11-12-2024 07:59 AM
Hello all, I have configured a VPN tunnel; the primary tunnel is working fine and is active. The failover VPN tunnel does not come up because it has the same address in the ACLs applied. When I try sh crypto session remote 2.2.2.2 (backup tunnel) it does not display the failover tunnel. Both tunnels have the same configuration except for the peer IP and PSK, and they use a different ACL list (I thought this would resolve the issue).
11-12-2024 09:41 AM - edited 11-13-2024 10:17 AM
MHM
11-12-2024 10:39 AM
@Mocisco in your router config file you have not supplied the configuration for the backup peer (2.2.2.2).
Essentially you need to configure "set peer 2.2.2.2" under the crypto map, configure the PSK under the keyring and configure the match identity for the remote peer under the IKEV2 profile.
crypto ikev2 keyring KEYRING
 peer Primary Tunnel
  address 1.1.1.1
  pre-shared-key sfhgfbfdfgfvvgdvg
 peer Backup Tunnel
  address 2.2.2.2
  pre-shared-key sfhgfbfdfgfvvgdvg
!
crypto ikev2 profile NAME
 match identity remote address 1.1.1.1 255.255.255.255
 match identity remote address 2.2.2.2 255.255.255.255
!
crypto map OUTSIDE 5 ipsec-isakmp
 set peer 1.1.1.1 default
 set peer 2.2.2.2
DPD should be enabled as default to clear down the stale IPSec SA if the primary peer goes down, then it should failover to the backup peer.
FYI, crypto maps have been deprecated on IOS-XE routers; using a route-based VPN, i.e., FlexVPN DVTI/VTI, is the preferred method.
11-13-2024 01:41 AM
Sorry, forgot to paste the configuration for the backup VPN tunnel. I have this
 peer Backup Tunnel
  address 2.2.2.2
  pre-shared-key sfhgfbfdfgfvvgdvg
already configured. Will both become active if I put both IPs into the same profile and crypto map?
11-13-2024 01:48 AM
@Mocisco no, a connection will be made to the first peer, only if that fails will it connect to the second peer IP (as defined in the crypto map).
You will still need the match statement in the IKEV2 profile I mentioned.
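As an added example (not code from the thread, from the poster, or from Cisco), the checks the two replies above describe turned into a small Python script: it parses an IOS-style configuration and reports any 'set peer' under a crypto map that lacks a keyring pre-shared-key or a 'match identity remote address' line in the referenced IKEv2 profile, and any keyring peer that no crypto map references (the state in which the backup tunnel is never attempted). The sample configurations inside it are constructed from the snippets posted here; the hyphenated peer names, the 'VPN-ACL' name, the authentication and dpd lines are my assumptions, and the parser relies on standard IOS indentation.

```python
"""Consistency check for an IOS IKEv2 crypto-map failover configuration.
Added example, not from the thread: every 'set peer' in a crypto map needs a
keyring peer with a pre-shared-key and a 'match identity remote address' line
in the profile the map references; a keyring peer nothing references never
forms a tunnel. Both sample configs are constructed from the thread's snippets."""
import re
from collections import defaultdict
# Constructed: the backup peer exists in the keyring only; the profile and the
# crypto map still know nothing about it. Peer names are hyphenated (one word).
SAMPLE_CONFIG = """\
crypto ikev2 keyring KEYRING
 peer Primary-Tunnel
  address 1.1.1.1
  pre-shared-key sfhgfbfdfgfvvgdvg
 peer Backup-Tunnel
  address 2.2.2.2
  pre-shared-key sfhgfbfdfgfvvgdvg
!
crypto ikev2 profile NAME
 match identity remote address 1.1.1.1 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local KEYRING
 dpd 10 2 on-demand
!
crypto map OUTSIDE 5 ipsec-isakmp
 set peer 1.1.1.1 default
 set ikev2-profile NAME
 match address VPN-ACL
"""

# Constructed: the same config with the two lines the reply asks for.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    " match identity remote address 1.1.1.1 255.255.255.255\n",
    " match identity remote address 1.1.1.1 255.255.255.255\n"
    " match identity remote address 2.2.2.2 255.255.255.255\n",
).replace(" set peer 1.1.1.1 default\n", " set peer 1.1.1.1 default\n set peer 2.2.2.2\n")


def parse_config(text):
    """Collect keyring peers, profile identity matches and crypto map entries."""
    keyring_peers = {}                  # address -> {"psk": ...}
    profile_matches = defaultdict(set)  # profile name -> matched remote addresses
    crypto_maps = {}                    # (map, seq) -> {"peers": [...], "profile": ...}
    section, current = None, None       # open top-level block / open keyring peer
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        words = line.split()
        if not line.startswith(" "):    # an unindented line opens a new block
            section, current = None, None
            if line.startswith("crypto ikev2 keyring "):
                section = ("keyring", words[3])
            elif line.startswith("crypto ikev2 profile "):
                section = ("profile", words[3])
            elif (m := re.match(r"crypto map (\S+) (\d+) ipsec-isakmp", line)):
                section = ("map", (m.group(1), int(m.group(2))))
                crypto_maps[section[1]] = {"peers": [], "profile": None}
            continue
        kind, key = section or (None, None)  # indented line outside a known block
        if kind == "keyring":
            if words[0] == "peer":
                current = {"psk": None}
            elif words[0] == "address" and current is not None:
                keyring_peers[words[1]] = current
            elif words[0] == "pre-shared-key" and current is not None:
                current["psk"] = words[-1]
        elif kind == "profile" and words[:4] == ["match", "identity", "remote", "address"]:
            profile_matches[key].add(words[4])
        elif kind == "map" and words[0] == "set":
            if words[1] == "peer":
                crypto_maps[key]["peers"].append(words[2])
            elif words[1] == "ikev2-profile":
                crypto_maps[key]["profile"] = words[2]
    return keyring_peers, profile_matches, crypto_maps


def check_failover(text):
    """Return findings as strings; an empty list means the peers are consistent."""
    keyring_peers, profile_matches, crypto_maps = parse_config(text)
    findings, referenced = [], set()
    for (name, seq), entry in crypto_maps.items():
        label, peers, profile = f"crypto map {name} {seq}", entry["peers"], entry["profile"]
        referenced.update(peers)
        if len(peers) < 2:
            findings.append(f"{label}: {len(peers)} 'set peer' line(s); failover needs a backup peer")
        for peer in peers:
            if keyring_peers.get(peer, {}).get("psk") is None:
                findings.append(f"{label}: peer {peer} has no keyring entry with a pre-shared-key")
            elif profile and peer not in profile_matches[profile]:
                findings.append(f"{label}: profile {profile} lacks 'match identity remote address {peer}'")
    for addr in sorted(keyring_peers):
        if addr not in referenced:
            findings.append(f"keyring peer {addr} is not referenced by any 'set peer'; no tunnel is attempted to it")
    return findings


if __name__ == "__main__":
    for title, cfg in (("as posted", SAMPLE_CONFIG), ("backup peer added", FIXED_CONFIG)):
        print(title, "->", check_failover(cfg) or ["OK"])
```

Run against a saved "show running-config", the script flags the two conditions from this thread: a backup peer that sits in the keyring but has no 'set peer', and a 'set peer' whose address the IKEv2 profile never matches, which is exactly the case where the second peer's IKE_SA_INIT is answered but authentication fails and the session never appears in "show crypto session".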
11-13-2024 01:50 AM - edited 11-13-2024 01:52 AM
I need both tunnels to be active and using the same ACL; is that possible?
11-13-2024 01:53 AM
@Mocisco ok, then that is not a failover VPN.
If you want both active, you will need to convert to a route based VPN (not a policy based VPN), such as FlexVPN (or DMVPN).
https://www.cisco.com/c/en/us/support/security/flexvpn/products-configuration-examples-list.html
11-13-2024 10:18 AM
I run a lab; if you want me to share it with you, send me a PM.
thanks
MHM