Problem with redundant IPSEC VPN Setup ISR1100 to ISR4300

Pascal85045 (Level 1)

Hi everyone, 

I'm having a problem with my VPN Setup and the Routing. 

I have Site A, which consists of two redundant Cisco ISR 4300 (v 17.03.05) routers in Active/Standby mode, and I have Site B, which consists of a Cisco ISR 1100 (v 16.12.04).

About the setup: 
Site A: 
The Cisco ISRs have two interfaces with a public subnet. GigabitEthernet0/0/0.900 is the "outside" subnet, which is the transit subnet used to communicate with the datacenter ISP for advertising our own public subnet via BGP; that public subnet is on GigabitEthernet0/0/1 ("inside").

Active ISR 4300:

interface GigabitEthernet0/0/0.900
 description ISP BGP
 encapsulation dot1Q 900
 ip address 7.7.7.2 255.255.255.254
 crypto map IKEv2
!
interface GigabitEthernet0/0/1
 description TEST-FW1
 ip address 3.3.3.4 255.255.255.0
 standby version 2
 standby 1 ip 3.3.3.3
 standby 1 priority 110
 standby 1 preempt delay minimum 60
 standby 1 name HA-WAN
 negotiation auto

Standby ISR 4300:

interface GigabitEthernet0/0/0.900
 description ISP BGP
 encapsulation dot1Q 900
 ip address 6.6.6.2 255.255.255.254
 crypto map IKEv2
!
interface GigabitEthernet0/0/1
 description TEST-FW2
 ip address 3.3.3.5 255.255.255.0
 standby version 2
 standby 1 ip 3.3.3.3
 standby 1 name HA-WAN
 negotiation auto

The IPSEC Profile and config for Site A looks identical on both:

crypto ikev2 proposal IKEv2 
 encryption aes-cbc-256
 prf sha256 sha512
 integrity sha256
 group 14
!
crypto ikev2 policy 20 
 proposal IKEv2
crypto ikev2 profile US1
 description US1 ISR VPN
 match identity remote any
 authentication remote pre-share key XXXXXXXXXXXXXXXXXXXXXXX
 authentication local pre-share key XXXXXXXXXXXXXXXXXXXXXX

crypto ipsec transform-set IKEv2 esp-aes 256 esp-sha256-hmac 
 mode tunnel

crypto dynamic-map ISR-Dynamic 10
 set security-association lifetime seconds 86400
 set security-association replay window-size 128 
 set transform-set IKEv2 
 set ikev2-profile US1
 match address 105
 reverse-route
!
crypto map IKEv2 10 ipsec-isakmp dynamic ISR-Dynamic 

The B-Side consists of one Cisco ISR 1100 which has a dynamic Public IP, it runs on either DSL or Cellular:

VPN Config:

crypto ikev2 proposal IKEv2_DH14 
 encryption aes-cbc-256
 prf sha256 sha512
 integrity sha256
 group 14
!
crypto ikev2 policy 2 
 proposal IKEv2_DH14
!
crypto ikev2 keyring US1-Key
 peer TEST-ISR1
  address 7.7.7.2
  pre-shared-key local XXXXXXXXXXXXXXXXXXX
  pre-shared-key remote XXXXXXXXXXXXXXXX
 !
 peer TEST-ISR2
  address 6.6.6.2
  pre-shared-key local XXXXXXXXXXXXXXXXXXXXXXXXXX
  pre-shared-key remote XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
 !
crypto ikev2 profile US1
 description US1
 match identity remote address 7.7.7.2 255.255.255.255 
 match identity remote address 6.6.6.2 255.255.255.255 
 identity local key-id XXXXXXXXXXXXXXXXX
 authentication remote pre-share
 authentication local pre-share
 keyring local US1-Key
!
crypto ipsec transform-set IKEv2 esp-aes 256 esp-sha256-hmac 
 mode tunnel
!
crypto map outside_map 10 ipsec-isakmp 
 set peer 7.7.7.2 default
 set peer 6.6.6.2
 set security-association lifetime seconds 86400
 set security-association replay window-size 128 
 set transform-set IKEv2 
 set ikev2-profile US1
 match address 101



This is the setup as we got it working. It looks like this:
[image: Cisco ISR (1).jpg]

So the VPN tunnel on Site A terminates on the "outside" transit subnet to the ISP. But it's performing really badly.
The B-Side is on private DSL lines or cellular, so it drops from time to time; it's just a network dropout. What happens quite often is that the B-Side builds a tunnel to both the default and the secondary peer when such an event happens.

And it stays connected to both Tunnels, this causes the traffic flow to stop. 

I tried to create an EEM script for this which tracks internal traffic (ping):

event manager applet RESET-VPN-US1_Track60
 event syslog pattern "%TRACK-6-STATE: 60 list boolean or Up -> Down"
 action 001 cli command "enable"
 action 002 cli command "clear crypto session remote 7.7.7.2"
 action 003 cli command "clear crypto session remote 6.6.6.2"
 action 099 syslog msg "US1 VPN tunnel cleared due to Track60 Recovery"


But still too many sites get stuck with two tunnels and no traffic flow.


The optimal solution would be really easy: attaching the crypto map to the GigabitEthernet0/0/1 interface on the HSRP IP. That way we would not have to add two IPs in the crypto map and could just connect to 3.3.3.3.
So:

interface GigabitEthernet0/0/1
 description TEST-FW1
 ip address 3.3.3.4 255.255.255.0
 standby version 2
 standby 1 ip 3.3.3.3
 standby 1 priority 110
 standby 1 preempt delay minimum 60
 standby 1 name HA-WAN
 negotiation auto
 crypto map IKEv2 redundancy HA-WAN

Then it would look like this:
[image: Cisco ISR (2).jpg]

But this does not work. The tunnel is established successfully and the B-Side has the route to the A-Side. But the A-Side cannot return traffic, as it will answer through the interface GigabitEthernet0/0/0.900, even though RRI is turned on.

We tried to solve this problem with Cisco TAC, but they couldn't solve it and said it's not supported. Unfortunately they could not provide a solution.


What we have also tried as a workaround:
Added the "set security-association idletime 60" command, so after 60 seconds it will try to connect to the default peer. It works: after roughly 60-90 seconds it's connected to the default peer, but it is still connected to the standby peer and will stay there for multiple hours until the SA expires or another ISP drop kicks it. So again no traffic flow.

We have thought about using an FQDN for both routers and then putting a Route53 health check in place to fail over between them, but as the AWS health checkers can only check for TCP and change their public IP, we don't want to expose a responding port to the Internet or constantly maintain ACLs.

OSPF or other routing protocols are not an option right now; we would have to add interfaces for each tunnel. We are talking 50+ devices, so maintenance would be ugly even though we have Prime.

Could someone help me? I can't be the only one running such a setup; I can't believe there is no working setup for this.

Thank you very much
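One way to catch the stuck dual-tunnel state on the B-side router itself, as an added example that is not part of the original post: a watchdog EEM applet that polls the IKEv2 SA table every 60 seconds and clears the session to the secondary peer whenever SAs to both 7.7.7.2 and 6.6.6.2 exist at the same time. The applet name, the 60-second interval and the policy of always keeping 7.7.7.2 are assumptions.

```ios
! Added example (not from the original post): runs on the Site-B ISR 1100.
! Every 60 seconds it reads "show crypto ikev2 sa" and, if an SA to the
! default peer 7.7.7.2 and an SA to the secondary peer 6.6.6.2 are both
! present, tears down the secondary one so traffic settles on one tunnel.
! Applet name, interval and the "always keep 7.7.7.2" policy are assumptions.
event manager applet US1-DUAL-TUNNEL-CHECK
 event timer watchdog time 60
 action 010 cli command "enable"
 action 020 cli command "show crypto ikev2 sa"
 ! match the peer address followed by "/" so it works for port 500 and for
 ! NAT-T (port 4500); the unescaped dots match any character, which is
 ! acceptable for these two addresses
 action 030 regexp "6.6.6.2/" "$_cli_result"
 action 040 set backup_up "$_regexp_result"
 action 050 regexp "7.7.7.2/" "$_cli_result"
 action 060 set primary_up "$_regexp_result"
 action 070 if $primary_up eq 1
 action 080  if $backup_up eq 1
 action 090   cli command "clear crypto session remote 6.6.6.2"
 action 100   syslog priority warnings msg "US1: SAs to both peers seen, cleared secondary peer 6.6.6.2"
 action 110  end
 action 120 end
```

Verify with "show event manager policy registered" and watch the syslog message; the applet only acts when both peers show up in the same poll, so a normal single-peer failover is left alone.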

19 Replies

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/17826-ipsec-feat.html

I know this is for IKEv1, but the same can still be used for IKEv2.
Check this solution and make the change; if it does not work, share the latest config here.

Hello,

--> The Cisco ISRs have two Interfaces with a Public Subnet. GigabitEthernet0/0/0.900 is the "outside" Subnet which is the transit Subnet to communicate with the Datacenter ISP for advertising our own Public Subnet via BGP which is on GigabitEthernet0/0/1 ("inside")

Post a diagram of your topology, as well as the full running configurations of all routers involved. If TAC cannot solve it, we probably have to lab this up.

Hi Georg, 

Please find attached the Diagram. I will upload the configs in a moment.
[image: Cisco ISR (1).jpg]

And this is how I would like to have the setup:
[image: Cisco ISR (2).jpg]

Hi @Georg Pauwen 

Unfortunately I can't post the running config; it has too much sensitive information, and I would have to cut out 80% of the config. I still think that my first post has all the relevant config lines listed.

The question is, how can I get the VPN connection to GIG0/0/1 with correct traffic routing?

Establishing the VPN to the HSRP IP on GIG0/0/1 is not a problem; the router just doesn't know how to answer and will try to answer through GIG0/0/0.900.



Thanks
Pascal


[image: jkjkjkjkjkjkjk.png]

Hi, friend,
I thought about your issue.
In Site-B you will point to the Site-A HSRP VIP; this gives you one IP ("no default anymore").
In Site-A you will configure two HSRP groups:
one facing OUT toward Site-B,
the other facing IN toward the Site-A LAN.

You must configure and make sure that the two HSRP groups elect the same active router, so that return traffic always goes through one router in Site-A.

Don't worry, this topology is from my notes; if there is any modification, I would be pleased to know it.

Thanks for your reply, but I cannot configure your proposed solution.

Your suggestion is an HSRP IP on the outside interface towards Site B = interface GigabitEthernet0/0/0.900.

Both are different transit subnets provided by the datacenter. They cannot be in the same subnet, so I can't put an HSRP on this.

Do you see in the topology that there is a router in front of both HSRP peers?

The other solution is
stateful IPsec; this makes both HSRP peers exchange IPsec tunnel info, and hence it does not matter whether Site-B connects to HSRP 1 or HSRP 2.
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnav/configuration/15-mt/sec-vpn-availability-15-mt-book/sec-state-fail-ipsec.html


I have checked the document. Right now, we can't run Active/Active as it's not allowed by the contract; that could be changed.

The problem with this topology is that the outside HSRP IPs of both routers are in the same network. This does not work, as it would destroy the redundancy: the active and standby routers would have to go through the same hop at the datacenter. With the different subnets and hops, they use different and separated lines in the DC.

Hello,

sorry for my late reply. First of all, crypto maps are very much legacy. Can't you use VTIs, which would make routing (redundancy) a whole lot easier?

Hello,

--> The B-Side consists of one Cisco ISR 1100 which has a dynamic Public IP, it runs on either DSL or Cellular:

Do you have the B side config as well (as much as you can post)? Is this a failover config (DSL primary/cell backup)?

Hi @Georg Pauwen 

I have sanitized the whole config. Please find it in the attachment. It is a failover config: GIG0/0/0 is primary and Cell 0/2/0 is failover.

But the failover is not the source of the problem, as it will only trigger after a certain number of seconds. When we have a short ISP drop of 5 seconds, the failover won't trigger but it still gives us the current issue.


For your other comment:
I do not see VTI as an option yet. The problem is that we have 50+ devices on the "B-Side". They connect to two locations, each with a redundant ISR pair. So we are talking 200+ VTI tunnels/networks. That will be ugly to manage and maintain.


Hello,

can you post a similar sanitized config for both Site A routers as well? I am trying to lab this up; it will take a few hours as it is, and a somewhat comprehensive text file would speed things up.

Hi @Georg Pauwen 

I have prepared the sanitized config. I had to cut out some stuff, as we have a lot of VTI tunnels; I removed the unnecessary parts.

Thanks a lot
Pascal
