Rising star

Stateful Switchover SSO


I have SSO configured on my router. What if my primary RP went down; will it affect my IGP/BGP as well as MPLS LDP? Will LDP have to learn all the new labels or not?


Devang Patel

Hall of Fame Expert

Re: Stateful Switchover SSO

Hello Devang,

The standby supervisor learns all the routing information from the active supervisor; this is the meaning of stateful.

So when switchover happens, the standby doesn't start from nothing but takes control of the linecards and attempts to pretend to be the same device with all neighbors.


"Configuration information and data structures are synchronized from the active to the redundant supervisor engine at startup and whenever changes to the active supervisor engine configuration occur. Following an initial synchronization between the two supervisor engines, SSO maintains state information between them, including forwarding information.

During switchover, system control and routing protocol execution is transferred from the active supervisor engine to the redundant supervisor engine. The switch requires between 0 and 3 seconds to switchover from the active to the redundant supervisor engine."

Otherwise it would take much longer to perform switchover, as happens with other redundancy strategies like RPR and RPR+.

I think they have a communication channel (a socket) between them to report all info.

Hope to help



Hi,

I just bought a new 3925 for IPsec-SSO.

Has anyone tried IPsec with SSO on a 3925 running IOS 15.2 (or 15.4)? I spent almost two weeks following the instructions in the attached whitepaper, but no luck. These instructions work fine on a Cisco 3725 (IOS 12.4).

But when I tried on the 3925, the standby router seems to delete the IPsec SA that it received from the HA Manager.

I've included the show redundancy states, show redundancy inter-device and debug output from the standby router (VPN2) below.

VPN2#sh redundancy states
Load for five secs: 1%/0%; one minute: 0%; five minutes: 0%
Time source is hardware calendar, *15:54:06.591 BKK Wed Oct 22 2014
       my state = 8  -STANDBY HOT
     peer state = 13 -ACTIVE
           Mode = Duplex
        Unit ID = 0

     Maintenance Mode = Disabled
    Manual Swact = cannot be initiated from this the standby unit
 Communications = Up

   client count = 15
 client_notification_TMR = 60000 milliseconds
           RF debug mask = 0x0  

VPN2#sh redundancy inter-device
Load for five secs: 1%/0%; one minute: 0%; five minutes: 0%
Time source is hardware calendar, *15:54:12.599 BKK Wed Oct 22 2014

Redundancy inter-device state: RF_INTERDEV_STATE_STDBY
  Scheme: Standby
      Groupname: ha-out Group State: Standby
  Security: Not configured


*Oct 22 08:27:24.359: Processing HA Message 0:
*Oct 22 08:27:24.359: IPSec HA: Got bundle insert msg
*Oct 22 08:27:24.359: IPSec HA (crypto_ha_ipsec_mgr_recv_add_sas): HA mgr wants to insert the following bundle
*Oct 22 08:27:24.359: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 22 08:27:24.359: Crypto mapdb : proxy_match
        src addr     :
        dst addr     :
        protocol     : 256
        src port     : 0
        dst port     : 0
*Oct 22 08:27:24.359: IPSEC(crypto_ipsec_create_ipsec_sas): Map found dynmap, 1
*Oct 22 08:27:24.359: IPSec HA (crypto_ha_ipsec_notify_delete_sa): called
*Oct 22 08:27:24.359: IPSec HA (crypto_ha_ipsec_notify_delete_sa): operation not performed as standby
*Oct 22 08:27:24.359: IPSEC(get_old_outbound_sa_for_peer): No outbound SA found for peer 154E9BCC
*Oct 22 08:27:24.359: IPSEC(update_current_outbound_sa): updated peer current outbound sa to SPI 0
*Oct 22 08:27:24.359: IPSEC(send_delete_notify_kmi): ASSERT FAILED: Decrement count mismatch for sibling :10553F0
*Oct 22 08:27:24.359: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
*Oct 22 08:27:24.359: IPSEC(ident_send_delete_notify_kmi): not in msg context Ident Delete SA msg: 0
VPN2#sh cry is sa
Load for five secs: 2%/0%; one minute: 1%; five minutes: 0%
Time source is hardware calendar, *15:27:36.679 BKK Wed Oct 22 2014
dst             src             state          conn-id status
                                QM_IDLE          29006 STDBY
VPN2#sh cry ipsec sa
Load for five secs: 1%/0%; one minute: 1%; five minutes: 0%
Time source is hardware calendar, *15:27:43.071 BKK Wed Oct 22 2014
VPN2#sh cry map
Load for five secs: 0%/0%; one minute: 1%; five minutes: 0%
Time source is hardware calendar, *15:27:45.615 BKK Wed Oct 22 2014
Crypto Map IPv4 "ha_dynamic" 1 ipsec-isakmp
        Dynamic map template tag: dynmap
        Interfaces using crypto map ha_dynamic:
        Redundancy Status:
                Group: ha-out,  Type: Stateful HA,  VIP:
                Replay-interval: inbound:10  outbound:10000


Please let me know if you have any ideas or require more details.

Thanks in advance.
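Added example (not part of the original post, and not Cisco code): a small Python triage of standby debug output in the format shown above, flagging each HA message in which a bundle insert is followed by delete-notify or ASSERT FAILED lines. HA Message 1 in the sample is constructed, and the function and pattern names are assumptions.

```python
import re

# Sample standby debug output. HA Message 0 is abridged from the post above;
# HA Message 1 is constructed here to show a clean insert for contrast.
SAMPLE = """\
*Oct 22 08:27:24.359: Processing HA Message 0:
*Oct 22 08:27:24.359: IPSec HA: Got bundle insert msg
*Oct 22 08:27:24.359: IPSEC(crypto_ipsec_create_ipsec_sas): Map found dynmap, 1
*Oct 22 08:27:24.359: IPSEC(send_delete_notify_kmi): ASSERT FAILED: Decrement count mismatch for sibling :10553F0
*Oct 22 08:27:24.359: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
*Oct 22 08:27:25.100: Processing HA Message 1:
*Oct 22 08:27:25.100: IPSec HA: Got bundle insert msg
*Oct 22 08:27:25.100: IPSEC(crypto_ipsec_create_ipsec_sas): Map found dynmap, 1
"""

# "*Oct 22 08:27:24.359: <message>"; continuation lines carry no timestamp.
LINE = re.compile(r"^\*(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d\.\d+): (?P<msg>.*)$")
START = re.compile(r"Processing HA Message (\d+):")
INSERT = "Got bundle insert msg"
SUSPECT = re.compile(r"ASSERT FAILED|send_delete_notify_kmi|notify_delete_sa")


def triage(log_text):
    """Group debug lines per HA message and return those where a bundle
    insert is followed by delete-notify or assert lines."""
    messages, current = [], None
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # e.g. the "src addr :" / "dst port :" continuation lines
        msg = m.group("msg")
        start = START.search(msg)
        if start:
            current = {"id": int(start.group(1)), "ts": m.group("ts"),
                       "insert": False, "evidence": []}
            messages.append(current)
        elif current is not None:
            if INSERT in msg:
                current["insert"] = True
            elif current["insert"] and SUSPECT.search(msg):
                current["evidence"].append(msg)
    return [f for f in messages if f["insert"] and f["evidence"]]


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"HA message {f['id']} at {f['ts']}: insert followed by delete/assert")
        for line in f["evidence"]:
            print("   ", line)
```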





Cisco Employee

Re: Stateful Switchover SSO

Hi Devang,

SSO allows you to keep all Line Card interfaces UP/UP during the switchover so your neighbors will not bring down their routing adj because of an interface flap.

SSO is associated with NSR (Non Stop Routing), which freezes the CEF table on the LC. As a reminder, all the transit traffic is switched by the LC. So NSR allows a de-synchronization between the control plane and the forwarding plane during the switchover. It's important because you lose your control plane during the switchover.

The last piece is GR support of IGP/BGP and LDP, so when your standby becomes active, it will request the help of its routing peers to rebuild its control plane without dropping the adj.

You need all those pieces to achieve 0-3s of packet loss during a switchover. NSR is activated as soon as SSO is UP and Running, but you need to configure GR for your routing protocols.




Stateful Switchover SSO

I configured SSO on a 3925 running IOS 15.1 using a doc that was titled Stateful Failover for IPsec. I am not using IPsec, so I did not configure the IPsec part. However, my goal is to maintain state information between my two routers in an active/standby pairing. The routers are both configured for NAT, so the standby must maintain the state information present on the active router. Will SSO provide what I seek? I cannot seem to find any information on SSO for 3900 ISR routers that doesn't include IPsec.

Please advise.

Cisco Employee

Stateful Switchover SSO


On those lower platforms, SSO is per feature only. So SSO for IPsec can't be used for other features like NAT. For NAT we used to have SNAT (Stateful NAT), but it has been deprecated and SNAT is now only supported on the ASA platform.




Stateful Switchover SSO

Dear Devang,

Laurent & Giuseppe are right.


Nirav Patel
