Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1738
Views
0
Helpful
5
Replies

How do I configure IPsec Stateful Failover on an 891?

graham.jones
Level 1
Level 1

‎09-16-2011 03:43 AM - edited ‎02-21-2020 05:35 PM

We have purchased a couple of Cisco 891 routers - both are running IOS 15.0(1) M5 licensed with advanced IP services (default).

The literature for these devices on Cisco's website claims they support IPsec stateful failover on advanced IP services.

Our intention is to configure them with HSRP and IPsec stateful failover to provide a highly-available default gateway and VPN end-point.

I have configured HSRP and that seems to work fine. My problem is that I cannot configure IPsec stateful failover. The documentation that I have found implies that I need to configure inter-device redundancy on a particular HSRP group and use the physical IP addresses on the interfaces within that group to allow stateful failover communication between the routers however the routers do not recognise the 'redundancy' command in config mode...

e.g.

(config)# redundancy inter-device

                 ^

% Invalid input detected at '^' marker.

Am I missing something?

Labels:
0 Helpful
5 Replies 5

Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎09-16-2011 04:35 AM

Graham,

Can you give me the doc you're referring to?

Feature navigator ( http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp )

doesn't mention this feature as supported on 891.

M.

0 Helpful

graham.jones
Level 1
Level 1
In response to Marcin Latosiewicz

‎09-16-2011 04:42 AM

Marcin,

The literature on Cisco's site that I refer to is:

http://www.cisco.com/en/US/prod/collateral/routers/ps380/data_sheet_c78-519930.html

...look under Security features on table 3.

Thanks.

0 Helpful

Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to graham.jones

‎09-16-2011 05:11 AM

Graham,

You are right but something tells me that that doc is wrong.

No device in 8xx series has ever supported stateful failover (mostly due to limited CPU/mem as far as I remember).

The feature navigator is tating it's not supported.

I just filed:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCts71885

to fix the documenttion to include supported platforms from ISR G2 in this section:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_vpnav/configuration/15-2mt/sec-state-fail-ipsec.html#GUID-12B9F69D-EE16-4CB6-81DD-427E9A2AC014

Would it be possible for you to open a SR for this so we can follow this up with the business unit?

Marcin

0 Helpful

graham.jones
Level 1
Level 1
In response to Marcin Latosiewicz

‎09-16-2011 05:34 AM

Marcin,

What is an SR and how do I go about opening one?

I have tried using Cisco's formal support methods in the past, such as purchasing service packs but I had such difficulty in trying to register them that I gave up and now only use the support community (whenever my books & Google let me down).

Can you advise how much more of the product datasheet is incorrect? i.e, What is an 891 actually capable of?

Thanks.

0 Helpful

Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to graham.jones

‎09-16-2011 05:45 AM

Graham,

I'm not a platform guy, I'm not sure if any of the data is incorrect. The document you mention is/was created and maintained by marketing organization most likely.

I cannot comment on how accurate it is, it was created based on internal spec, which I never saw.

SR = Service Request, "Case with Cisco TAC" ;]

To open one you will need a valid CCO ID AND a serial number of device covered under active contract or warranty.

Service request open tool:

http://tools.cisco.com/ServiceRequestTool/create/launch.do

Marcin

0 Helpful
Customers Also Viewed These Support Documents