09-01-2015 07:11 AM - edited 02-21-2020 08:26 PM
Hi All,
I'm currently configuring a redundant setup of two ISR 4451-X routers. For some reason I don't get how to configure a high available IPSec Tunnel with Static Virtual Tunnel Interfaces (SVTI) on each router.
Setup is as follows:
ASA1- R1 -\
= WAN Switch -> ISP
ASA2- R2 -/
Routers have following VRF instances:
- InternetVRF <-> ISP interface
- TestUntrustVRF <-> ASA Interconnect Untrust Zone
- TestVpnVRF <-> ASA interconnect VPN Zone + SVTI
ASA Test Context:
- TRUST Zone
- UNTRUST Zone
- DMZ Zone
- VPN Zone
Everything is configured with static routing for now, but dynamic routing protocols will be used in future on the VTIs.
The problem I'm facing is that neither inter-device redundancy nor SSO redundancy is supported on the 4451-X devices. Which means my SVTI can not be placed in High Availability, or am I missing some elementary information?
Is there some way to configure a Stateful or Stateless IPSec failover mechanism into these routers with the use of VTI? I have already been trying to configure a redundancy group and add the tunnel interface as "redundancy rii", without any sign of improvement.
I would like to maintain VTI interfaces since the usage of routing protocols, QoS and manageability are more in my personal favor than a crypto map redundancy solution. Otherwise I could have used the ASA VPN IPsec functionality as well.
Hoping anyone can help me on this case!
Kind Regards,
N.
09-01-2015 07:36 AM
For VTIs you achieve your redundancy by using routing-protocols over both tunnels or by using next-hop-tracking with IP SLA. To my knowledge, that's all that can be done and it gives you also a good flexibility in your deployment.
09-02-2015 02:48 AM
So this means if we want to set-up a tunnel with a third-party, they will have to use next-hop-tracking to succeed in routing traffic when one of our routers is down? Meaning one static route with a tracking object and a static floating route with a higher metric.
Extra Question:
I'm feeling like the ISR4451-X is the only one not supporting any decent form of HA then:
- all ISR G2 routers can use IPC with "redundancy inter-device", causing a reload of the active router when for example a link fails. Usable with stateful failover of VTI interfaces
- all ASR routers have the possibility to run "redundancy mode sso or rfr". Usable with stateful failover of VTI interface.
Thank you for your reply.
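The approach the reply above describes (two SVTIs, an IP SLA probe with a tracked static route and a floating static route behind it) looks like this on the third-party peer that terminates one tunnel to R1 and one to R2. This is an added example for illustration, not configuration from the original thread; all addresses, names and the pre-shared-key placeholders are assumptions, and the IPsec parameters are just one working set, not a recommendation tied to the poster's environment. On the ISR side, where the SVTIs sit in VRFs as the OP describes, the tunnel interfaces would additionally carry `vrf forwarding <iVRF>` and `tunnel vrf <fVRF>`; the peer here is shown without VRFs.

```ios
! Added example (IOS-XE style), not from the original thread.
! Assumed addressing: this router's WAN = 198.51.100.1, R1 WAN = 203.0.113.1,
! R2 WAN = 203.0.113.2, tunnel subnets 10.255.0.0/30 (R1) and 10.255.0.4/30 (R2),
! remote LAN behind R1/R2 = 10.10.0.0/16.
crypto ikev2 proposal IKEV2-PROP
 encryption aes-cbc-256
 integrity sha256
 group 19
crypto ikev2 policy IKEV2-POL
 proposal IKEV2-PROP
crypto ikev2 keyring VTI-KEYS
 peer R1
  address 203.0.113.1
  pre-shared-key REPLACE-WITH-STRONG-PSK-R1
 peer R2
  address 203.0.113.2
  pre-shared-key REPLACE-WITH-STRONG-PSK-R2
crypto ikev2 profile VTI-IKEV2
 match identity remote address 203.0.113.1 255.255.255.255
 match identity remote address 203.0.113.2 255.255.255.255
 authentication remote pre-share
 authentication local pre-share
 keyring local VTI-KEYS
 ! DPD tears down stale SAs so the tunnel line protocol drops when a peer dies
 dpd 10 3 periodic
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile VTI-PROF
 set transform-set TS-AES
 set ikev2-profile VTI-IKEV2
!
interface Tunnel1
 description SVTI to R1 (primary)
 ip address 10.255.0.2 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.1
 tunnel protection ipsec profile VTI-PROF
interface Tunnel2
 description SVTI to R2 (secondary)
 ip address 10.255.0.6 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel mode ipsec ipv4
 tunnel destination 203.0.113.2
 tunnel protection ipsec profile VTI-PROF
!
! Probe the far end of the primary tunnel THROUGH the tunnel, so the probe
! also fails when IPsec is broken while the underlying WAN link stays up.
ip sla 1
 icmp-echo 10.255.0.1 source-interface Tunnel1
 frequency 5
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
 delay down 10 up 30
!
! Primary route (default administrative distance 1) is withdrawn when the
! track object goes down; the floating static via Tunnel2 (AD 10) then wins.
! Note that "10" here is the administrative distance, not a metric.
ip route 10.10.0.0 255.255.0.0 Tunnel1 track 1
ip route 10.10.0.0 255.255.0.0 Tunnel2 10
```

The probe target must be the tunnel-side address of R1, not its WAN address: probing the WAN address would keep the primary route installed even when the IPsec SA is down. The `delay down/up` values on the track object dampen flapping; both sides (R1, R2 and this peer) still each need a route to the other side's LAN via their own tunnel, which with independent static routes per router the OP's design already provides. Where a dynamic routing protocol is run over both tunnels instead, the IP SLA/track/floating-static part is replaced by the protocol's own metrics or preferences.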
09-02-2015 03:18 AM
> - all ISR G2 routers can use IPC with "redundancy inter-device", causing a reload of the active router when for example a link fails. Usable with stateful failover of VTI interfaces
That can be achieved by EEM. But why do you want to reload a device if you only need VPN-redundancy which can be achieved much easier?