cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
971
Views
0
Helpful
2
Replies

IPSec error

pure.tech
Level 1
Level 1

Hi all,

We've encountered an error with an IPSec tunnel between a Cisco 1811 and a pair of Draytek 3300's in High Availability mode. The connection was up and stable and the two Draytek units were online and in sync, the master then went offline failing over the connection to the master, at this point the IPSec tunnel went down.


I’ve spoken to Draytek about the issue as it looked to be an issue with their HA setup but they’ve asked me to check if the Cisco supports IPSec DPD – I’ve looked and looked and cannot find the answer hence the post.

If anyone can let me know if this is supported on the 1811 I would be grateful, even better if you can suggest a problem with our scenario?


Regards,

Graham.

1 Accepted Solution

Accepted Solutions

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello Graham,

DPD means Dead Peer detection

see

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/Dir_Encap.html#wp84861

for enabling DPD all times you need the periodic option

compare your configuration with the example in the link above or post your configuration here after having changed public ip addresses and removed usernames and passwords

To be honest, I think their HA IPSec configuration was not perfect as the objective of an HA IPSec is that of providing a seamless move to new peer

For achieving this the two devices need to share the IPSec connection table including current IPSec and ISAKMP Security Associations.

DPD could help in case new IPSec peer presents itself with a different SA proposal confusing the other device.

Edit:

DPD can help in case of stateless HA IPsec by allowing to declare down the previous sets of SAs and allowing Cisco device to negotiate SAs with the new active IPSec peer instead of rejecting them.

post show ver | inc image

in order to check if IPSEC DPD is supported on your C1811 you can use feature navigator

http://www.cisco.com/go/fn

search by feature IPSec DPD

example :

12.4(22)T3ADVANCED ENTERPRISE SERVICESc181x-adventerprisek9-mz.124-22.T3.bin256 MB of RAM, 64 MB flash

this supports periodic DPD on C1811

the exact name of the feature is :

IPSec Dead Peer Detection (DPD) Periodic Message Option

Hope to help

Giuseppe

View solution in original post

2 Replies 2

Giuseppe Larosa
Hall of Fame
Hall of Fame

Hello Graham,

DPD means Dead Peer detection

see

http://www.cisco.com/en/US/docs/solutions/Enterprise/WAN_and_MAN/Dir_Encap.html#wp84861

for enabling DPD all times you need the periodic option

compare your configuration with the example in the link above or post your configuration here after having changed public ip addresses and removed usernames and passwords

To be honest, I think their HA IPSec configuration was not perfect as the objective of an HA IPSec is that of providing a seamless move to new peer

For achieving this the two devices need to share the IPSec connection table including current IPSec and ISAKMP Security Associations.

DPD could help in case new IPSec peer presents itself with a different SA proposal confusing the other device.

Edit:

DPD can help in case of stateless HA IPsec by allowing to declare down the previous sets of SAs and allowing Cisco device to negotiate SAs with the new active IPSec peer instead of rejecting them.

post show ver | inc image

in order to check if IPSEC DPD is supported on your C1811 you can use feature navigator

http://www.cisco.com/go/fn

search by feature IPSec DPD

example :

12.4(22)T3ADVANCED ENTERPRISE SERVICESc181x-adventerprisek9-mz.124-22.T3.bin256 MB of RAM, 64 MB flash

this supports periodic DPD on C1811

the exact name of the feature is :

IPSec Dead Peer Detection (DPD) Periodic Message Option

Hope to help

Giuseppe

Thanks Giuseppe our connection is now back up.


Thanks for you help.

Pure.

Review Cisco Networking for a $25 gift card