09-14-2007 03:30 AM - edited 02-21-2020 03:16 PM
Hi , I have a pair of 2821 routers which are configured as ipsec hubs with inter-device redundancy . I use 2 interfaces with HSRP "HA-OUT" to terminate ipsec over vti tunnels and 2 interaces on with HSRP "HA-OUT-ENC" for encapsulated IPSEC .Question is now , can I have redundancy inter-device , scheme standby HA-OUT and scheme standby HA-OUT-ENC ?
09-21-2007 08:25 AM
The following link discusses about the IPSEC redundancy
http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a0080094c1f.shtml
The debug dialer and several show command outputs displayed here show the primary link as failed, and dialer watch recognizesthe lost route. The router then initiates the backup link and OSPF converges through the secondary link. Each time the idle timeout expires, the router checks whether the primary link is down. If the primary link is found to be up, dialer watch disconnects the backup link after the disable timer expires and tears down the call, and OSPF converges by way of the primary link as usual
09-21-2007 11:07 AM
Hi ,
I was talking about statefull HA IPSEC redundancy. The problem I have is that you configure an sctp connection between the 2 devices over which they exchange state . This sctp connection is linked with the HSRP group that is configured on the interfaces , but you cannot link it at the same time to a second HSRP group .
redundancy inter-device
scheme standby HA-out
security ipsec sso-secure
you cannot add a second scheme in here
And that is what I'd like to do
07-20-2017 01:01 AM
HA IPSEC not on redundancy inter-device command.
its in the interface.
ex.
interface GigabitEthernet0/0
standby 2 name ISP-B
crypto map VPN redundancy ISP-B stateful
interface GigabitEthernet0/2
standby 1 name ISP-A
crypto map VPN2 redundancy ISP-A stateful
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide