09-10-2010 09:33 AM
I am setting up EasyVPN with multiple branches to 2 headends, one headend as primary and the other as secondary. In the branch router I am using DPD for failover. Is there a way to control the fail-back timer, or to do a manual fail back?
Here is the scenario:
After failover, when I have continuous traffic going towards the secondary, the branch will not fail back. Once the traffic stops it will fail back. With over 100 branches it is very hard for me to manage. Plus I want to fail back outside working hours.
crypto ipsec client ezvpn EZVPN-Remote
 connect auto
 group easyvpn-group key EzVPNkey
 mode network-extension
 peer 159.208.33.113 default
 peer 192.26.212.114
 username ccsiadmin password W0rkfr0MH0m3
 xauth userid mode local
Thanks for your input.
09-11-2010 04:11 AM
Hi Joe,
I am afraid the behavior you have experienced is expected. If you want dynamic failover and switchback, you can consider using a routing protocol on top of the VPN.
Regards,
Lei Tian
09-13-2010 03:01 PM
Thanks for the response. Do you know what the default timer for the DPD failover is?
I couldn't find that in the documentation. Is there a chance it is based on the IPsec rekey time?
09-14-2010 03:53 AM
Hi Joe,
DPD is used to check the peer's liveness and to remove the ISAKMP SA for a dead peer. There is no default timer; it uses the timer configured by 'crypto isakmp keepalive'.
The switchback to the primary peer happens when the current peer has been idle for some time. This timer is configured by 'set security-association idle-time', and there is no default value.
HTH,
Lei Tian
09-14-2010 05:29 AM
The failover in this scenario is either hub 1 goes down and the client connects to hub 2,
or the primary_wan interface goes down and then the connection goes to the sec_wan interface. In either case keepalives and the idle timer will not kick off a new SA, as you need routing, and in this case you might want to configure IP SLA monitoring to track the static routes.
Keepalives will clear the stale SAs.
Cheers
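Added example, not configuration from the thread: the IP SLA route tracking suggested in the post above, for its second failure case, the branch's primary WAN going down. Everything in it is assumed: a second WAN interface called Dialer1, the placeholder addresses 203.0.113.1 (primary next hop), 198.51.100.1 (backup next hop) and 192.0.2.53 (a stable host beyond the primary ISP used as probe target), and the object numbers. It uses the `track ... ip sla` form; releases older than the branch's 12.4(20)T spell the same object `track ... rtr`.

```ios
! Added example, not from the thread: IP SLA route tracking on the branch for
! the "primary WAN goes down" case.  All names and addresses are placeholders:
!   FastEthernet4  primary WAN, next hop 203.0.113.1
!   Dialer1        hypothetical backup WAN, next hop 198.51.100.1
!   192.0.2.53     stable host beyond the primary ISP, used as probe target
!
! Pin the probe target to the primary path, so that after a failover the probe
! cannot leave via the backup WAN and report the primary healthy when it is not.
ip route 192.0.2.53 255.255.255.255 203.0.113.1
!
ip sla 10
 icmp-echo 192.0.2.53 source-interface FastEthernet4
 frequency 10
 timeout 2000
 threshold 1000
ip sla schedule 10 life forever start-time now
!
! The probe's reachability drives the track object.  "delay down" absorbs a
! short blip; "delay up" is the fail-back control the thread asks about: the
! primary route is not reinstalled until the probe has passed continuously for
! 600 s, so a flapping primary link does not drag every branch back and forth.
track 10 ip sla 10 reachability
 delay down 30 up 600
!
! The primary default route is withdrawn while track 10 is down; the floating
! static with administrative distance 200 then carries traffic over the backup.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 10
ip route 0.0.0.0 0.0.0.0 198.51.100.1 200
```

Verify with `show track 10`, `show ip sla statistics 10` and `show ip route 0.0.0.0` while the primary link is pulled and restored. This only covers the routing half of the post: when the headend is down but the WAN is healthy, the static routes never change and the tunnel moves only once DPD tears down the ISAKMP SA and the EasyVPN client walks its peer list. Binding the EasyVPN client to the backup WAN interface as well is a separate step not shown here and should be checked against the Easy VPN Remote documentation for the release in use.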
09-14-2010 08:10 AM
Hey, it's not working. On the head-end I have configured "crypto isakmp keepalive 20 periodic"; on the branch I have the same config. Once I kill the outside interface of the head-end it will not fail over to the backup head-end.
Also, after I shut down the interface of the head-end you can still see the ISAKMP SA as ACTIVE on the head-end to the branch site, and on the branch site you can still see the ISAKMP SA active to the head-end, even though the head-end interface is shut down. This is EasyVPN, to clarify.
09-14-2010 08:19 AM
Hi Joe,
When you shut down the EasyVPN server's interface, do you still have reachability to the peer IP from the remote? Do you have active traffic from the remote to the server?
Regards,
Lei Tian
09-14-2010 08:23 AM
No access to the peer IP from the remote; yes, we do have active traffic from the remote to the server. We're trying to simulate the live environment. There is an IP phone and a thin client at the remote end which would be creating the traffic (and management traffic).
09-14-2010 08:27 AM
That doesn't sound like the right behavior.
Can you post the config of one of the remotes and the config of the server? What IOS versions are running on them?
Regards,
Lei Tian
09-14-2010 08:45 AM
Branch config, running IOS c880data-universalk9-mz.124-20.T3.bin:

version 12.4
no service pad
service timestamps debug datetime msec
service timestamps log datetime localtime
no service password-encryption
!
hostname Branch_Lab
!
boot-start-marker
boot-end-marker
!
logging message-counter syslog
logging buffered 4096
no logging console
enable secret 5 $1$OFnN$.WaaLmnE0H22TZa44RtwG/
!
no aaa new-model
!
crypto pki trustpoint TP-self-signed-1655380819
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-1655380819
 revocation-check none
 rsakeypair TP-self-signed-1655380819
!
crypto pki certificate chain TP-self-signed-1655380819
 certificate self-signed 01
  3082024D 308201B6 A0030201 02020101 300D0609 2A864886 F70D0101 04050030
  31312F30 2D060355 04031326 494F532D 53656C66 2D536967 6E65642D 43657274
  69666963 6174652D 31363535 33383038 3139301E 170D3130 30313134 32303239
  33375A17 0D323030 31303130 30303030 305A3031 312F302D 06035504 03132649
  4F532D53 656C662D 5369676E 65642D43 65727469 66696361 74652D31 36353533
  38303831 3930819F 300D0609 2A864886 F70D0101 01050003 818D0030 81890281
  81008A78 D1BE2841 CE39F3A6 0BFFE7D7 9BA5D318 0985DD65 C6F5CB1A 97318976
  C6C0F41B CD6FE041 961F3570 0FD2DE1E B61B29AF 82A194B6 E9D780D0 76730E45
  52064B8A E77256B8 9FBEED68 5F93F807 00986F59 CD0C6213 39F9B975 497B546B
  C38A9B8B 47B87C55 BBC9881B B626370A 215F7550 1684D1DE E97C9C02 BA453FAD
  EC210203 010001A3 75307330 0F060355 1D130101 FF040530 030101FF 30200603
  551D1104 19301782 15427261 6E63682E 796F7572 646F6D61 696E2E63 6F6D301F
  0603551D 23041830 168014B8 7B0B07FD D371366F 0B21264D 3B0EB461 8F085F30
  1D060355 1D0E0416 0414B87B 0B07FDD3 71366F0B 21264D3B 0EB4618F 085F300D
  06092A86 4886F70D 01010405 00038181 0044F2C2 CFF10BFC 66C95D0F 4FEA5C79
  F27D28E1 4F08DF3D 261E0FEA 1F936B5B 7A5C552F 06772947 62CCA6BA 23659488
  A55EA76E 62EDE17E 67D92BDA 4509E889 18344300 CE2D2C27 1A0EE2E6 F7DA3B09
  29A82BE1 E042054A 7953B36E 242B35B1 C90C9AB5 4EABC339 C72D12AF DF004036
  0EEA0F39 8B242732 15940E81 6FC108F7 79
  quit
ip source-route
!
ip dhcp excluded-address 10.214.0.1
ip dhcp excluded-address 10.214.0.2
ip dhcp excluded-address 10.214.0.3
ip dhcp excluded-address 10.214.8.1
ip dhcp excluded-address 10.214.8.2
ip dhcp excluded-address 10.214.8.3
!
ip dhcp pool REMOTE_LOCAL_POOL
 network 10.214.8.0 255.255.255.248
 default-router 10.214.8.1
 dns-server x.x.x.x x.x.x.x
 option 161 ascii x.x.x.x
 option 162 ascii /
 lease 33
!
ip cef
no ip domain lookup
ip domain name x.x.x.x
!
no ipv6 cef
!
multilink bundle-name authenticated
!
crypto isakmp keepalive 20 periodic
!
crypto ipsec security-association idle-time 60
!
crypto ipsec client ezvpn EZVPN-Remote
 connect auto
 group easyvpn-group key EzVPNkey
 mode network-extension
 peer x.x.x.x default
 peer x.x.x.x
 username XXXX password XXXX
 xauth userid mode local
!
archive
 log config
  hidekeys
!
interface FastEthernet0
!
interface FastEthernet1
!
interface FastEthernet2
!
interface FastEthernet3
!
interface FastEthernet4
 ip address x.x.x.x 255.255.255.248
 ip access-group Internet_R3_In in
 ip access-group Internet_R3_Out out
 no ip redirects
 no ip proxy-arp
 speed 100
 full-duplex
 crypto ipsec client ezvpn EZVPN-Remote
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
 ip address 10.214.8.1 255.255.255.248
 no ip redirects
 no ip proxy-arp
 ip tcp adjust-mss 1452
 no autostate
 crypto ipsec client ezvpn EZVPN-Remote inside
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 x.x.x.x
no ip http server
no ip http secure-server
!
ip access-list extended Internet_In
 permit udp any eq bootps any eq bootpc
 permit tcp any any eq 22
 permit esp host x.x.x.x any
 permit udp host x.x.x.x any eq isakmp
 permit esp host x.x.x.x any
 permit udp host x.x.x.x any eq isakmp
 deny ip any any log
ip access-list extended Internet_Out
 permit esp any host x.x.x.x
 permit udp any host x.x.x.x eq isakmp
 permit esp any host x.x.x.x
 permit udp any host x.x.x.x eq isakmp
 deny ip any any log
ip access-list extended Internet_R3_In
 permit udp any eq bootps any eq bootpc
 permit tcp any any eq 22
 permit esp host x.x.x.x any
 permit udp host x.x.x.x any eq isakmp
 permit esp host x.x.x.x any
 permit udp host x.x.x.x any eq isakmp
 deny ip any any log
ip access-list extended Internet_R3_Out
 permit esp any host x.x.x.x
 permit udp any host x.x.x.x eq isakmp
 permit esp any host x.x.x.x
 permit udp any host x.x.x.x eq isakmp
ip access-list extended port4000
 permit udp any any eq 4000 log
 permit tcp any any eq 3389 log
 permit udp any any eq 3471 log
 permit udp any any eq 9427 log
 permit udp any any eq 17185 log
 permit udp any any eq 6901 log
 permit ip any any
!
logging trap notifications
logging source-interface Vlan1
logging x.x.x.x
access-list 10 permit x.x.x.x 0.0.0.255
access-list 20 permit x.x.x.x
snmp-server community x.x.x.x RO
snmp-server community x.x.x.x RW
snmp-server community x.x.x.x RO 10
snmp-server community x.x.x.x RW 20
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps envmon
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps cpu threshold
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server host x.x.x.x snmp
snmp-server host x.x.x.x config
snmp-server host x.x.x.x snmp
snmp-server host x.x.x.x snmp
snmp-server host x.x.x.x snmp
snmp-server host x.x.x.x snmp
no cdp run
!
control-plane
!
line con 0
 logging synchronous
 login local
 no modem enable
line aux 0
line vty 0 4
 privilege level 15
 login local
 transport input ssh
!
scheduler max-task-time 5000
end
Head-end config, using IOS c3845-advipservicesk9-mz.124-15.T14.bin:

version 12.4
service timestamps debug datetime msec
service timestamps log datetime localtime
service password-encryption
!
hostname
!
boot-start-marker
boot system flash:c3845-advipservicesk9-mz.124-15.T14.bin
boot-end-marker
!
logging buffered 50000
!
aaa new-model
!
aaa authentication login EASYVPN_xauth local
aaa authorization network EasyVPN_author local
!
aaa session-id common
!
crypto pki trustpoint TP-self-signed-3558073547
 enrollment selfsigned
 subject-name cn=IOS-Self-Signed-Certificate-3558073547
 revocation-check none
 rsakeypair TP-self-signed-3558073547
!
dot11 syslog
!
ip cef
!
no ip domain lookup
ip domain name x.x.x.x
ip inspect log drop-pkt
!
multilink bundle-name authenticated
!
voice-card 0
 no dspfarm
!
username x.x.x.x
!
crypto isakmp policy 2
 encr aes
 authentication pre-share
 group 2
crypto isakmp key userx address x.x.x.x
crypto isakmp key userx address x.x.x.x
crypto isakmp key userx address x.x.x.x
crypto isakmp keepalive 20 periodic
!
crypto isakmp client configuration group easyvpn-group
 key EzVPNkey
 dns x.x.x.x x.x.x.x
 domain x.x.x.x
 acl Tunnel-Traffic
 save-password
crypto isakmp profile IKE-PROFILE
 description PSK group
 match identity group easyvpn-group
 client authentication list EASYVPN_xauth
 isakmp authorization list EasyVPN_author
 client configuration address respond
 client configuration group easyvpn-group
 virtual-template 1
!
crypto ipsec security-association idle-time 60
!
crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
!
crypto ipsec profile IPSEC-PROFILE
 set transform-set ESP-AES-128-SHA
 set isakmp-profile IKE-PROFILE
!
crypto map SunLife-MAP 1 ipsec-isakmp
 set peer x.x.x.x
 set transform-set ESP-AES-128-SHA
 match address 100
crypto map SunLife-MAP 2 ipsec-isakmp
 set peer x.x.x.x
 set transform-set ESP-AES-128-SHA
 match address 101
crypto map SunLife-MAP 3 ipsec-isakmp
 set peer x.x.x.x
 set transform-set ESP-AES-128-SHA
 match address 102
!
archive
 log config
  hidekeys
!
class-map match-any voice_out
 match dscp ef
!
policy-map WFH_Traffic
 description Prioritize VoIP over VDI Traffic
 class voice_out
  priority 100
 class class-default
  fair-queue
  random-detect dscp-based
  random-detect dscp 0 15 40
  random-detect dscp 2 12 40
  random-detect dscp 4 10 40
  random-detect dscp 6 8 40
  random-detect dscp 10 20 40
policy-map SHAPE
 class class-default
  shape average 1500000
  service-policy WFH_Traffic
!
interface GigabitEthernet0/0
 description OUTSIDE
 ip address x.x.x.x 255.255.255.0
 ip access-group Internet_In in
 ip access-group Internet_Out out
 no ip redirects
 no ip proxy-arp
 duplex full
 speed 100
 media-type rj45
 crypto map SunLife-MAP
!
interface GigabitEthernet0/1
 description $ES_LAN$
 ip address x.x.x.x 255.255.255.0
 no ip redirects
 no ip proxy-arp
 ip flow ingress
 ip flow egress
 duplex full
 speed 100
 media-type rj45
!
interface Virtual-Template1 type tunnel
 description EasyVPN For PSK Users
 ip unnumbered GigabitEthernet0/0
 tunnel source GigabitEthernet0/0
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-PROFILE
 service-policy output SHAPE
!
router bgp 64534
 no synchronization
 bgp log-neighbor-changes
 network x.x.x.x mask 255.255.255.248
 neighbor x.x.x.x remote-as 65005
 neighbor x.x.x.x update-source GigabitEthernet0/1
 neighbor x.x.x.x version 4
 neighbor x.x.x.x next-hop-self
 no auto-summary
!
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 x.x.x.x
ip route 10.65.0.0 255.255.0.0 x.x.x.x
ip route 10.68.0.0 255.255.0.0 x.x.x.x
ip route x.x.x.x 255.255.255.0 x.x.x.x
!
ip flow-top-talkers
 top 20
 sort-by bytes
!
no ip http server
no ip http secure-server
!
ip access-list extended Internet_In
 permit icmp host x.x.x.x host x.x.x.x
 permit icmp host x.x.x.x host x.x.x.x
 permit tcp any host x.x.x.x eq 22
 permit esp any host x.x.x.x
 permit udp any host x.x.x.x eq isakmp
ip access-list extended Internet_Out
 permit esp host x.x.x.x any
 permit udp host x.x.x.x any eq isakmp
ip access-list extended Tunnel-Traffic
 permit ip any 10.214.0.0 0.0.255.255
!
logging source-interface GigabitEthernet0/1
logging x.x.x.x
access-list 10 permit x.x.x.x 0.0.0.255
access-list 10 permit x.x.x.x 0.0.0.255
access-list 10 permit x.x.x.x 0.0.0.255
access-list 10 permit x.x.x.x 0.0.0.255
access-list 20 permit x.x.x.x
access-list 100 permit ip 10.214.8.0 0.0.7.255 x.x.x.x 0.0.0.255
access-list 100 permit ip host x.x.x.x x.x.x.x 0.0.0.255
access-list 101 permit ip 10.214.0.0 0.0.255.255 x.x.x.x 0.0.0.255
access-list 101 permit ip host x.x.x.x x.x.x.x 0.0.0.255
access-list 102 permit ip 10.214.0.0 0.0.255.255 x.x.x.x 0.0.0.255
access-list 102 permit ip host x.x.x.x x.x.x.x 0.0.0.255
snmp-server community x.x.x.x RW
snmp-server community x.x.x.x RO
snmp-server community x.x.x.x RO 10
snmp-server community x.x.x.x RW 20
snmp-server enable traps snmp authentication linkdown linkup coldstart warmstart
snmp-server enable traps flash insertion removal
snmp-server enable traps envmon
snmp-server enable traps memory bufferpeak
snmp-server enable traps config-copy
snmp-server enable traps config
snmp-server enable traps entity
snmp-server enable traps cpu threshold
snmp-server enable traps l2tun session
snmp-server enable traps isakmp policy add
snmp-server enable traps isakmp policy delete
snmp-server enable traps isakmp tunnel start
snmp-server enable traps isakmp tunnel stop
snmp-server enable traps ipsec cryptomap add
snmp-server enable traps ipsec cryptomap delete
snmp-server enable traps ipsec cryptomap attach
snmp-server enable traps ipsec cryptomap detach
snmp-server enable traps ipsec tunnel start
snmp-server enable traps ipsec tunnel stop
snmp-server enable traps ipsec too-many-sas
snmp-server host x.x.x.x snmp
snmp-server host x.x.x.x config
snmp-server host x.x.x.x snmp
snmp-server host x.x.x.x snmp
snmp-server host x.x.x.x snmp
snmp-server host x.x.x.x snmp
snmp-server host x.x.x.x snmp
snmp-server host x.x.x.x snmp
!
control-plane
!
line con 0
line aux 0
line vty 0 4
 access-class 10 in
 privilege level 15
 logging synchronous
 transport input ssh
!
scheduler allocate 20000 1000
!
end
09-14-2010 12:55 PM
Hi,
I didn't see any known software defect that matches your case.
One thing you can try is to remove 'crypto ipsec security-association idle-time 60' from the config, and see if that makes any difference.
HTH,
Lei Tian
09-14-2010 01:03 PM
Thanks everyone for your help. We configured the head-end with "set security-association lifetime seconds 120" in the IPsec profile and "keepalive 20 retry 2" in the ISAKMP profile, so the branch would have this pushed down to its profile. To stop the automatic fail back and to have a controlled fail back later, we configured the "idletime" on the branch site. Seems to be working perfectly after multiple tests.
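As an added example, not configuration posted in the thread: the timers described in the post above, written into the head-end and branch configs posted earlier, together with the exec commands for a controlled fail back. This also illustrates Lei Tian's earlier explanation of the two timers: the global `crypto ipsec security-association idle-time` on the branch is the router-wide form of the `set security-association idle-time` crypto-map command he names. The `keepalive 20 retry 2`, `set security-association lifetime seconds 120` and 60 s idle-time values are Joe's; the placement of those lines and the 2 s retry interval on the branch's global keepalive line are assumptions.

```ios
! Added example, not posted in the thread.  Values quoted from the post are
! kept; their placement and the branch retry interval are assumptions.
!
! ---- Head-end (c3845, 12.4(15)T14) ----
crypto isakmp profile IKE-PROFILE
 description PSK group
 match identity group easyvpn-group
 client authentication list EASYVPN_xauth
 isakmp authorization list EasyVPN_author
 client configuration address respond
 client configuration group easyvpn-group
 virtual-template 1
 ! DPD for this profile: probe every 20 s; once a probe goes unanswered,
 ! retry every 2 s, then drop the ISAKMP SA and the IPsec SAs under it
 keepalive 20 retry 2
!
crypto ipsec profile IPSEC-PROFILE
 set transform-set ESP-AES-128-SHA
 set isakmp-profile IKE-PROFILE
 ! phase 2 rekey every 120 s, the lowest lifetime IOS accepts
 set security-association lifetime seconds 120
!
! ---- Branch (c880, 12.4(20)T3) ----
! global DPD: 20 s interval, 2 s retry (assumed), periodic rather than
! on-demand, so a dead peer is noticed even while the branch keeps sending
crypto isakmp keepalive 20 2 periodic
!
! Fail-back trigger.  The SA to the peer in use is deleted only after it has
! carried no traffic for 60 s; the client then reconnects and tries the peer
! marked "default" first.  Constant traffic (the IP phone, the thin client)
! keeps this timer from expiring, which is why the secondary was never released.
crypto ipsec security-association idle-time 60
!
crypto ipsec client ezvpn EZVPN-Remote
 connect auto
 group easyvpn-group key EzVPNkey
 mode network-extension
 peer x.x.x.x default
 peer x.x.x.x
 username XXXX password XXXX
 xauth userid mode local
!
! Controlled fail back outside working hours is an exec command, not config:
! resetting the client forces a reconnect, and "connect auto" with the peer
! marked "default" sends it back to the primary whenever that is reachable.
!   clear crypto ipsec client ezvpn EZVPN-Remote
!   show crypto ipsec client ezvpn
!   show crypto isakmp sa
```

Checks worth running after a failover test: `show crypto ipsec client ezvpn` shows which peer the client is currently bound to, and `show crypto isakmp sa` on both ends should stop listing an ACTIVE SA to the shut-down head-end once the 20 s interval plus the retry window has elapsed. DPD is what detects a dead peer; the IPsec lifetime only bounds how long an SA lives between rekeys, and a two-minute lifetime means every one of the 100+ branches rekeys phase 2 every two minutes, which is worth watching on the head-end's CPU.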
09-15-2010 04:05 AM
Thanks for the update Joe. +5