Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1460
Views
0
Helpful
1
Replies

Cisco ACE with IPSEC loadbalancing issue...

raval.hardik
Level 1
Level 1

‎04-28-2012 03:56 AM

Hi,

I had configured ACE for loadbalanc IPSEC traffic to my VPN Router. For IPSEC to work configured with leastconns with ip base stickyness  and running software version A2(3.4). I am facing following issue :

My configuration is working fine in normal condition but if one of my VPN router reboots all connections shifted to remaining VPN router but when VPN router comes backup connections are not loadbalance properly. i.e. new IPSEC connection not following sticky database for second connections (check below output) of the same ip and giving issue in establishing IPSEC connectivity.

switch# sh sticky database client 10.239.7.52

sticky group : STIK-FRM

type         : IP

timeout      : 1440          timeout-activeconns : FALSE

  sticky-entry          rserver-instance                 time-to-expire flags

  ---------------------+--------------------------------+--------------+-------+

  10.239.7.52           CISCO-7206-06:0                  65130          -

switch# show conn | i 10.239.7.52

763980     2  in  UDP   90   10.239.7.52:4500      10.250.226.19:4500    --

813704     2  out UDP   9    10.250.226.4:4500     10.239.7.52:29651     --

2992430    2  in  UDP   90   10.239.7.52:500       10.250.226.19:500     --

2858073    2  out UDP   9    10.250.226.6:500      10.239.7.52:1441      --

Thanking You...

Labels:
0 Helpful
1 Reply 1

gaursin2
Level 1
Level 1

‎05-02-2012 06:46 PM

hi

pls provide the entire confiugration so that we can see parameters realted to timeout settings for connection and sticky in your device and also sticky configuration (i beleive you have used netmask of 32 for souce only sticky).

from output we can see UDP 500 and udp 4500 are getting loadbalance....can we paralelly check the connection detail for these two connection (detail will provide the timeout parameters).

what I guess happened is STICKY timeout happens for this client (entry wil be their because connection has not timeout), and new conection (port 500 isakmp) will get loadbalance and will not see sticky...

just a theory right now, need details of config for any conclusion

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card