10-07-2002 07:51 AM - edited 02-21-2020 12:06 PM
Hi all,
I've heard that it is possible to perform IPsec failover without losing sessions
with IOS/IPsec routers, tunnels and a routing protocol.
How does it work?
Do I need HSRP on the inside and outside?
How can I detect if the IPsec tunnel on router 1 is down, and force the second one
to become the active router?
A sample config or link would be useful.
Thanks
10-07-2002 10:30 PM
Stateful failover of IPSec is not available as yet in IOS, although they are talking about it. The best you can do at the moment is point your IPSec router to an HSRP address at the head-end, and then use the following:
http://www.cisco.com/warp/public/707/ipsec_feat.html
Note the "crypto map
11-07-2002 09:52 AM
Hi,
Just setting this up myself! The only IOS that supports HSRP and VPN tunnels is, I believe, 12.2-8.T5, but this will NOT permit stateful tracking of the IPSEC tunnel, so if the HSRP group changes you will lose all current sessions. Try looking for IPsec VPN High Availability Enhancements under ver 12.2, but unless this feature is migrated to other IOS releases I would suspect some other form of HSRP/VPN offering is on the way. This feature permits tracking of a crypto map to an HSRP name and sends keepalives to ensure tunnels are torn down and re-established on the new HSRP master.
Good luck!
Mike