VPN with backup peers & DPD

stevenmcnamara
Level 1

Hi,

I'm having some problems with Cisco 870 routers connected to Cisco ASA 5550 firewalls via the internet and IPsec L2L VPNs. The 870 router establishes a tunnel to the default peer without a problem. The crypto map has 4 entries, so depending on the traffic being sent through the 870 router there can be up to 4 SPIs using that tunnel.

The problem is as follows:

As the underlying connectivity is via the Internet, every now and then we see that the router establishes a tunnel to the backup peer (123.44.55.66). When this happens I end up with two active tunnels, with at least one SPI still active on the default tunnel peer. The problem I have is that on the other end of these tunnels, when the VPN is created to the backup peer it uses RRI to advertise the 870's LAN into our core network. Traffic from the Core will be routed via the backup VPN, but traffic from the 870 can still use the default VPN to send traffic. Asymmetric traffic then breaks connectivity for the site.

So the problem I see is that the 870 router (using DPD) should only ever have one tunnel up; if it detects a problem with that one it should tear it down and establish a tunnel to the backup peer. Traffic would then be symmetric.

Does anyone have any ideas? Any clues why both tunnels stay up?

Cheers
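For readers trying to reproduce or check the setup described above, the following is an added, constructed IOS configuration sketch, not the poster's own config: a crypto map entry with a default (preferred) peer and a backup peer, periodic DPD enabled, and the show commands that reveal whether more than one peer currently holds SAs. The default-peer address, pre-shared key, interface, ACL and map names are placeholders; only the backup address 123.44.55.66 comes from the post.

```cisco
! Added example, not the poster's configuration. Addresses, key, interface and names are placeholders.
! Periodic DPD: send a keepalive every 10 s and declare the peer dead after retries 3 s apart.
crypto isakmp keepalive 10 3 periodic
!
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
crypto isakmp key EXAMPLE-PSK address 203.0.113.10
crypto isakmp key EXAMPLE-PSK address 123.44.55.66
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
! One crypto map entry per protected traffic set (the post has four).
! Each entry lists the preferred peer with the "default" keyword, then the backup peer.
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.10 default
 set peer 123.44.55.66
 set transform-set TS
 match address VPN-ACL-10
!
interface FastEthernet4
 crypto map VPNMAP
!
! Verification from the 870:
! show crypto isakmp sa                       - one IKE SA per peer; two peers listed is the symptom described
! show crypto ipsec sa | include peer|spi|#pkts - which peer each IPsec SA (SPI) belongs to and whether it carries traffic
! show crypto session detail                  - per-peer session state and uptime
! debug crypto isakmp                         - shows the DPD R-U-THERE / R-U-THERE-ACK exchange and any dead-peer detection
```

With `show crypto ipsec sa` it is possible to confirm the situation the post describes: SAs for some crypto map entries still pointing at the default peer while newer SAs for other entries point at the backup peer.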

3 Replies

stevenmcnamara
Level 1

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsa46834&from=summary

CSCsa46834 seems to describe the problem exactly, but affected versions only show 12.3; we're running 12.4(15)T7.

rizwanr74
Level 7

You need to introduce IP SLA and a track object to monitor route availability, and based on the return value the router will push the traffic through either one of the tunnel paths.

Please review the config in the thread below; you may want to change it to reflect your setup.

https://supportforums.cisco.com/thread/2034251

Thanks

stevenmcnamara
Level 1

Hi rizwanr74,

Thanks for the reply. I don't think that applies here; each client only has a single Internet connection, so there are no routing changes required. The redundancy we're looking for is on the ASA firewall endpoint, by having the default peer and then a 2nd peer if that is unavailable. DPD should detect if the default peer is unavailable, tear down the tunnel and then establish to the 2nd peer. We are not seeing the tearing down take place.

Cheers