The standby supervisor learns all the routing information from the active supervisor; this is the meaning of stateful.
So when a switchover happens, the standby doesn't start from nothing but takes control of the linecards and attempts to pretend to be the same device with all neighbors.
"Configuration information and data structures are synchronized from the active to the redundant supervisor engine at startup and whenever changes to the active supervisor engine configuration occur. Following an initial synchronization between the two supervisor engines, SSO maintains state information between them, including forwarding information.
During switchover, system control and routing protocol execution is transferred from the active supervisor engine to the redundant supervisor engine. The switch requires between 0 and 3 seconds to switchover from the active to the redundant supervisor engine."
Otherwise it would take much longer to perform a switchover, as happens with other redundancy strategies like RPR and RPR+.
Think they have a communication channel (a socket) between them to report all info.
Hope to help
Just bought a new 3925 for IPsec-SSO.
Has anyone tried IPsec with SSO on a 3925 with IOS 15.2 (or 15.4)? I spent almost two weeks (following the instructions in the attached whitepaper) but no luck. These instructions are OK with the Cisco 3725 (IOS 12.4).
But when I tried on the 3925, the standby router seems to delete the IPsec SA that it received from the HA Manager.
I've included the show redundancy states, show redundancy inter-device and debug results from the standby router (VPN2) below.
VPN2#sh redundancy states
Load for five secs: 1%/0%; one minute: 0%; five minutes: 0%
Time source is hardware calendar, *15:54:06.591 BKK Wed Oct 22 2014
my state = 8 -STANDBY HOT
peer state = 13 -ACTIVE
Mode = Duplex
Unit ID = 0
Maintenance Mode = Disabled
Manual Swact = cannot be initiated from this the standby unit
Communications = Up
client count = 15
client_notification_TMR = 60000 milliseconds
RF debug mask = 0x0
VPN2#sh redundancy inter-device
Load for five secs: 1%/0%; one minute: 0%; five minutes: 0%
Time source is hardware calendar, *15:54:12.599 BKK Wed Oct 22 2014
Redundancy inter-device state: RF_INTERDEV_STATE_STDBY
Groupname: ha-out Group State: Standby
Peer present: RF_INTERDEV_PEER_COMM
Security: Not configured
*Oct 22 08:27:24.359: Processing HA Message 0:
*Oct 22 08:27:24.359: IPSec HA: Got bundle insert msg
*Oct 22 08:27:24.359: IPSec HA (crypto_ha_ipsec_mgr_recv_add_sas): HA mgr wants to insert the following bundle
*Oct 22 08:27:24.359: IPSEC(key_engine): got a queue event with 1 KMI message(s)
*Oct 22 08:27:24.359: Crypto mapdb : proxy_match
src addr : 172.16.255.0
dst addr : 188.8.131.52
protocol : 256
src port : 0
dst port : 0
*Oct 22 08:27:24.359: IPSEC(crypto_ipsec_create_ipsec_sas): Map found dynmap, 1
*Oct 22 08:27:24.359: IPSec HA (crypto_ha_ipsec_notify_delete_sa): called
*Oct 22 08:27:24.359: IPSec HA (crypto_ha_ipsec_notify_delete_sa): operation not performed as standby
*Oct 22 08:27:24.359: IPSEC(get_old_outbound_sa_for_peer): No outbound SA found for peer 154E9BCC
*Oct 22 08:27:24.359: IPSEC(update_current_outbound_sa): updated peer 10.11.64.10 current outbound sa to SPI 0
*Oct 22 08:27:24.359: IPSEC(send_delete_notify_kmi): ASSERT FAILED: Decrement count mismatch for sibling :10553F0
*Oct 22 08:27:24.359: IPSEC(send_delete_notify_kmi): not sending KEY_ENGINE_DELETE_SAS
*Oct 22 08:27:24.359: IPSEC(ident_send_delete_notify_kmi): not in msg context Ident Delete SA msg: 0
VPN2#sh cry is sa
Load for five secs: 2%/0%; one minute: 1%; five minutes: 0%
Time source is hardware calendar, *15:27:36.679 BKK Wed Oct 22 2014
IPv4 Crypto ISAKMP SA
dst src state conn-id status
192.168.200.85 10.11.64.10 QM_IDLE 29006 STDBY
IPv6 Crypto ISAKMP SA
VPN2#sh cry ipsec sa
Load for five secs: 1%/0%; one minute: 1%; five minutes: 0%
Time source is hardware calendar, *15:27:43.071 BKK Wed Oct 22 2014
VPN2#sh cry map
Load for five secs: 0%/0%; one minute: 1%; five minutes: 0%
Time source is hardware calendar, *15:27:45.615 BKK Wed Oct 22 2014
Crypto Map IPv4 "ha_dynamic" 1 ipsec-isakmp
Dynamic map template tag: dynmap
Interfaces using crypto map ha_dynamic:
Group: ha-out, Type: Stateful HA, VIP: 192.168.200.85
Replay-interval: inbound:10 outbound:10000
Please let me know if you have any idea or require more details.
Thanks in advance.
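A triage sketch for the standby output in the post above, added here as an example (it is not part of the original post and not Cisco tooling). It correlates a replicated bundle insert with delete-notify or ASSERT lines inside the same HA message, and also reports the inter-device `Security:` setting and any ISAKMP SA held in STDBY state; the function name `triage` and the finding labels are assumptions.

```python
import re

# Constructed sample: lines copied from the standby (VPN2) output in the post above.
SAMPLE = """\
Redundancy inter-device state: RF_INTERDEV_STATE_STDBY
Peer present: RF_INTERDEV_PEER_COMM
Security: Not configured
*Oct 22 08:27:24.359: Processing HA Message 0:
*Oct 22 08:27:24.359: IPSec HA: Got bundle insert msg
*Oct 22 08:27:24.359: IPSEC(crypto_ipsec_create_ipsec_sas): Map found dynmap, 1
*Oct 22 08:27:24.359: IPSec HA (crypto_ha_ipsec_notify_delete_sa): called
*Oct 22 08:27:24.359: IPSEC(send_delete_notify_kmi): ASSERT FAILED: Decrement count mismatch for sibling :10553F0
192.168.200.85 10.11.64.10 QM_IDLE 29006 STDBY
"""

DEBUG = re.compile(r"^\*(\w{3} +\d+ [\d:.]+): (.*)$")          # IOS debug line
ISAKMP = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+STDBY$")  # dst src state conn-id

def triage(text):
    """Return (kind, detail) findings from standby-side show/debug output."""
    findings, insert_open = [], None
    for raw in text.splitlines():
        line = raw.strip().strip("|").strip()   # tolerate table-pipe residue
        dbg, sa = DEBUG.match(line), ISAKMP.match(line)
        if dbg:
            stamp, msg = dbg.groups()
            if msg.startswith("Processing HA Message"):
                insert_open = None              # a new HA message begins
            elif "Got bundle insert msg" in msg:
                insert_open = stamp             # active is replicating an SA bundle
            elif insert_open and ("notify_delete_sa): called" in msg
                                  or "ASSERT FAILED" in msg):
                findings.append(("sa-insert-followed-by-delete", f"{stamp}: {msg}"))
        elif line.startswith("Security:") and "Not configured" in line:
            findings.append(("interdev-security-not-configured", line))
        elif sa:
            findings.append(("isakmp-sa-standby", sa.group(4)))
    return findings

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE):
        print(f"{kind:34} {detail}")
```

An ISAKMP SA in STDBY state together with `sa-insert-followed-by-delete` findings and an empty `show crypto ipsec sa` matches the symptom described: phase 1 state is replicated while the IPsec bundle does not survive on the standby.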
SSO allows you to keep all Line Card interfaces UP/UP during the switchover so your neighbors will not bring down their routing adj because of an interface flap.
SSO is associated with NSR (Non Stop Routing), which freezes the CEF table on the LC. As a reminder, all the transit traffic is switched by the LC. So NSR allows a de-synchronization between the control plane and the forwarding plane during the switchover. It's important because you lose your control plane during the switchover.
The last piece is GR support of IGP/BGP and LDP, so when your standby becomes active, it will request the help of its routing peers to re-build its control plane without dropping the adj.
You need all those pieces to achieve 0-3s of packet loss during a switchover. NSR is activated as soon as SSO is up and running, but you need to configure GR for your routing protocols.
I configured SSO on a 3925 IOS 15.1 using a doc that was titled Stateful Failover for IPsec. I am not using IPsec, so I did not configure the IPsec part. However, my goal is to maintain state information between my two routers in an active/standby pairing. The routers are both configured for NAT, so the standby must maintain the state information present on the active router. Will SSO provide what I seek? I cannot seem to find any information on SSO for 3900 ISR routers that doesn't include IPsec.
On those lower platforms, SSO is per feature only. So SSO for IPsec can't be used for other features like NAT. For NAT we used to have SNAT (Stateful NAT), but it has been deprecated and SNAT is now only supported on the ASA platform.