05-11-2022 08:30 AM - edited 05-12-2022 06:07 AM
Hi everyone,
I'm having a problem with my VPN Setup and the Routing.
I have Site A, which consists of two redundant Cisco ISR 4300 (v 17.03.05) Routers in Active / Standby Mode, and I have Site B, which consists of a Cisco ISR 1100 (v 16.12.04).
About the setup:
Site A:
The Cisco ISRs have two Interfaces with a Public Subnet. GigabitEthernet0/0/0.900 is the "outside" Subnet, which is the transit Subnet to communicate with the Datacenter ISP for advertising our own Public Subnet via BGP, which is on GigabitEthernet0/0/1 ("inside").
Active ISR 4300:
interface GigabitEthernet0/0/0.900
 description ISP BGP
 encapsulation dot1Q 900
 ip address 7.7.7.2 255.255.255.254
 crypto map IKEv2
!
interface GigabitEthernet0/0/1
 description TEST-FW1
 ip address 3.3.3.4 255.255.255.0
 standby version 2
 standby 1 ip 3.3.3.3
 standby 1 priority 110
 standby 1 preempt delay minimum 60
 standby 1 name HA-WAN
 negotiation auto
Standby ISR 4300:
interface GigabitEthernet0/0/0.900
 description ISP BGP
 encapsulation dot1Q 900
 ip address 6.6.6.2 255.255.255.254
 crypto map IKEv2
!
interface GigabitEthernet0/0/1
 description TEST-FW2
 ip address 3.3.3.5 255.255.255.0
 standby version 2
 standby 1 ip 3.3.3.3
 standby 1 name HA-WAN
 negotiation auto
The IPSEC Profile and config for Site A looks identical on both:
crypto ikev2 proposal IKEv2
 encryption aes-cbc-256
 prf sha256 sha512
 integrity sha256
 group 14
!
crypto ikev2 policy 20
 proposal IKEv2
!
crypto ikev2 profile US1
 description US1 ISR VPN
 match identity remote any
 authentication remote pre-share key XXXXXXXXXXXXXXXXXXXXXXX
 authentication local pre-share key XXXXXXXXXXXXXXXXXXXXXX
!
crypto ipsec transform-set IKEv2 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto dynamic-map ISR-Dynamic 10
 set security-association lifetime seconds 86400
 set security-association replay window-size 128
 set transform-set IKEv2
 set ikev2-profile US1
 match address 105
 reverse-route
!
crypto map IKEv2 10 ipsec-isakmp dynamic ISR-Dynamic
The B-Side consists of one Cisco ISR 1100 which has a dynamic Public IP, it runs on either DSL or Cellular:
VPN Config:
crypto ikev2 proposal IKEv2_DH14
 encryption aes-cbc-256
 prf sha256 sha512
 integrity sha256
 group 14
!
crypto ikev2 policy 2
 proposal IKEv2_DH14
!
crypto ikev2 keyring US1-Key
 peer TEST-ISR1
  address 7.7.7.2
  pre-shared-key local XXXXXXXXXXXXXXXXXXX
  pre-shared-key remote XXXXXXXXXXXXXXXX
 !
 peer TEST-ISR2
  address 6.6.6.2
  pre-shared-key local XXXXXXXXXXXXXXXXXXXXXXXXXX
  pre-shared-key remote XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
!
crypto ikev2 profile US1
 description US1
 match identity remote address 7.7.7.2 255.255.255.255
 match identity remote address 6.6.6.2 255.255.255.255
 identity local key-id XXXXXXXXXXXXXXXXX
 authentication remote pre-share
 authentication local pre-share
 keyring local US1-Key
!
crypto ipsec transform-set IKEv2 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto map outside_map 10 ipsec-isakmp
 set peer 7.7.7.2 default
 set peer 6.6.6.2
 set security-association lifetime seconds 86400
 set security-association replay window-size 128
 set transform-set IKEv2
 set ikev2-profile US1
 match address 101
This is the setup as we got it working. It looks like this:
So the VPN Tunnel on Site A terminates on the "outside" Transit Subnet to the ISP. But it's performing really badly.
The B-Side is on private DSL Lines or cellular, so it drops from time to time; it's just a network dropout. What happens quite often is that the B-Side builds a tunnel to the default and the secondary peer when such an event happens.
And it stays connected to both Tunnels, this causes the traffic flow to stop.
I tried to create an EEM-Script for this which Tracks Internal Traffic (Ping):
event manager applet RESET-VPN-US1_Track60
 event syslog pattern "%TRACK-6-STATE: 60 list boolean or Up -> Down"
 action 001 cli command "enable"
 action 002 cli command "clear crypto session remote 7.7.7.2"
 action 003 cli command "clear crypto session remote 6.6.6.2"
 action 099 syslog msg "US1 VPN tunnel cleared due to Track60 Recovery"
But still too many sites get stuck with two Tunnels and no traffic flow.
The optimal solution would be really easy: attaching the cryptomap to the GigabitEthernet0/0/1 interface on the HSRP IP. That way we would not have to add two IPs in the cryptomap and could just connect to 3.3.3.3.
So:
interface GigabitEthernet0/0/1
 description TEST-FW1
 ip address 3.3.3.4 255.255.255.0
 standby version 2
 standby 1 ip 3.3.3.3
 standby 1 priority 110
 standby 1 preempt delay minimum 60
 standby 1 name HA-WAN
 negotiation auto
 crypto map IKEv2 redundancy HA-WAN
Then it would look like this:
But this does not work. The Tunnel is established successfully and the B-Side has the route to the A-Side. But the A-Side cannot return traffic, as it will answer through the Interface GigabitEthernet0/0/0.900, even though RRI is turned on.
We tried to solve this problem with Cisco TAC but they couldn't solve it and said it's not supported. Unfortunately they could not provide a Solution.
What we have also tried as a workaround:
Added the "set security-association idletime 60" command. So after 60 seconds it will try to connect to the default peer. It works; after roughly 60-90 seconds it's connected to the default peer, but it is still connected to the Standby-Peer and will stay there for multiple hours until the SA expires or another ISP drop kicks it. So again no traffic flow.
We have thought about using an FQDN for both routers and then putting a Route53 HealthCheck in place to fail over between them, but as the AWS health checkers can only check for TCP and change their public IP, we don't want to expose a responding Port to the Internet or constantly maintain ACLs.
OSPF or other routing protocols are not an option right now; we would have to add Interfaces for each Tunnel. We are talking 50+ devices, so maintenance would be ugly even though we have Prime.
Could someone help me? I can't be the only one running such a setup; I can't believe there is no working setup for this.
Thank you very much
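Before labbing a change like the one above, it helps to check a sanitized running-config mechanically for the two pieces that have to line up: the `crypto map <name> redundancy <group>` line on the interface must name an existing `standby <n> name <group>` on that same interface with a virtual IP, and the map's entries (or the dynamic-map they reference) must carry `reverse-route`, which is what the post says is already enabled. The following Python lint is an added example, not code from this thread or from Cisco; it parses the ordinary IOS layout (top-level commands in column 0, sub-commands indented by a space, `!` in column 0 closing a block) and runs over a constructed config sample that reuses the names from this post (IKEv2, ISR-Dynamic, US1, HA-WAN, 3.3.3.3). `GOOD_CONFIG`, `BAD_CONFIG` and all function names are the example's own.

```python
import re

# Constructed sample (not a config from the thread): the Site A active router
# with the crypto map attached to the HSRP-protected inside interface. Names and
# addresses follow the post; the config is trimmed to what the checks need.
GOOD_CONFIG = """\
crypto dynamic-map ISR-Dynamic 10
 set transform-set IKEv2
 set ikev2-profile US1
 match address 105
 reverse-route
!
crypto map IKEv2 10 ipsec-isakmp dynamic ISR-Dynamic
!
interface GigabitEthernet0/0/1
 ip address 3.3.3.4 255.255.255.0
 standby version 2
 standby 1 ip 3.3.3.3
 standby 1 name HA-WAN
 crypto map IKEv2 redundancy HA-WAN
"""

# Constructed negative sample: the redundancy group name on the crypto map line
# no longer matches 'standby 1 name', and the dynamic map lost reverse-route.
BAD_CONFIG = (GOOD_CONFIG.replace("redundancy HA-WAN", "redundancy HA-WAN1")
                         .replace(" reverse-route\n", ""))


def parse_blocks(text):
    """Group an IOS config into {top-level command: [sub-commands]} (assumed layout)."""
    blocks, current = {}, None
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped == "!":
            if not raw.startswith(" "):
                current = None  # only an unindented '!' closes a block
            continue
        if raw.startswith(" "):
            if current is not None:
                blocks[current].append(stripped)
        else:
            current = stripped
            blocks.setdefault(current, [])
    return blocks


def crypto_map_attachments(blocks):
    """(interface, map name, standby group) for each 'crypto map X redundancy Y'."""
    found = []
    for top, subs in blocks.items():
        if top.startswith("interface "):
            for line in subs:
                m = re.match(r"crypto map (\S+) redundancy (\S+)", line)
                if m:
                    found.append((top.split(None, 1)[1], m.group(1), m.group(2)))
    return found


def standby_groups(blocks, iface):
    """{standby group name: virtual IP or None} for one interface."""
    vip, names = {}, {}
    for line in blocks.get("interface " + iface, []):
        m = re.match(r"standby (\d+) (ip|name) (\S+)", line)
        if m:
            (vip if m.group(2) == "ip" else names)[m.group(1)] = m.group(3)
    return {name: vip.get(num) for num, name in names.items()}


def map_entries(blocks, map_name):
    """[(label, has_reverse_route)] for each static or dynamic entry of a crypto map."""
    entries = []
    for top, subs in blocks.items():
        m = re.match(r"crypto map (\S+) (\d+) ipsec-isakmp(?: dynamic (\S+))?$", top)
        if not m or m.group(1) != map_name:
            continue
        seq, dyn = m.group(2), m.group(3)
        if dyn:
            # dynamic entry: reverse-route is configured on the dynamic-map block(s)
            pattern = rf"crypto dynamic-map {re.escape(dyn)} \d+$"
            dyn_subs = [s for t, s in blocks.items() if re.match(pattern, t)]
            has_rri = any(ln.startswith("reverse-route") for s in dyn_subs for ln in s)
            entries.append((f"dynamic-map {dyn} (crypto map {map_name} {seq})", has_rri))
        else:
            entries.append((f"crypto map {map_name} {seq}",
                            any(ln.startswith("reverse-route") for ln in subs)))
    return entries


def lint(text):
    """Run the checks; an empty list means every check passed."""
    blocks, findings = parse_blocks(text), []
    attachments = crypto_map_attachments(blocks)
    if not attachments:
        findings.append("no 'crypto map <name> redundancy <group>' on any interface")
    for iface, map_name, group in attachments:
        groups = standby_groups(blocks, iface)
        if group not in groups:
            findings.append(f"{iface}: crypto map {map_name} names redundancy group "
                            f"'{group}' but no 'standby <n> name {group}' exists there")
        elif groups[group] is None:
            findings.append(f"{iface}: standby group '{group}' has no virtual IP")
        entries = map_entries(blocks, map_name)
        if not entries:
            findings.append(f"crypto map {map_name} has no entries")
        for label, has_rri in entries:
            if not has_rri:
                findings.append(f"{label}: no reverse-route, so the active router "
                                "injects no route back toward the remote site")
    return findings


if __name__ == "__main__":
    for name, cfg in (("GOOD_CONFIG", GOOD_CONFIG), ("BAD_CONFIG", BAD_CONFIG)):
        print(name, "->", lint(cfg) or "OK")
```

The lint only catches configuration mismatches (a misspelled group name, a missing virtual IP, a map entry without RRI); it cannot tell whether the return path will actually use the inside interface, which is the behaviour the post reports TAC could not resolve. Run it over the sanitized configs of both Site A routers and compare the findings side by side, since the standby pair should produce identical results apart from the interface addresses.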
05-11-2022 08:57 AM
I know this for IKEv1, but the same can still be used for IKEv2.
Check this solution and make changes; if it does not work, share the latest config here.
05-11-2022 09:36 AM
Hello,
--> The Cisco ISRs have two Interfaces with a Public Subnet. GigabitEthernet0/0/0.900 is the "outside" Subnet which is the transit Subnet to communicate with the Datacenter ISP for advertising our own Public Subnet via BGP which is on GigabitEthernet0/0/1 ("inside")
Post a diagram of your topology, as well as the full running configurations of all routers involved. If TAC cannot solve it, we probably have to lab this up.
05-12-2022 05:28 AM
Hi Georg,
Please find attached the Diagram. I will upload the configs in a moment.
05-12-2022 05:34 AM
And this is how i would like to have the setup:
05-12-2022 06:00 AM - edited 05-12-2022 06:02 AM
Hi @Georg Pauwen
Unfortunately I can't post the running config; it has too much sensitive information, I have to cut out 80% of the config. I still think that my first post has all the relevant Config Lines listed.
The Question is, how can I get the VPN connection to GIG0/0/1 with correct traffic routing?
Establishing the VPN to the HSRP IP on GIG0/0/1 is not a problem; the Router just doesn't know how to answer / will try to answer through GIG0/0/0.900.
Thanks
Pascal
05-11-2022 11:01 AM
Hi, friend
I have thought about your issue.
In Site-B you will point to the Site-A HSRP VIP; this gives you one IP, "no default anymore".
In Site-A you will configure two HSRP groups:
one facing OUT toward Site-B,
the other facing IN toward the Site-A LAN.
You must configure and make sure that the two HSRP groups elect the same active router, to make return traffic always go through one router in Site-A.
Don't worry, this topology is from my notes; if there is any modification I would be pleased to know it.
05-12-2022 05:37 AM
Thanks for your reply, but I cannot configure your proposed Solution.
Your suggestion is an HSRP IP on the outside interface towards Site B = Interface GigabitEthernet0/0/0.900.
Both are different Transit Subnets provided by the Datacenter. They cannot be in the same Subnet. So I can't put HSRP on this.
05-12-2022 11:04 AM - edited 05-12-2022 12:38 PM
Do you see the topology? There is a Router in front of both HSRP peers.
The other Solution is
stateful IPsec; this makes both HSRP peers exchange IPsec tunnel info, and hence it does not matter whether Site-B connects to HSRP 1 or HSRP 2.
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnav/configuration/15-mt/sec-vpn-availability-15-mt-book/sec-state-fail-ipsec.html
05-13-2022 05:26 AM
I have checked the Document. Right now, we can't run Active / Active as it's not allowed by the Contract; that could be changed.
The Problem with this topology is that the outside HSRP IPs of both Routers are in the same Network. This does not work, as it would Destroy the redundancy: the Active and Standby Router would have to go through the same Hop at the Datacenter. With the different Subnets and Hops, they use a different and separate Line in the DC.
05-12-2022 02:41 PM
Hello,
sorry for my late reply. First of all, crypto maps are very much legacy. Can't you use VTIs, which would make routing (redundancy) a whole lot easier?
05-12-2022 11:27 PM
Hello,
--> The B-Side consists of one Cisco ISR 1100 which has a dynamic Public IP, it runs on either DSL or Cellular:
Do you have the B side config as well (as much as you can post)? Is this a failover config (DSL primary/cell backup)?
05-13-2022 12:14 AM
Hi @Georg Pauwen
I have sanitized the whole config. Please find it in the attachment. It is a Failover config: GIG0/0/0 is primary and Cell 0/2/0 is failover.
But the failover is not the source of the problem, as it will only trigger after a certain number of seconds. When we have a short ISP drop of 5 seconds, the failover won't trigger but will still give us the current issue.
For your other comment:
I do not see VTI as an option yet. The Problem is that we have 50+ Devices on the "B-Side", connecting to two Locations, each with the redundant ISR Pair. So we are talking 200+ VTI Tunnels / Networks. That will be ugly to manage and maintain.
05-13-2022 12:55 AM
Hello,
can you post a similar sanitized config for both Site A routers as well? I am trying to lab this up; it will take a few hours as it is, and a somewhat comprehensive text file would speed things up.
05-13-2022 05:19 AM
Hi @Georg Pauwen
I have prepared the sanitized config. I had to cut out some stuff as we have a lot of VTI Tunnels; I removed the unnecessary ones.
Thanks a lot
Pascal