Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1340
Views
15
Helpful
6
Replies

ISR 4K redundancy

Go to solution
Skevich17
Level 1
Level 1

‎11-24-2020 12:52 PM

Hello! 

I have 2 ISR 4K routers and i want to put it on the edge of the network, facing ISP. It will maintain dynamic nat for users, connecting to internet, and also ikev2 site to site ipsec vpn. I configured stateful redundancy for nat, so when one router fails, the other continues to forward traffic and all nat sessions are synchronized.

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ipaddr_nat/configuration/xe-3s/nat-xe-3s-book/iadnat-stateful-int-chass.html

I also want to configure redundancy for VPN, but in this doc it is said, that i can only configure it with hsrp

https://www.cisco.com/c/en/us/td/docs/routers/access/4400/software/configuration/xe-16-7/isr4400swcfg-xe-16-7-book/configuring_high_availability.pdf

When i try to configure hsrp and stateful redundancy at the same time, it shows error, when im trying to put standby ip on interface:

% address cannot equal interface IP address

Is there any way to achieve stateful box-to-box nat redundancy and IPSEC redundancy at the same time? And if there is, how can i do it?

Thanks in advance!

Labels:
1 Accepted Solution

Accepted Solutions

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to Skevich17

‎11-26-2020 12:26 AM

Hello @Skevich17 ,

you are right you have something different a redundancy group.

if you have a free IP address on the WAN side you can add an HSRP group using as VIP that free IP address and that will be the IPSec endpoint .

If the router does not accept the configuration means the two features HSRP and redudancy group are not compatible on the same interface.

 

Hope to help

Giuseppe

 

View solution in original post

6 Replies 6

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame

‎11-25-2020 02:21 AM

Hello @Skevich17 ,

>> % address cannot equal interface IP address

 

HSRP requires the use of a dedicated IP address for the VIP address it cannot be equal to the interface IP address. This is the meaning of the error you have seen,

so on the WAN side yo would need an additional IP address to be used as VIP you may need to change the current interface IP address on the WAN side to be able to re-use current IP as HSRP VIP.

The same logic has to be applied on the LAN internal side.

 

Hope to help

Giuseppe

 

0 Helpful

Go to solution
Skevich17
Level 1
Level 1
In response to Giuseppe Larosa

‎11-25-2020 05:34 AM

I know that, but my interface uses different ip address. This hsrp vip is the same as i use for redundancy group vip for stateful Nat.

0 Helpful

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to Skevich17

‎11-25-2020 06:08 AM

Hello @Skevich17 ,

ok I see your point

if you have already an HSRP group and HSRP VIP in place you can try to use it also as endpoint for IPSec VPN LAN to LAN there is no need to add a new HSRP group.

If you need a new HSRP group it will need a different HSRP VIP address and if you have an address avaiable on the WAN public side this is also a way to configure it.

 

Hope to help

Giuseppe

 

0 Helpful

Go to solution
Skevich17
Level 1
Level 1
In response to Giuseppe Larosa

‎11-25-2020 10:40 AM

"if you have already an HSRP group and HSRP VIP in place you can try to use it also as endpoint for IPSec VPN LAN to LAN there is no need to add a new HSRP group."

It's not a hsrp group, it's application redundancy group for statefull Nat redundancy.

 

interface GigabitEthernet2
description LinkISP
ip address 10.0.81.243 255.255.255.248
ip nat outside
negotiation auto
no mop enabled
no mop sysid
redundancy rii 200
redundancy group 1 ip 10.0.81.242 exclusive decrement 100
ip virtual-reassembly

 

To add crypto map to this interface to work on VIP i need to add command:

crypto map <name> redundancy <name>

But it says i dont have redundancy configured on this interface.

If i try to configure HSRP, it says:

% address cannot equal interface IP address

 

Maybe I'm understanding something wrong.. I need 2 routers to have box-to-box redundancy for users traffic, destined to internet and also for site to site vpns. Maybe there is different solution to achieve what i want?

0 Helpful

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to Skevich17

‎11-26-2020 12:26 AM

Hello @Skevich17 ,

you are right you have something different a redundancy group.

if you have a free IP address on the WAN side you can add an HSRP group using as VIP that free IP address and that will be the IPSec endpoint .

If the router does not accept the configuration means the two features HSRP and redudancy group are not compatible on the same interface.

 

Hope to help

Giuseppe

 

Go to solution
Skevich17
Level 1
Level 1
In response to Giuseppe Larosa

‎12-13-2020 11:39 PM

Sorry for a long response. I was able to test it just now, and it works! Thanks!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card