Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2662
Views
0
Helpful
5
Replies

Ipsec VPN Failover issue Cisco 881

sudan_023
Level 1
Level 1

‎08-28-2011 11:56 PM - edited ‎02-21-2020 05:32 PM


Screen shot 2011-08-29 at 12.21.29 PM.png

Guys, i am facing some problem here i have 2 links in my headoffice from same ISP and got a fortigate, 
both Ipsec tunnels are working but problem is with my cisco when 2.2.2.78 is down which is primary the 
tunnel didnt switch automatically to secondary 1.1.1.51 i have 2 routes for 10.10.3.0/24 with different 
distance in fortigate. the actual problem is that when the primary link of HO goes down the branch 
router didnt switch to seconday HO link and the access list keep matching with the primary tunnel. 
If i remove access list from the primary tunnel then it works fine but i need automatic failover. 
Cisco 881 configuration is below, if you need addtional information let me know. Thank you 


!
track 101 ip sla 101 reachability
!
!
crypto isakmp policy 10
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp key test123 address 1.1.1.51
crypto isakmp key test456 address 2.2.2.78
crypto isakmp keepalive 10 periodic
!
!
crypto ipsec transform-set my-set esp-3des esp-sha-hmac
!
crypto map mymap 11 ipsec-isakmp
 match address 102
 set peer 2.2.2.78
 set security-association lifetime seconds 86400
 set transform-set my-set
crypto map mymap 12 ipsec-isakmp
 set peer 1.1.1.51
 set security-association lifetime seconds 86400
 set transform-set my-set
 match address 101
!
!
!
!
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address 1.1.1.52 255.255.255.0
 duplex auto
 speed auto
 crypto map mymap
!
interface Vlan1
 ip address 10.10.3.1 255.255.255.0
!
ip forward-protocol nd
no ip http server
no ip http secure-server
!
ip route 0.0.0.0 0.0.0.0 1.1.1.9 track 101
ip route 0.0.0.0 0.0.0.0 1.1.1.51 200
ip route 2.2.2.78 255.255.255.255 1.1.1.9
!
ip sla 101
 icmp-echo 2.2.2.78 source-interface FastEthernet4
 timeout 500
 threshold 499
 frequency 3
ip sla schedule 101 life forever start-time now
access-list 101 permit ip 10.10.3.0 0.0.0.255 any
access-list 102 permit ip 10.10.3.0 0.0.0.255 any
!
end
Labels:
0 Helpful
5 Replies 5

Mohammad Alhyari
Cisco Employee
Cisco Employee

‎08-29-2011 01:49 AM

hi ,

so routing is responsible for switching the VPN path here , can you share the following when the problem is there :

show ip route

show crypto isa sa

show crypto ipsec sa

cheers !

0 Helpful

sudan_023
Level 1
Level 1
In response to Mohammad Alhyari

‎08-30-2011 02:19 AM

hello mohammad, yes routing is responsible for switching the vpn path. here is the output form these show commands:

BRANCH#sh ip route (when the primary link of HO is UP i.e 2.2.2.78)
S*    0.0.0.0/0 [1/0] via 1.1.1.9


BRANCH#sh ip route (when the primary link of HO is Down i.e 2.2.2.78)


S*    0.0.0.0/0 [1/0] via 1.1.1.51



BRANCH#sh crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
202.166.219.52  202.166.219.51  QM_IDLE           2006 ACTIVE
202.166.219.52  202.166.217.78  QM_IDLE           2005 ACTIVE



BRANCH#sh access-lists
Extended IP access list 101
    10 permit ip 10.10.3.0 0.0.0.255 any (160 matches)
Extended IP access list 102
    10 permit ip 10.10.3.0 0.0.0.255 any (160 matches)

Mohammad the main problem is with the access-list the traffic keep matching both
access lists. If the primary tunnel goes down the access list didnt switch to the 
backup tunnel. Default route does change. CHEERS MATE!!! waiting for the solution.
0 Helpful

Mohammad Alhyari
Cisco Employee
Cisco Employee
In response to Mohammad Alhyari

‎08-30-2011 02:38 AM

Hi ,

the problem for sure is not with the access-list if you still see hits on both access-lists then the router is doing load balancing on both interfaces , can you share the full show ip route if possibe!

regards.

0 Helpful

Lee Valentin
Level 1
Level 1

‎08-29-2011 09:04 AM

Use the Cisco Embedded Event Manager to track when the primary ISP goes down and tell it to run commands to bring the tunnel down on primary.

You can also create a policy when the reverse happens. This is all dynamic within the Cisco IOS.

Cisco EEM information can be found here

http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_eem_overview.html

0 Helpful

Mohammad Alhyari
Cisco Employee
Cisco Employee
In response to Lee Valentin

‎08-30-2011 02:43 AM

hi , at the time of the issue if you are still seeing hits on both access-lists , then this means the router is doing loadbalancing for the destination ?

please share the full output of the "show ip route"

regards.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents