Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
386
Views
0
Helpful
3
Replies

VPN failover not working properly

Brandon Fogliano
Level 1
Level 1

‎10-27-2014 07:16 AM - edited ‎03-05-2019 12:02 AM

I have this network mocked up in GNS3 before I take it live and I know GNS3 can be buggy so I just want to get an opinion.  As I described in my first post everything fails over from one static route to another and everything is working great now, thanks to your help, except the VPN failover.  The VPN works perfect establishing from the main site to the branch on the primary, both sites can communicate via the VPN, if I run a show crypto isakmp sa I see the correct source and destination points for the tunnel.  But if I clear that association and shut down the Primary port at the main site, I can only establish the tunnel if I try to connect from the main site to the branch, if I try to establish the tunnel from the branch to the main site through the secondary connection pings timeout and running the same show commands shows that addresses backwards ie. the source address is the destination and the destination address is the source.  Is this a bug in GNS3 or do I have an error in my configs.  I have attached both configs if anyone would like to comment.  I appreciate the help.

 

Thanks for everybody's help,

 

Brandon

Labels:
Preview file
3 KB
Preview file
4 KB
0 Helpful
3 Replies 3

LJ Gabrillo
Level 5
Level 5

‎10-28-2014 08:07 PM

I highly recommend using a tunnel topology (EX: GRE Tunnel) with it you can simplify your configuration and simply use dynamic routing (EIGRP) to do the routing for your, failover is also done by the routing protocol.

Your setup uses IPSec VPN, w/c can become tricky considering you need to add IP-SLA and tracking in order for the route to shutdown

Also, IP-SLA and tracking must be done on both routers, not only one

0 Helpful

Brandon Fogliano
Level 1
Level 1
In response to LJ Gabrillo

‎10-29-2014 09:26 AM

Thank you for the response Isgabrillo, right now I do have IP SLA tracking on the central sites static routes, but for the branch sites that only have one ISP, what would I set the tracking to track at the branch there is only one route out of the network?  As far as using the GRE tunnels, doesn't the whole network have to be running routing protocols?

0 Helpful

LJ Gabrillo
Level 5
Level 5
In response to Brandon Fogliano

‎10-29-2014 05:33 PM

Well, Yes and No
Yes - for your site routers only
No   - For your other L3 devices, you can simply use "redistribute static subnets" and it will distribute your, well, static routes

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card