cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
386
Views
0
Helpful
3
Replies

VPN failover not working properly

I have this network mocked up in GNS3 before I take it live and I know GNS3 can be buggy so I just want to get an opinion.  As I described in my first post everything fails over from one static route to another and everything is working great now, thanks to your help, except the VPN failover.  The VPN works perfect establishing from the main site to the branch on the primary, both sites can communicate via the VPN, if I run a show crypto isakmp sa I see the correct source and destination points for the tunnel.  But if I clear that association and shut down the Primary port at the main site, I can only establish the tunnel if I try to connect from the main site to the branch, if I try to establish the tunnel from the branch to the main site through the secondary connection pings timeout and running the same show commands shows that addresses backwards ie. the source address is the destination and the destination address is the source.  Is this a bug in GNS3 or do I have an error in my configs.  I have attached both configs if anyone would like to comment.  I appreciate the help.

 

Thanks for everybody's help,

 

Brandon

3 Replies 3

LJ Gabrillo
Level 5
Level 5

I highly recommend using a tunnel topology (EX: GRE Tunnel) with it you can simplify your configuration and simply use dynamic routing (EIGRP) to do the routing for your, failover is also done by the routing protocol.

Your setup uses IPSec VPN, w/c can become tricky considering you need to add IP-SLA and tracking in order for the route to shutdown

Also, IP-SLA and tracking must be done on both routers, not only one

Thank you for the response Isgabrillo, right now I do have IP SLA tracking on the central sites static routes, but for the branch sites that only have one ISP, what would I set the tracking to track at the branch there is only one route out of the network?  As far as using the GRE tunnels, doesn't the whole network have to be running routing protocols?

Well, Yes and No
Yes - for your site routers only
No   - For your other L3 devices, you can simply use "redistribute static subnets" and it will distribute your, well, static routes

Review Cisco Networking for a $25 gift card