IPSec High-Availability on SVTI with 2x ISR4451-X

niels.dutry
Level 1

Hi All,

I'm currently configuring a redundant setup of two ISR 4451-X routers. For some reason I don't get how to configure a highly available IPsec tunnel with Static Virtual Tunnel Interfaces (SVTI) on each router.

Setup is as follows:

ASA1 - R1 -\
            = WAN Switch -> ISP
ASA2 - R2 -/

  • The WAN interface on each router is connected towards a WAN switch. The WAN interface is configured in HSRP mode with R1 as primary.
  • Each router has a subinterface serving as the interconnect network towards the ASA context's untrust zone, also configured in HSRP with R1 as primary router.
  • The ASA is set up as Active-Passive (ASA1 primary) with security context mode enabled.
  • The setup is multi-tenant, so multiple VRF instances are created for manageability/separation/overlap.


The routers have the following VRF instances:

- InternetVRF <-> ISP interface

- TestUntrustVRF <-> ASA Interconnect Untrust Zone

- TestVpnVRF <-> ASA interconnect VPN Zone + SVTI


ASA Test Context:

- TRUST Zone

- UNTRUST Zone

- DMZ Zone

- VPN Zone


Everything is configured with static routing for now, but dynamic routing protocols will be used in future on the VTIs.

The problem I'm facing is that neither inter-device redundancy nor SSO redundancy is supported on the 4451-X devices, which means my SVTI cannot be placed in High Availability. Or am I missing some elementary information?

Is there some way to configure a Stateful or Stateless IPSec failover mechanism into these routers with the use of VTI? I have already been trying to configure a redundancy group and add the tunnel interface as "redundancy rii", without any sign of improvement.

I would like to maintain VTI interfaces since the use of routing protocols, QoS and manageability is more in my personal favor than a crypto map redundancy solution. Otherwise I could have used the ASA IPsec VPN functionality as well.

Hoping anyone can help me on this case!


Kind Regards,

N.

3 Replies

For VTIs you achieve your redundancy by using routing-protocols over both tunnels or by using next-hop-tracking with IP SLA. To my knowledge, that's all that can be done and it gives you also a good flexibility in your deployment.
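An added example (not from the thread) of the IP SLA next-hop tracking this reply describes, seen from a remote peer that has one SVTI to R1 and one to R2: an ICMP probe across Tunnel1 feeds a track object, the primary static route over Tunnel1 is tied to that track, and a floating static route over Tunnel2 carries a higher administrative distance. All addresses, interface names and the IPsec profile name are assumed.

```cisco
! Constructed example for the remote peer router (not R1/R2).
! Both SVTIs stay up; the static routes decide which one carries traffic.
! R1 and R2 are assumed to terminate their tunnels on their own WAN
! addresses, not on the HSRP virtual address.
interface Tunnel1
 ip address 10.255.1.2 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.1
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-PROFILE
!
interface Tunnel2
 ip address 10.255.2.2 255.255.255.252
 tunnel source GigabitEthernet0/0/0
 tunnel destination 198.51.100.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile VPN-PROFILE
!
! Probe R1's tunnel-side address through Tunnel1 every 5 seconds.
! Sourcing from Tunnel1 forces the probe into the tunnel, so a dead
! tunnel (or a failed R1) is detected even while the interface shows up.
ip sla 10
 icmp-echo 10.255.1.1 source-interface Tunnel1
 frequency 5
ip sla schedule 10 life forever start-time now
!
! Track object follows probe reachability; the delays dampen flapping.
track 10 ip sla 10 reachability
 delay down 10 up 30
!
! Primary route via Tunnel1 is withdrawn when track 10 goes down;
! the floating static route (AD 250) via Tunnel2 then takes over.
ip route 192.168.10.0 255.255.255.0 Tunnel1 track 10
ip route 192.168.10.0 255.255.255.0 Tunnel2 250
```

The same pattern applies in the other direction on R1 and R2, each pointing a static route for the remote prefix at its own SVTI; replacing the static routes with a routing protocol over both tunnels removes the need for the probe altogether.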

So this means if we want to set up a tunnel with a third party, they will have to use next-hop tracking to succeed in routing traffic when one of our routers is down? Meaning one static route with a tracking object and a floating static route with a higher metric.


Extra Question:

I'm feeling like the ISR4451-X is the only one not supporting any decent form of HA then:

- all ISR G2 routers can use IPC with "redundancy inter-device", causing a reload of the active router when, for example, a link fails. Usable with stateful failover of VTI interfaces.

- all ASR routers have the possibility to run "redundancy mode sso or rfr". Usable with stateful failover of VTI interfaces.


Thank you for your reply.


> - all ISR G2 routers can use IPC with "redundancy inter-device", causing a reload of the active router when, for example, a link fails. Usable with stateful failover of VTI interfaces.

That can be achieved by EEM. But why do you want to reload a device if you only need VPN-redundancy which can be achieved much easier?