Introduction:
This document describes a scenario in which a user faces an issue involving IPSec Security Associations (SAs) and HSRP.
What is HSRP?
HSRP stands for Hot Standby Router Protocol. It is a Cisco proprietary protocol used to implement router redundancy, giving nearly 100 percent availability of the gateway router. If the primary router goes down, the standby (backup) router takes over the routing functions that were running on the primary router.
If the user is not using Cisco devices exclusively, Cisco also supports other redundancy protocols:
- Virtual Router Redundancy Protocol (VRRP), an industry standard
- Gateway Load Balancing Protocol (GLBP), a Cisco proprietary alternative to HSRP
How does HSRP work?
When HSRP is configured and running, a router is either primary or standby. For example:
We have two routers, R1 (primary) and R2 (standby). If R1 fails to send HELLO packets to R2 for a defined period of time, R2 assumes that R1 is down and a changeover takes place: R2 takes over the virtual IP address and responds to the virtual Ethernet MAC address that is associated with that virtual IP.
R1 and R2 keep exchanging HSRP HELLO packets, which confirms that both routers are up and in sync. HELLO packets are multicast to IP address 224.0.0.2 on UDP port 1985. IOS 10.0 supports HSRP; IOS versions 11 and 12 provide the updated release of HSRP.
Note: Router redundancy is not limited to two routers. A user can create a group of routers working together and have multiple "standby" routers.
Core issue
Crypto maps get disabled when changes are made to the Hot Standby Router Protocol (HSRP) configuration on the router.
Resolution
First, manually clear the IPSec Security Associations (SAs) on the primary router. If that does not help, remove the crypto maps from the interfaces on which HSRP is defined and re-apply them.
Whenever you change the HSRP configuration on an interface that has a crypto map applied, re-apply the crypto map after the change.
For more information, refer to the Configuring HSRP with IPSec section of IPSec VPN High Availability Enhancements.
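As an added example (not part of the original note), the resolution steps above as they would be entered on an IOS router, followed by the HSRP-bound crypto map configuration from the referenced document. The interface name, crypto map name, HSRP group number and name, and the addresses are assumptions for illustration.

```cisco
! Step 1: clear the existing IPSec SAs on the primary (HSRP active) router
Router# clear crypto sa
Router# show crypto ipsec sa
!
! Step 2: if tunnels still do not establish, remove the crypto map from the
! interface where HSRP is defined and re-apply it (names are assumed)
Router# configure terminal
Router(config)# interface GigabitEthernet0/0
Router(config-if)# no crypto map VPNMAP
Router(config-if)# crypto map VPNMAP
Router(config-if)# end
!
! Step 3: configuration from the referenced "Configuring HSRP with IPSec"
! section; the crypto map is bound to the HSRP group so the SAs follow the
! virtual IP address on failover. Any later change to the "standby" lines
! requires the crypto map to be removed and re-applied, as the note describes.
Router# configure terminal
Router(config)# interface GigabitEthernet0/0
Router(config-if)# ip address 192.0.2.2 255.255.255.0
Router(config-if)# standby 1 ip 192.0.2.1
Router(config-if)# standby 1 name HSRP-VPN
Router(config-if)# standby 1 priority 110
Router(config-if)# standby 1 preempt
Router(config-if)# crypto map VPNMAP redundancy HSRP-VPN
Router(config-if)# end
!
! Verify: the active router should own the virtual IP and have the map applied
Router# show standby brief
Router# show crypto map
Router# show crypto ipsec sa
```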
Problem Type
Connectivity to the device
Troubleshoot software feature
Product Family
Routers
Manifestation
Does not start
Frequency
Continuously
Cisco IOS Software Version
12.3
12.1
12.2
VPN Tunnel End Points
Router
Selected PIX or Router Commands
debug
VPN Protocols
IPSec
VPN Tunnel Initialization
IPSec session is not established