101
 reverse-route
 crypto map MAPA redundancy VPN
R4#

R4#sh run | s router ospf
router ospf 1
 redistribute static subnets
 network 10.2.0.0 0.0.0.255 area 0
R4#

Let’s test the default scenario (r5-r3 -> primary):

1) check the current routing table on r2:
 
r2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/24 is subnetted, 1 subnets
C       10.2.0.0 is directly connected, FastEthernet1/0
r2#

2) send traffic from r6->r2:
 
R6#ping 10.2.0.2 repeat 100
Type escape sequence to abort.
Sending 100, 100-byte ICMP Echos to 10.2.0.2, timeout is 2 seconds:
.!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Success rate is 97 percent (97/100), round-trip min/avg/max = 52/81/128 ms
R6

3) check VPN status on r3:
 
R3#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.0.100      10.1.0.5        QM_IDLE           1004 ACTIVE

IPv6 Crypto ISAKMP SA


R3#sh crypto session d
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: FastEthernet1/0
Uptime: 00:00:23
Session status: UP-ACTIVE
Peer: 10.1.0.5 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 10.1.0.5
      Desc: (none)
  IKEv1 SA: local 10.1.0.100/500 remote 10.1.0.5/500 Active
          Capabilities:(none) connid:1004 lifetime:23:59:36
  IPSEC FLOW: permit ip host 10.2.0.2 host 10.0.0.6
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 99 drop 0 life (KB/Sec) 4164529/3576
        Outbound: #pkts enc'ed 97 drop 0 life (KB/Sec) 4164529/3576

R3#

4) check VPN status on r5:
 
R5#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.0.100      10.1.0.5        QM_IDLE           1007 ACTIVE

IPv6 Crypto ISAKMP SA

R5#sh crypto session d
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: FastEthernet0/1
Uptime: 00:01:55
Session status: UP-ACTIVE
Peer: 10.1.0.100 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 10.1.0.100
      Desc: (none)
  IKEv1 SA: local 10.1.0.5/500 remote 10.1.0.100/500 Active
          Capabilities:(none) connid:1007 lifetime:23:58:03
  IPSEC FLOW: permit ip host 10.0.0.6 host 10.2.0.2
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 1173 drop 0 life (KB/Sec) 4255144/3484
        Outbound: #pkts enc'ed 1217 drop 0 life (KB/Sec) 4255144/3484

R5#

5) check VPN status on r4 (backup):
 
R4#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status

IPv6 Crypto ISAKMP SA

R4#sh crypto session d
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: FastEthernet0/1
Session status: DOWN
Peer: 10.1.0.5 port 500 fvrf: (none) ivrf: (none)
      Desc: (none)
      Phase1_id: (none)
  IPSEC FLOW: permit ip host 10.2.0.2 host 10.0.0.6
        Active SAs: 0, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0

R4#

6) check the current routing table on r2:
 
r2#sh ip route
Codes: C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route

Gateway of last resort is not set

     10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C       10.2.0.0/24 is directly connected, FastEthernet1/0
O E2    10.0.0.6/32 [110/20] via 10.2.0.3, 00:03:43, FastEthernet1/0
r2#

As we see, everything looks good. Traffic initiated from r6 towards r2 brought up the backup VPN tunnel. Let’s test now what happens when r3 fails:

1) send traffic from r2 towards r6:
 
R6#ping 10.2.0.2 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 10.2.0.2, timeout is 2 seconds:
.!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!......................

2) check status on r3
 
R3#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.0.100      10.1.0.5        QM_IDLE           1005 ACTIVE

IPv6 Crypto ISAKMP SA

R3#sh crypto session d
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: FastEthernet1/0
Uptime: 00:00:09
Session status: UP-ACTIVE
Peer: 10.1.0.5 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 10.1.0.5
      Desc: (none)
  IKEv1 SA: local 10.1.0.100/500 remote 10.1.0.5/500 Active
          Capabilities:(none) connid:1005 lifetime:23:59:49
  IPSEC FLOW: permit ip host 10.2.0.2 host 10.0.0.6
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 60 drop 0 life (KB/Sec) 4305992/3590
        Outbound: #pkts enc'ed 58 drop 0 life (KB/Sec) 4305992/3590

R3#

3) check status on r5
 
R5#sh crypto session
Crypto session current status

Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 10.1.0.100 port 500
  IKEv1 SA: local 10.1.0.5/500 remote 10.1.0.100/500 Active
  IPSEC FLOW: permit ip host 10.0.0.6 host 10.2.0.2
        Active SAs: 2, origin: crypto map

R5#sh crypto session d
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: FastEthernet0/1
Uptime: 00:00:28
Session status: UP-ACTIVE
Peer: 10.1.0.100 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 10.1.0.100
      Desc: (none)
  IKEv1 SA: local 10.1.0.5/500 remote 10.1.0.100/500 Active
          Capabilities:(none) connid:1008 lifetime:23:59:30
  IPSEC FLOW: permit ip host 10.0.0.6 host 10.2.0.2
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 201 drop 0 life (KB/Sec) 4270150/3571
        Outbound: #pkts enc'ed 207 drop 0 life (KB/Sec) 4270149/3571

R5#

4) shutdown fa0/0 on r3:
 
R3#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
R3(config)#int fa0/0
R3(config-if)#sh
R3(config-if)#
*Nov 10 18:10:17.651: %TRACKING-5-STATE: 1 interface Fa0/0 line-protocol Up->Down
*Nov 10 18:10:17.687: %OSPF-5-ADJCHG: Process 1, Nbr 10.2.0.2 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
*Nov 10 18:10:17.691: %OSPF-5-ADJCHG: Process 1, Nbr 10.2.0.4 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
R3(config-if)#
*Nov 10 18:10:19.183: %HSRP-5-STATECHANGE: FastEthernet1/0 Grp 10 state Active -> Speak
R3(config-if)#
*Nov 10 18:10:19.647: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
*Nov 10 18:10:20.647: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
R3(config-if)#
*Nov 10 18:10:30.671: %HSRP-5-STATECHANGE: FastEthernet1/0 Grp 10 state Speak -> Standby
R3(config-if)#

5) check status on r4 (backup):
 
R4#
*Nov 10 18:10:18.567: %HSRP-5-STATECHANGE: FastEthernet0/1 Grp 10 state Standby -> Active
R4#
*Nov 10 18:10:19.083: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.1.0.100, prot=50, spi=0x33C217B(54272379), srcaddr=10.1.0.5, input interface=FastEthernet0/1
R4#
*Nov 10 18:10:31.107: %CRYPTO-4-IKMP_NO_SA: IKE message from 10.1.0.5 has no SA and is not an initialization offer
R4#
*Nov 10 18:10:49.483: %OSPF-5-ADJCHG: Process 1, Nbr 10.2.0.3 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Dead timer expired
R4#
R4#


R4#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.0.100      10.1.0.5        QM_IDLE           1004 ACTIVE

IPv6 Crypto ISAKMP SA

R4#sh crypto ses
R4#sh crypto session d
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: FastEthernet0/1
Uptime: 00:02:43
Session status: UP-ACTIVE
Peer: 10.1.0.5 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 10.1.0.5
      Desc: (none)
  IKEv1 SA: local 10.1.0.100/500 remote 10.1.0.5/500 Active
          Capabilities:(none) connid:1004 lifetime:23:57:15
  IPSEC FLOW: permit ip host 10.2.0.2 host 10.0.0.6
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 715 drop 0 life (KB/Sec) 4193885/3436
        Outbound: #pkts enc'ed 696 drop 0 life (KB/Sec) 4193888/3436

R4#

6) check once again ping on r6:
 
R6#ping 10.2.0.2 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 10.2.0.2, timeout is 2 seconds:
.!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!.................................
.....!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!.!!!!!!!!!!!!!!!!!!
Success rate is 93 percent (935/1000), round-trip min/avg/max = 32/83/176 ms
R6#

As we see, the switchover took a while and I lost 39 packets. I enabled the fa0/0 interface on r3 again to check how long the switch back takes:
 
R3(config-if)#no sh
R3(config-if)#
*Nov 10 18:15:46.195: %TRACKING-5-STATE: 1 interface Fa0/0 line-protocol Down->Up
R3(config-if)#
*Nov 10 18:15:47.603: %HSRP-5-STATECHANGE: FastEthernet1/0 Grp 10 state Standby -> Active
*Nov 10 18:15:47.787: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=10.1.0.100, prot=50, spi=0xA1D3FE53(2715024979), srcaddr=10.1.0.5, input interface=FastEthernet1/0
R3(config-if)#
*Nov 10 18:15:48.183: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up
*Nov 10 18:15:49.183: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to up
R3(config-if)#
*Nov 10 18:15:53.963: %OSPF-5-ADJCHG: Process 1, Nbr 10.2.0.2 on FastEthernet0/0 from LOADING to FULL, Loading Done
*Nov 10 18:15:54.139: %OSPF-5-ADJCHG: Process 1, Nbr 10.2.0.4 on FastEthernet0/0 from LOADING to FULL, Loading Done
R3(config-if)#
*Nov 10 18:16:01.727: %CRYPTO-4-IKMP_NO_SA: IKE message from 10.1.0.5 has no SA and is not an initialization offer
R3(config-if)#

and as you see, I lost 41 packets:
 
R6#ping 10.2.0.2 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 10.2.0.2, timeout is 2 seconds:
!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!........................
...............!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!.!!!!!!!!!!!!!!!!!!!!!!!

The main problem is the time required to build the tunnel on the second node:
 
*Nov 10 18:10:31.107: %CRYPTO-4-IKMP_NO_SA: IKE message from 10.1.0.5 has no SA and is not an initialization offer

and we have to wait until the initialization starts.
We can add the stateful feature to keep both tunnels up, and then the switchover should be much faster. Let’s check what is required to accomplish it.
I discovered that I can’t configure IPC on my software:
 
R3(config)#ipc ?
  buffers       Resize ipc buffer pool
  header-cache  Resize IPC Permanent cache
  holdq         Configure IPC holdq parameters
  zone          Configure an IPC Zone

R3(config)#ipc z
R3(config)#ipc zone ?
  default  Configure the default Zone

R3(config)#ipc zone d
R3(config)#ipc zone default
R3(config-ipczone)#as
R3(config-ipczone)#association 1
R3(config-ipczone-assoc)#pr
R3(config-ipczone-assoc)#pr?
% Unrecognized command
R3(config-ipczone-assoc)#?
IPC Association Config commands
  exit      Exit IPC Association config mode
  no        Negate a command or set its defaults
  shutdown  Shutdown this association

R3(config-ipczone-assoc)#

I can’t enable ‘redundancy inter-device’ either:
 
R3(config)#red?
redirect

R3(config)#red

I have to change the software on r3 and r4. The current version is:
 
R3#sh ver
Cisco IOS Software, 7200 Software (C7200-ADVENTERPRISEK9-M), Version 15.2(4)S1, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Fri 28-Sep-12 14:39 by prod_rel_team

ROM: ROMMON Emulation Microcode
BOOTLDR: 7200 Software (C7200-ADVENTERPRISEK9-M), Version 15.2(4)S1, RELEASE SOFTWARE (fc1)

R3 uptime is 1 hour, 42 minutes
System returned to ROM by unknown reload cause - suspect boot_data[BOOT_COUNT] 0x0, BOOT_COUNT 0, BOOTDATA 19
System image file is "tftp://255.255.255.255/unknown"
Last reload reason: unknown reload cause - suspect boot_data[BOOT_COUNT] 0x0, BOOT_COUNT 0, BOOTDATA 19

The new one:
 
R4#sh ver
Cisco IOS Software, 7200 Software (C7200-ADVSECURITYK9-M), Version 15.2(4)M2, RELEASE SOFTWARE (fc2)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2012 by Cisco Systems, Inc.
Compiled Wed 07-Nov-12 18:15 by prod_rel_team

ROM: ROMMON Emulation Microcode
BOOTLDR: 7200 Software (C7200-ADVSECURITYK9-M), Version 15.2(4)M2, RELEASE SOFTWARE (fc2)

R4 uptime is 44 minutes
System returned to ROM by unknown reload cause - suspect boot_data[BOOT_COUNT] 0x0, BOOT_COUNT 0, BOOTDATA 19
System image file is "tftp://255.255.255.255/unknown"
Last reload reason: unknown reload cause - suspect boot_data[BOOT_COUNT] 0x0, BOOT_COUNT 0, BOOTDATA 19

On r3 and r4 I have to add the IPC configuration for SSO (the example below is taken from r4):
 
!
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port 5000
    local-ip 10.1.0.4
   remote-port 5000
    remote-ip 10.1.0.3
!

and redundancy:
 
!
redundancy inter-device
 scheme standby VPN
!

The crypto map has to be applied with an additional parameter:
 
interface FastEthernet0/1
 crypto map MAPA redundancy VPN stateful
!

Let’s test it once again:

1) send traffic
 
R6#ping 10.2.0.2 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 10.2.0.2, timeout is 2 seconds:
.!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.
Success rate is 99 percent (448/450), round-trip min/avg/max = 32/83/156 ms
R6#

2) check the VPN status on r3:
 
R3#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.0.100      10.1.0.5        QM_IDLE           1002 ACTIVE

IPv6 Crypto ISAKMP SA

R3#sh crypto session d
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: FastEthernet1/0
Uptime: 00:00:13
Session status: UP-ACTIVE
Peer: 10.1.0.5 port 500 fvrf: (none) ivrf: (none)
      Phase1_id: 10.1.0.5
      Desc: (none)
  IKEv1 SA: local 10.1.0.100/500 remote 10.1.0.5/500 Active
          Capabilities:(none) connid:1002 lifetime:23:59:45
  IPSEC FLOW: permit ip host 10.2.0.2 host 10.0.0.6
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 139 drop 0 life (KB/Sec) 4187230/3586
        Outbound: #pkts enc'ed 138 drop 0 life (KB/Sec) 4187230/3586

R3#

3) check the VPN status on r4:
 
R4#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.0.100      10.1.0.5        QM_IDLE           1002 STDBY

IPv6 Crypto ISAKMP SA

R4#sh crypto session detail
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: FastEthernet0/1
Session status: UP-STANDBY
Peer: 10.1.0.5 port 500 fvrf: (none) ivrf: (none)
      Desc: (none)
      Phase1_id: (none)
  IKEv1 SA: local 10.1.0.100/500 remote 10.1.0.5/500 Active
          Capabilities:(none) connid:1002 lifetime:23:59:32
  IPSEC FLOW: permit ip host 10.2.0.2 host 10.0.0.6
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 3788414/3573
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4249214/3573

R4#

As you see, the backup tunnel is up and ready to take control (UP-STANDBY). Let’s disable one interface on r3:
 
R6#ping 10.2.0.2 repeat 1000
Type escape sequence to abort.
Sending 1000, 100-byte ICMP Echos to 10.2.0.2, timeout is 2 seconds:
......!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!.UUUUU....................!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!
Success rate is 85 percent (193/225), round-trip min/avg/max = 44/79/124 ms
R6#

On r3 I shut down the fa0/0 interface:
 
R3(config)#int fa0/0
R3(config-if)#sh
R3(config-if)#
*Nov 10 20:16:02.991: %TRACKING-5-STATE: 1 interface Fa0/0 line-protocol Up->Down
*Nov 10 20:16:03.023: %OSPF-5-ADJCHG: Process 1, Nbr 10.2.0.2 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
*Nov 10 20:16:03.027: %OSPF-5-ADJCHG: Process 1, Nbr 10.2.0.4 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Interface down or detached
R3(config-if)#
*Nov 10 20:16:04.987: %LINK-5-CHANGED: Interface FastEthernet0/0, changed state to administratively down
*Nov 10 20:16:05.315: %HSRP-5-STATECHANGE: FastEthernet1/0 Grp 10 state Active -> Speak
*Nov 10 20:16:05.447: %RF-5-RF_RELOAD: Self reload. Reason: Not in correct state for becoming Standby
*Nov 10 20:16:05.451: %RF_INTERDEV-4-RELOAD: % RF induced self-reload. my state = ACTIVE peer state = STANDBY HOT
*Nov 10 20:16:05.987: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/0, changed state to down
R3(config-if)#

              ROM: reload requested...
 
 
 
R4#
*Nov 10 20:16:05.491: %HSRP-5-STATECHANGE: FastEthernet0/1 Grp 10 state Standby -> Active
*Nov 10 20:16:05.659: %CRYPTO-5-IKE_SA_HA_STATUS: IKE sa's if any, for vip  10.1.0.100 will change from STANDBY to ACTIVE
*Nov 10 20:16:05.663: %CRYPTO-5-IPSEC_SA_HA_STATUS: IPSec sa's if any, for vip  10.1.0.100 will change from STANDBY to ACTIVE
R4#
R4#
*Nov 10 20:16:21.519: %DUAL-5-NBRCHANGE: EIGRP-IPv4 10: Neighbor 10.1.0.3 (FastEthernet0/1) is down: holding time expired
R4#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
10.1.0.100      10.1.0.5        QM_IDLE           1001 ACTIVE

IPv6 Crypto ISAKMP SA

R4#sh crypto session d
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 10.1.0.5 port 500 fvrf: (none) ivrf: (none)
      Desc: (none)
      Phase1_id: (none)
  IKEv1 SA: local 10.1.0.100/500 remote 10.1.0.5/500 Active
          Capabilities:(none) connid:1001 lifetime:23:59:18
  IPSEC FLOW: permit ip host 10.2.0.2 host 10.0.0.6
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 11 drop 0 life (KB/Sec) 3737248/3569
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4198050/3569

R4#
*Nov 10 20:16:39.283: %OSPF-5-ADJCHG: Process 1, Nbr 10.2.0.3 on FastEthernet0/0 from FULL to DOWN, Neighbor Down: Dead timer expired
R4#
R4#
R4#sh crypto session d
Crypto session current status

Code: C - IKE Configuration mode, D - Dead Peer Detection
K - Keepalives, N - NAT-traversal, T - cTCP encapsulation
X - IKE Extended Authentication, F - IKE Fragmentation

Interface: FastEthernet0/1
Session status: UP-ACTIVE
Peer: 10.1.0.5 port 500 fvrf: (none) ivrf: (none)
      Desc: (none)
      Phase1_id: (none)
  IKEv1 SA: local 10.1.0.100/500 remote 10.1.0.5/500 Active
          Capabilities:(none) connid:1001 lifetime:23:58:54
  IPSEC FLOW: permit ip host 10.2.0.2 host 10.0.0.6
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 111 drop 0 life (KB/Sec) 3737233/3545
        Outbound: #pkts enc'ed 92 drop 0 life (KB/Sec) 4198036/3545

R4#

As we see, the switchover works fine and after 26 lost packets the backup tunnel was enabled. The ‘stateful’ feature keeps active sessions on both nodes, so users don’t lose their sessions.
More information can be found here: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-ipsec/white_paper_c11_472859.html
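To verify the pair from a monitoring host instead of reading the CLI by eye, here is an added Python example (not code from the original post) that parses the `show crypto session detail` layout shown above and reports why a pair is not ready for a hitless switchover: the active node must be UP-ACTIVE on the VIP, and the backup must hold an UP-STANDBY copy with the same connid and SA count. The sample outputs are constructed in that layout, and `check_stateful_pair` is my own function name.

```python
import re
from dataclasses import dataclass
# Constructed samples in the field layout of IOS "show crypto session detail"
# (the same fields the post's r3/r4 output shows after SSO was enabled).
ACTIVE_OUTPUT = """\
Interface: FastEthernet1/0
Session status: UP-ACTIVE
Peer: 10.1.0.5 port 500 fvrf: (none) ivrf: (none)
  IKEv1 SA: local 10.1.0.100/500 remote 10.1.0.5/500 Active
          Capabilities:(none) connid:1002 lifetime:23:59:45
  IPSEC FLOW: permit ip host 10.2.0.2 host 10.0.0.6
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 139 drop 0 life (KB/Sec) 4187230/3586
        Outbound: #pkts enc'ed 138 drop 0 life (KB/Sec) 4187230/3586
"""
STANDBY_OUTPUT = """\
Interface: FastEthernet0/1
Session status: UP-STANDBY
Peer: 10.1.0.5 port 500 fvrf: (none) ivrf: (none)
  IKEv1 SA: local 10.1.0.100/500 remote 10.1.0.5/500 Active
          Capabilities:(none) connid:1002 lifetime:23:59:32
  IPSEC FLOW: permit ip host 10.2.0.2 host 10.0.0.6
        Active SAs: 2, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 3788414/3573
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 4249214/3573
"""
# The backup before SSO was added: crypto map present, but no IKE SA at all.
STATELESS_BACKUP_OUTPUT = """\
Interface: FastEthernet0/1
Session status: DOWN
Peer: 10.1.0.5 port 500 fvrf: (none) ivrf: (none)
  IPSEC FLOW: permit ip host 10.2.0.2 host 10.0.0.6
        Active SAs: 0, origin: crypto map
        Inbound:  #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0
        Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0
"""
@dataclass
class CryptoSession:
    interface: str
    status: str = ""
    peer: str = ""
    local: str = ""     # local IKE endpoint; must be the HSRP VIP in this design
    connid: int = -1    # IKE connection id; SSO replicates it to the standby
    active_sas: int = 0
    pkts_dec: int = 0
    pkts_enc: int = 0

def parse_crypto_sessions(text: str) -> list:
    """Parse every 'Interface:' block of 'show crypto session detail' output."""
    sessions, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Interface:"):
            cur = CryptoSession(interface=line.split(":", 1)[1].strip())
            sessions.append(cur)
        elif cur is None:
            continue  # legend lines before the first block
        elif line.startswith("Session status:"):
            cur.status = line.split(":", 1)[1].strip()
        elif line.startswith("Peer:"):
            cur.peer = line.split()[1]
        elif line.startswith("IKEv1 SA:"):
            m = re.search(r"local (\S+)/\d+ remote", line)
            cur.local = m.group(1) if m else ""
        elif "connid:" in line:
            cur.connid = int(re.search(r"connid:(\d+)", line).group(1))
        elif line.startswith("Active SAs:"):
            cur.active_sas = int(re.search(r"Active SAs: (\d+)", line).group(1))
        elif line.startswith("Inbound:"):
            cur.pkts_dec = int(re.search(r"dec'ed (\d+)", line).group(1))
        elif line.startswith("Outbound:"):
            cur.pkts_enc = int(re.search(r"enc'ed (\d+)", line).group(1))
    return sessions

def check_stateful_pair(active_text: str, standby_text: str, vip: str) -> list:
    """Reasons the pair is NOT ready for a hitless switchover (empty list = OK)."""
    problems = []
    standby = {s.peer: s for s in parse_crypto_sessions(standby_text)}
    for a in parse_crypto_sessions(active_text):
        b = standby.get(a.peer)
        if a.status != "UP-ACTIVE":
            problems.append(f"{a.peer}: active node reports {a.status}")
        if a.local != vip:
            problems.append(f"{a.peer}: IKE terminated on {a.local}, not on VIP {vip}")
        if b is None or b.status != "UP-STANDBY":
            problems.append(f"{a.peer}: no UP-STANDBY copy on backup; failover will renegotiate IKE")
        elif b.connid != a.connid or b.active_sas != a.active_sas:
            problems.append(f"{a.peer}: SA state not replicated (connid {a.connid} vs {b.connid})")
    return problems
```

Feed it the real output of both HQ routers (for example collected over SSH) and alert whenever the returned list is non-empty; the stateless case reproduces the long outage measured in the first test.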
