dynamic ip FlexVPN Hub Redundancy Router

katheer_4u
Level 1

Good day

Please advise me how I can configure the dynamic IP FlexVPN Hub Redundancy Router. Can I use HSRP or VRRP?

Both routers are ISR 4331/K9.

WAN ports are L3.

LAN ports are L2.

Thanks 

24 Replies

No. The configuration of the routers is independent, and is not replicated.
You will need to manually configure the interfaces and HSRP standby configuration on the other router.

Dear RJI

It gives an error message and the VPN doesn't come up.

HO-FLXVPN-Standby#show standby
GigabitEthernet0/0/0 - Group 2 (version 2)
State is Active
1 state change, last state change 00:14:33
Virtual IP address is 192.168.100.234
Active virtual MAC address is 0000.0c9f.f002 (MAC In Use)
Local virtual MAC address is 0000.0c9f.f002 (v2 default)
Hello time 15 msec, hold time 50 msec
Next hello sent in 0.016 secs
Preemption enabled
Active router is local
Standby router is 192.168.100.233, priority 100 (expires in 0.064 sec)
Priority 110 (configured 110)
Track object 1 (unknown)
Group name is "hsrp-Gi0/0/0-2" (default)
Vlan1 - Group 1 (version 2)
State is Active
2 state changes, last state change 00:14:28
Virtual IP address is 192.168.250.1
Active virtual MAC address is 0000.0c9f.f001 (MAC In Use)
Local virtual MAC address is 0000.0c9f.f001 (v2 default)
Hello time 15 msec, hold time 50 msec
Next hello sent in 0.016 secs
Preemption enabled
Active router is local
Standby router is 192.168.250.4, priority 100 (expires in 0.064 sec)
Priority 110 (configured 110)
Track object 2 (unknown)
Group name is "hsrp-Vl1-1" (default)

Ok, yes, you'll need the FlexVPN load balancer configuration. Check out this link and make the required amendments; if you still have an issue, please provide the configuration of both routers and I'll assist further if required.

HTH

Dear RJI

Please see the attachments for both routers.

Hi,

Try this please:

HUB 1

interface GigabitEthernet0/0/0
 standby 2 name IKEV2_LB

crypto ikev2 cluster
 holdtime 10000
 standby-group IKEV2_LB
 no shutdown

HUB 2

interface GigabitEthernet0/0/0
 standby 2 name IKEV2_LB

crypto ikev2 cluster
 holdtime 10000
 standby-group IKEV2_LB
 slave priority 90
 slave max-session 10
 no shutdown

Provide the output of the commands "show crypto ikev2 sa detail" and "show crypto ikev2 cluster".

HTH

Dear RJI

This config is for the WAN part, right?

How about the LAN part?

The standby-group name needs configuring on the physical interface before the ikev2 cluster command is defined.

interface GigabitEthernet0/0/0
 standby 2 name IKEV2_LB

crypto ikev2 cluster
standby-group IKEV2_LB

HTH

You only need the IKEv2 cluster configuration referencing the standby-group of the WAN facing interface that the tunnel is terminating on. As long as you have HSRP configured on the LAN interfaces and it is working ok, that should be fine.
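As an added example (not from the thread's author or from Cisco), a small Python checker for the dependency described in the last two replies: the standby-group named under crypto ikev2 cluster must exist as a "standby <n> name" entry on the WAN-facing interface, and that HSRP group must carry the virtual IP the cluster answers on. The sample configs HUB1 and HUB2 are constructed; HUB2 deliberately omits the name line.

```python
import re

# Constructed sample configs (not the thread's attachments). HUB1 follows the
# suggested cluster block; HUB2 omits 'standby 2 name' on the WAN interface.
HUB1 = """
interface GigabitEthernet0/0/0
 standby 2 ip 192.168.100.234
 standby 2 name IKEV2_LB
crypto ikev2 cluster
 standby-group IKEV2_LB
 no shutdown
"""
HUB2 = """
interface GigabitEthernet0/0/0
 standby 2 ip 192.168.100.234
crypto ikev2 cluster
 standby-group IKEV2_LB
 no shutdown
"""

def parse_blocks(cfg):
    # Group indented sub-commands under their top-level command.
    blocks, current = {}, None
    for line in filter(str.strip, cfg.splitlines()):
        if not line.startswith(" "):           # top-level command opens a block
            current = line.strip()
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks

def check_cluster(cfg):
    """Return findings; an empty list means the cluster references a usable HSRP group."""
    blocks = parse_blocks(cfg)
    cluster = blocks.get("crypto ikev2 cluster", [])
    group = next((l.split()[1] for l in cluster if l.startswith("standby-group ")), None)
    if group is None:
        return ["cluster block has no standby-group"]
    for blk, lines in blocks.items():
        if not blk.startswith("interface "):
            continue
        for l in lines:
            m = re.match(r"standby (\d+) name (\S+)$", l)
            if m and m.group(2) == group:
                # the named HSRP group must also carry the virtual IP the cluster answers on
                if any(re.match(rf"standby {m.group(1)} ip \S+", x) for x in lines):
                    return []
                return [f"{blk}: HSRP group {m.group(1)} has no virtual IP"]
    return [f"standby-group {group} not defined by 'standby <n> name {group}' on any interface"]
```

Run check_cluster over each hub's running config before enabling the cluster; the LAN-side HSRP groups are not involved and are not checked here.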

Dear RJI

Please see the logs below; I'm still receiving some errors.

HO-FLXVPN#show crypto ikev2 sa detail
IPv4 Crypto IKEv2 SA

Tunnel-id Local Remote fvrf/ivrf Status
1 192.168.100.234/4500 80.211.110.18/4500 none/none IN-NEG
Encr: AES-CBC, keysize: 128, PRF: SHA256, Hash: SHA256, DH Grp:19, Auth sign: PSK, Auth verify: PSK
Life/Active Time: 86400/0 sec
CE id: 1394, Session-id: 0
Status Description: Responder verifying AUTH payload
Local spi: 23B4FB1D6BA51573 Remote spi: 4FD336631F6C1EF6
Local id: 192.168.100.234
Remote id: 192.168.100.150
Local req msg id: 0 Remote req msg id: 1
Local next msg id: 0 Remote next msg id: 2
Local req queued: 0 Remote req queued: 1
Local window: 1 Remote window: 5
DPD configured for 0 seconds, retry 0
Fragmentation not configured.
Extended Authentication not configured.
NAT-T is detected inside
Cisco Trust Security SGT is disabled
Initiator of SA : No

IPv6 Crypto IKEv2 SA



HO-FLXVPN#show crypto ikev2 cluster

Role : CLB Master
Status : Up
CLB Slaves : 0
Cluster IP : 192.168.100.234
Hold time : 10000 msec
Overload limit : 90%
Codes : '*' Least loaded, '-' Overloaded

Load statistics:
Gateway Role Last-seen Prio Load IKE IPsec FQDN
---------------------------------------------------------------------
*192.168.100.233 Master -- 90 21.6% 0 0

++++++++++++++++

*Mar 10 18:53:11.668: %CDP-4-NATIVE_VLAN_MISMATCH: Native VLAN mismatch discovered on GigabitEthernet0/1/0 (1), with FAIL_SWITCH GigabitEthernet1/0/24 (11).

 

+++++++++++++++++++++++++++++++++++++

*Mar 10 18:45:58.795: IKEv2:(SESSION ID = 193,SA ID = 20):Stopping timer to wait for auth message
*Mar 10 18:45:58.795: IKEv2:(SESSION ID = 193,SA ID = 20):Checking NAT discovery
*Mar 10 18:45:58.795: IKEv2:(SESSION ID = 193,SA ID = 20):NAT INSIDE found
*Mar 10 18:45:58.795: IKEv2:(SESSION ID = 193,SA ID = 20):NAT detected float to init port 4500, resp port 4500
*Mar 10 18:45:58.795: IKEv2:(SESSION ID = 193,SA ID = 20):
*Mar 10 18:45:59.244: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:45:59.687: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:45:59.710: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:45:59.753: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:45:59.758: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:46:00.105: IKEv2-ERROR:: Negotiation context locked currently in use
(255.255.255.255)
*Mar 10 18:46:00.527: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:46:00.705: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:46:00.724: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:46:00.730: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:46:01.379: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:46:01.799: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:46:01.829: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:46:02.060: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:46:02.097: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:46:02.447: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:46:02.465: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:46:02.754: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:46:02.778: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:46:03.007: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:46:03.336: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:46:03.378: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:46:03.502: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:46:03.627: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:46:04.045: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:46:04.404: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:46:04.408: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:46:04.482: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:46:04.613: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:46:04.655: IKEv2-ERROR:: Negotiation context locked currently in use
Translating "uall"...domain server (255.255.255.255)
*Mar 10 18:46:09.009: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:46:09.307: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:46:09.330: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:46:09.617: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:46:09.655: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:46:09.953: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:46:10.180: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:46:10.349: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:46:10.403: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:46:10.558: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:46:10.641: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:46:10.884: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:46:11.184: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:46:11.393: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:46:11.669: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:46:11.803: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:46:11.964: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:46:11.986: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:46:12.167: IKEv2-ERROR:: Negotiation context locked currently in use
*Mar 10 18:46:16.390: IKEv2:(SESSION ID = 174,SA ID = 1):Verification of peer's authentication data FAILED
*Mar 10 18:46:16.390: IKEv2:(SESSION ID = 174,SA ID = 1):Sending authentication failure notify
*Mar 10 18:46:16.390: IKEv2:(SESSION ID = 174,SA ID = 1):Building packet for encryption.
Payload contents:
NOTIFY(AUTHENTICATION_FAILED)

++++++++++++++++++++++++++++++++++

Can you please provide the configuration for the 2 hub routers and a spoke (that doesn't work)? Can you also run debug on the spoke whilst it attempts to establish a tunnel and upload the output for review?