HSRP standby RA-VPN not giving access to internal resources!

Menon
Level 1

Dear Team,

I have implemented Hot Standby Router Protocol (HSRP) on two routers, each with an uplink to the Internet Service Provider (ISP). I have also configured a Secure Sockets Layer Virtual Private Network (SSL-VPN, AnyConnect) on both routers, and I am able to access internal resources while connecting to the active router's SSL-VPN.

However, I am facing an issue while connecting to the standby SSL-VPN, as I am unable to access internal resources (10.5.6.x/24). This issue arises even if I switch the HSRP (the standby router VPN is not providing access to internal resources (10.5.6.x/24)). The ultimate goal is to get access to my 10.5.6.0/24 network when connecting to the VPN (17.25.185.18:3443).

I would like to seek your assistance in resolving this issue and setting up the standby router VPN for access to internal resources. Can you please advise what could be the problem and how it can be resolved?

Thank you for your prompt attention to this matter.

Please find the standby router configuration below!

SSL-VPN configuration on standby router #R2

crypto pki trustpoint 247_TRUST_POINT
 enrollment selfsigned
 serial-number
 subject-name CN=247rack-certificate
 revocation-check crl
 rsakeypair 247_RSA_KEYS
!         
crypto pki trustpoint SLA-TrustPoint
 revocation-check crl
! 
crypto ssl proposal SSL_VPN_PROPOSAL 
 protection rsa-3des-ede-sha1 rsa-rc4128-md5 rsa-aes128-sha1 rsa-aes256-sha1
!         
crypto ssl authorization policy SSL_VPN_AUTH_POLICY 
 pool WEB_VPN_POOL
 def-domain example.com
 route set access-list SPLIT
!         
crypto ssl policy SSL_VPN_POLICY 
 ssl proposal SSL_VPN_PROPOSAL
 pki trustpoint 247_TRUST_POINT sign
 ip address local 17.25.185.18 port 3443
!         
crypto ssl profile SSL_VPN_PROFILE 
 match policy SSL_VPN_POLICY 
 aaa authentication user-pass list WEB_VPN 
 aaa authorization group user-pass list WEB_VPN SSL_VPN_AUTH_POLICY 
 authentication remote user-pass 
 max-users 100
!
ip local pool WEB_VPN_POOL 10.5.6.111 10.5.6.120


I gave the ISP IP as the VPN IP on both routers.

R2#sho run int g1
Building configuration...

Current configuration : 323 bytes
!
interface GigabitEthernet1
 ip flow monitor 247MONITOR input
 ip flow monitor 247MONITOR output
 ip address 17.25.185.18 255.255.255.252
 ip nbar protocol-discovery
 ip access-group WAN_IN in
 negotiation auto
 ipv6 address 2706:D408:DA1:1::2/64
 ipv6 traffic-filter v6BLOCK-SMTP in
 no mop enabled
 no mop sysid
end


ACL configuration:

ip access-list extended WAN_IN
 10 permit ip object-group MGMT_IPS object-group NATIVE_IPS
 20 deny   tcp any object-group NATIVE_IPS eq www log
 30 deny   tcp any object-group NATIVE_IPS eq 443 log
 40 deny   ip 192.168.0.0 0.0.255.255 any log
 50 deny   ip 10.0.0.0 0.255.255.255 any log
 60 deny   ip 172.16.0.0 0.15.255.255 any log
 70 deny   ip 104.218.121.0 0.0.0.255 any log
 80 deny   ip 104.218.122.0 0.0.0.255 any log
 90 deny   ip 104.218.123.0 0.0.0.255 any log
 100 deny   ip 162.220.55.0 0.0.0.255 any log
 110 deny   ip 169.197.76.0 0.0.3.255 any log
 120 permit ip any any


Best regards - Menon.


balaji.bandi
Hall of Fame

What device model and what IOS is running on this?

What does the Active Device configuration look like?

I do not see any HSRP config in the one posted - am I missing something here?

When you build High Availability - how are you able to connect to the standby Router? (Or are you doing a failover for testing?)

Do you have a high-level network diagram of what your setup looks like?

BB


Hi balaji,

The router is a Cisco csr1000v, IOS XE Software, Version 17.03.04a.

HSRP won't transfer the configs from active to standby to make both routers identical. And I configured HSRP on the sub-interfaces where the traffic goes in/out - G1 is the ISP interface. Please find the HSRP config of the standby below.

R2 - standby router

interface GigabitEthernet1
 ip flow monitor 247MONITOR input
 ip flow monitor 247MONITOR output
 ip address 17.25.185.18 255.255.255.252
 ip nbar protocol-discovery
 ip access-group WAN_IN in
 negotiation auto
 ipv6 address 2706:D408:DA1:1::2/64
 ipv6 traffic-filter v6BLOCK-SMTP in
 no mop enabled
 no mop sysid
!         
interface GigabitEthernet2
 ip address 10.5.6.9 255.255.255.0
 standby use-bia
 negotiation auto
 vrrp 92 ip 10.5.6.7
 no mop enabled
 no mop sysid
!         
interface GigabitEthernet3
 no ip address
 standby use-bia scope interface
 negotiation auto
 no mop enabled
 no mop sysid
!         
interface GigabitEthernet3.95
 encapsulation dot1Q 95
 ip address 10.0.0.2 255.255.255.248
!         
interface GigabitEthernet3.122
 encapsulation dot1Q 122
 ip address 14.28.122.2 255.255.255.0
 ip access-group BLOCK-SMTP in
 standby use-bia scope interface
 standby version 2
 standby 1 ipv6 2301:FAA6:BD0::1/64
 standby 1 priority 20
 standby 1 preempt
 standby 122 ip 14.28.122.3
 standby 122 timers msec 250 msec 750
 standby 122 priority 15
 standby 122 preempt
 ipv6 address 2301:FAA6:BD0::9/64
 arp timeout 60
!         
interface GigabitEthernet3.123
 encapsulation dot1Q 123
 ip address 14.28.123.2 255.255.255.0
 ip access-group BLOCK-SMTP in
 standby use-bia scope interface
 standby 123 ip 14.28.123.3
 standby 123 timers msec 250 msec 750
 standby 123 priority 15
 standby 123 preempt
!         
interface GigabitEthernet3.169
 encapsulation dot1Q 169
 ip address 69.17.76.2 255.255.252.0
 ip access-group BLOCK-SMTP in
 standby use-bia scope interface
 standby 169 ip 69.17.76.3
 standby 169 timers msec 250 msec 750
 standby 169 priority 15
 standby 169 preempt
!                
interface GigabitEthernet3.300
 description newscope23.148.1.0
 encapsulation dot1Q 300
 ip flow monitor 247MONITOR output
 ip address 25.158.1.2 255.255.255.0
 ip access-group BLOCK-SMTP in
 standby use-bia scope interface
 standby 55 ip 25.158.1.3
 standby 55 timers msec 250 msec 750
 standby 55 priority 15
 standby 55 preempt
 arp timeout 60
!         
interface GigabitEthernet3.504
 encapsulation dot1Q 504
 ip address 14.218.121.2 255.255.255.0
 ip access-group BLOCK-SMTP in
 standby use-bia scope interface
 standby 100 ip 14.218.121.3
 standby 100 timers msec 250 msec 750
 standby 100 priority 15
 standby 100 preempt
!         
interface GigabitEthernet3.520
 description Remote Access
 encapsulation dot1Q 520
 ip address 73.205.187.98 255.255.255.224
 ip access-group BLOCK-SMTP in
 standby use-bia scope interface
 standby 250 ip 73.205.187.99
 standby 250 timers msec 250 msec 750
 standby 250 priority 15
 standby 250 preempt
!         
interface GigabitEthernet3.521
 encapsulation dot1Q 521
 ip address 62.220.55.2 255.255.255.0
 ip access-group BLOCK-SMTP in
 standby use-bia scope interface
 standby version 2
 standby 1 ipv6 2620:FFA6:300::1/64
 standby 1 priority 20
 standby 1 preempt
 standby 251 ip 62.220.55.3
 standby 251 timers msec 250 msec 750
 standby 251 priority 15
 standby 251 preempt
 ipv6 address 2620:FFA6:300::9/64
 arp timeout 60
!
R1 - active router

interface GigabitEthernet1
 ip flow monitor 247MONITOR input
 ip flow monitor 247MONITOR output
 ip address 17.25.184.86 255.255.255.252
 ip nbar protocol-discovery
 ip access-group WAN_IN in
 negotiation auto
 ipv6 address 2706:D408:DA1:1::2/126
 ipv6 traffic-filter v6BLOCK-SMTP in
 no mop enabled
 no mop sysid
!         
interface GigabitEthernet2
 ip address 10.5.6.8 255.255.255.0
 standby use-bia
 negotiation auto
 vrrp 92 ip 10.5.6.7
 vrrp 92 priority 150
 no mop enabled
 no mop sysid
!         
interface GigabitEthernet3
 no ip address
 standby use-bia scope interface
 negotiation auto
 no mop enabled
 no mop sysid
!         
interface GigabitEthernet3.95
 encapsulation dot1Q 95
 ip address 10.0.0.1 255.255.255.248
!         
interface GigabitEthernet3.122
 description Remote Access
 encapsulation dot1Q 122
 ip address 14.28.122.2 255.255.255.0
 ip access-group BLOCK-SMTP in
 standby use-bia scope interface
 standby version 2
 standby 1 ipv6 2301:FAA6:BD0::1/64
 standby 1 priority 200
 standby 1 preempt
 standby 122 ip 14.28.122.3
 standby 122 timers msec 250 msec 750
 standby 122 priority 150
 standby 122 preempt
 ipv6 address 2301:FAA6:BD0::8/64
 arp timeout 60
!         
interface GigabitEthernet3.123
 description Remote Access
 encapsulation dot1Q 123
 ip address 14.28.123.1 255.255.255.0
 standby use-bia scope interface
 standby 123 ip 14.28.123.3
 standby 123 timers msec 250 msec 750
 standby 123 priority 150
 standby 123 preempt
!         
interface GigabitEthernet3.169
 description Remote Access
 encapsulation dot1Q 169
 ip address 69.17.76.1 255.255.252.0
 ip access-group BLOCK-SMTP in
 standby use-bia scope interface
 standby 169 ip 69.17.76.3
 standby 169 timers msec 250 msec 750
 standby 169 priority 150
 standby 169 preempt
!                 
interface GigabitEthernet3.300
 description newscope23.148.1.0
 encapsulation dot1Q 300
 ip flow monitor 247MONITOR output
 ip address 25.158.1.1 255.255.255.0
 ip access-group BLOCK-SMTP in
 standby use-bia scope interface
 standby 55 ip 25.158.1.3
 standby 55 timers msec 250 msec 750
 standby 55 priority 150
 standby 55 preempt
 arp timeout 60
!         
interface GigabitEthernet3.504
 description Remote Access
 encapsulation dot1Q 504
 ip address 14.218.121.2 255.255.255.0
 ip access-group BLOCK-SMTP in
 standby use-bia scope interface
 standby 100 ip 14.218.121.3
 standby 100 timers msec 250 msec 750
 standby 100 priority 150
 standby 100 preempt
!         
interface GigabitEthernet3.520
 description Remote Access
 encapsulation dot1Q 520
 ip address 73.205.187.97 255.255.255.224
 ip access-group BLOCK-SMTP in
 standby use-bia scope interface
 standby 250 ip 73.205.187.99
 standby 250 timers msec 250 msec 750
 standby 250 priority 150
 standby 250 preempt
!         
interface GigabitEthernet3.521
 description Remote Access
 encapsulation dot1Q 521
 ip address 62.220.55.1 255.255.255.0
 ip access-group BLOCK-SMTP in
 standby use-bia scope interface
 standby version 2
 standby 1 ipv6 2620:FFA6:300::1/64
 standby 1 priority 200
 standby 1 preempt
 standby 251 ip 62.220.55.3
 standby 251 timers msec 250 msec 750
 standby 251 priority 150
 standby 251 preempt
 ipv6 address 2620:FFA6:300::9/64
 arp timeout 60
!

My goal is to access the internal resources in subnet 10.5.6.0/24 while using the standby router VPN. Not sure whether an ACL or something else is blocking it! Please find the ACL and static routing below; for advertising the subnet I am using BGP.

!         
ip tftp source-interface GigabitEthernet3.521
ip route 0.0.0.0 0.0.0.0 10.5.6.3 250
ip route 10.2.6.0 255.255.255.0 10.5.6.10
ip route 10.3.6.0 255.255.255.0 10.5.6.10
ip route 10.4.6.0 255.255.255.0 10.5.6.10
ip route 10.6.6.0 255.255.255.0 10.5.6.10
ip route 10.7.6.0 255.255.255.0 10.5.6.10
ip route 10.8.6.0 255.255.255.0 10.5.6.10
ip route 172.16.2.0 255.255.255.0 172.16.5.10
ip route 172.16.3.0 255.255.255.0 172.16.5.10
ip route 172.16.4.0 255.255.255.0 172.16.5.10
!         
ip access-list standard SPLIT
 10 permit 10.3.0.0 0.0.255.255
 20 permit 10.4.0.0 0.0.255.255
 30 permit 10.5.0.0 0.0.255.255
 40 permit 10.6.0.0 0.0.255.255
 50 permit 10.7.0.0 0.0.255.255
!         
ip access-list extended BLOCK-SMTP
 10 deny   ip any 10.0.0.0 0.255.255.255
 20 deny   ip any 172.16.0.0 0.15.255.255
 30 deny   ip any 192.168.0.0 0.0.255.255
 40 permit ip host 162.220.55.203 any
 50 permit ip host 162.220.55.120 any
 60 permit ip host 162.220.55.181 any
 70 permit ip host 162.220.55.202 any
 80 permit ip host 162.220.55.245 any
 90 permit ip host 162.220.55.223 any
 100 deny   tcp any any eq smtp
 110 deny   tcp any any eq 139
 120 deny   tcp any any eq 445
 130 permit ip any any
ip access-list extended WAN_IN
 10 permit ip object-group MGMT_IPS object-group NATIVE_IPS
 20 deny   tcp any object-group NATIVE_IPS eq www log
 30 deny   tcp any object-group NATIVE_IPS eq 443 log
 40 deny   ip 192.168.0.0 0.0.255.255 any log
 50 deny   ip 10.0.0.0 0.255.255.255 any log
 60 deny   ip 172.16.0.0 0.15.255.255 any log
 70 deny   ip 104.218.121.0 0.0.0.255 any log
 80 deny   ip 104.218.122.0 0.0.0.255 any log
 90 deny   ip 104.218.123.0 0.0.0.255 any log
 100 deny   ip 162.220.55.0 0.0.0.255 any log
 110 deny   ip 169.197.76.0 0.0.3.255 any log
 120 permit ip any any
ip access-list extended mgmt_access
 10 permit ip 162.220.52.0 0.0.3.255 any
 20 permit ip host 217.122.155.149 any
 30 permit ip 69.28.248.0 0.0.0.255 any
 40 permit ip 104.218.120.0 0.0.0.255 any
 50 permit ip 23.148.0.0 0.0.0.255 any
 60 permit ip host 68.161.210.205 any
 70 permit ip 10.0.0.0 0.255.255.255 any
 80 permit ip host 103.72.179.19 any
 90 permit ip host 217.122.220.242 any
 100 permit ip host 103.99.207.182 any
!         
! 

Thanks.
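Added example (not part of the thread, and not Cisco code): a small Python evaluator for the wildcard-mask ACLs posted above (first-match semantics with the implicit deny), plus a check that WEB_VPN_POOL sits inside the G2 LAN subnet 10.5.6.0/24, the case in which LAN hosts only reach VPN clients if the router answers ARP for the pool addresses. The sample flows and the trimmed ACL text are constructed; WAN_IN's object-group entries are left out because the groups are not posted.

```python
import ipaddress
# Constructed input: entries from the thread's ACLs; WAN_IN's object-group lines are
# omitted because the groups MGMT_IPS/NATIVE_IPS are not posted.
WAN_IN = """
 50 deny   ip 10.0.0.0 0.255.255.255 any log
 120 permit ip any any
"""
BLOCK_SMTP = """
 10 deny   ip any 10.0.0.0 0.255.255.255
 40 permit ip host 162.220.55.203 any
 100 deny   tcp any any eq smtp
 130 permit ip any any
"""
A = lambda s: int(ipaddress.IPv4Address(s))  # dotted quad -> 32-bit int

def _addr(tok):
    # Consume one IOS address spec: any | host A | A WILDCARD -> (base, wildcard)
    t = tok.pop(0)
    if t == "any":
        return 0, 0xFFFFFFFF
    if t == "host":
        return A(tok.pop(0)), 0
    return A(t), A(tok.pop(0))

def parse_acl(text):
    # Parse "seq action proto src dst [eq port] [log]"; only destination ports
    rules = []
    for line in text.strip().splitlines():
        tok = line.split()[1:]  # drop the sequence number
        action, proto = tok.pop(0), tok.pop(0)
        src, dst = _addr(tok), _addr(tok)
        port = None
        if tok and tok[0] == "eq":
            port = {"www": 80, "smtp": 25}.get(tok[1]) or int(tok[1])
        rules.append((action, proto, src, dst, port))
    return rules

def _match(spec, ip):
    base, wild = spec  # a set wildcard bit means "don't care"
    return (A(ip) & ~wild) == (base & ~wild)

def evaluate(rules, src, dst, proto="ip", dport=None):
    # First matching entry wins; otherwise the implicit deny at the end applies
    for action, rproto, rsrc, rdst, rport in rules:
        if rproto in ("ip", proto) and _match(rsrc, src) and _match(rdst, dst) \
                and (rport is None or rport == dport):
            return action
    return "deny"

def pool_inside_lan(first, last, lan):
    # True when both ends of the VPN pool lie inside the connected LAN subnet
    net = ipaddress.ip_network(lan)
    return ipaddress.ip_address(first) in net and ipaddress.ip_address(last) in net
```

Running `evaluate(parse_acl(WAN_IN), "10.5.6.115", "10.5.6.20")` shows that a packet sourced from a pool address is denied by entry 50 if it is ever checked against WAN_IN, while `pool_inside_lan("10.5.6.111", "10.5.6.120", "10.5.6.0/24")` confirms the pool overlaps the G2 subnet on both routers.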