IPSec VPN Failover Issue Cisco 881

vin vinjun
Level 1

Hi everyone, I have a problem with IPsec VPN failover on a Cisco 881. My VPN server at the Head Office has two WANs, which are used for the tunnel configuration at the Branch with a primary tunnel and a backup tunnel.

The problem is that when the primary WAN goes down, the VPN on the Cisco 881 does not switch automatically to the backup, and when the primary WAN comes up again after a very short outage, the VPN also does not work again until I restart the Cisco 881 or run the command "no set peer 1.1.1.1" in (config-crypto-map)#.

Here is my configuration:

crypto isakmp policy 1
 encr 3des
 authentication pre-share
 group 2
 lifetime 28800
crypto isakmp invalid-spi-recovery
!
crypto isakmp peer address 1.1.1.1
 set aggressive-mode password pr-test-123456
 set aggressive-mode client-endpoint fqdn pr-test-01
!
crypto isakmp peer address 2.2.2.2
 set aggressive-mode password bk-test-123456
 set aggressive-mode client-endpoint fqdn bk-test-01
!
crypto ipsec transform-set TRAN_TOVMS esp-des esp-md5-hmac
 mode tunnel
!
crypto map MAP_TOVMS 1 ipsec-isakmp
 description set peer
 set peer 1.1.1.1
 set peer 2.2.2.2
 set transform-set TRAN_TOVMS
 match address 110
!
interface Cellular0
 ip address negotiated
 ip nat outside
 ip virtual-reassembly in
 encapsulation slip
 dialer in-band
 dialer idle-timeout 0
 dialer string gsm
 dialer-group 1
 async mode interactive
!
interface FastEthernet0
 switchport access vlan 1
 no ip address
!
interface FastEthernet1
 switchport access vlan 1
 no ip address
!
interface FastEthernet2
 switchport access vlan 1
 no ip address
!
interface FastEthernet3
 no ip address
!
interface FastEthernet4
 description Connect VNPT
 no ip address
 duplex auto
 speed auto
 pppoe enable group global
 pppoe-client dial-pool-number 1
!
interface Wlan-GigabitEthernet0
 description Internal switch interface connecting to the embedded AP
 no ip address
!
interface wlan-ap0
 description Embedded Service module interface to manage the embedded AP
 no ip address
!
interface Vlan1
 description LAN
 ip address 10.32.80.177 255.255.255.240
 ip nat inside
 ip virtual-reassembly in
 ip tcp adjust-mss 1452
!
interface Dialer1
 ip address negotiated
 ip mtu 1492
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer-group 1
 ppp pap sent-username ftth password 0 800331fmaxi
 no cdp enable
 crypto map MAP_TOVMS
!
ip forward-protocol nd
no ip http server
ip http authentication local
no ip http secure-server
!
ip nat inside source list 101 interface Dialer1 overload
ip route 0.0.0.0 0.0.0.0 Dialer1
!
ip sla auto discovery
ip sla 1
 icmp-echo 10.1.1.2 source-interface Vlan1
 threshold 1000
 timeout 1000
 frequency 2
ip sla schedule 1 life forever start-time now
access-list 1 permit any
access-list 101 deny ip 10.32.80.176 0.0.0.15 10.0.0.0 0.255.255.255
access-list 101 permit ip 10.32.80.176 0.0.0.15 any
access-list 110 permit ip 10.32.80.176 0.0.0.15 10.0.0.0 0.255.255.255
dialer-list 1 protocol ip permit

Thanks in advance! 

Junvin

3 Replies

Mark Malone
VIP Alumni

Hi

Just a thought: use a route-map with IP SLA verify-reachability and tracking, and set the next hop that way, so it's always pinging an IP that's only available, say, on VPN A, and then when that fails and it can't verify any more it will push it to the next VPN B.

Take a look at this as an example of what I mean:

https://letusexplain.blogspot.com/2014/04/ip-sla-tracking-configuration-with.html

Thanks, Mark Malone, for your response :)

In my case, the Cisco 881 only has one ISP (interface Dialer1) to connect to the internet and dial the VPN. It has two tunnels (the primary tunnel and the backup tunnel) that are set up as two profiles on the VPN server at the Head Office. Can the Cisco fail over tunnels with only one ISP?

Regards,

VinJun

The problem is when the primary WAN down, VPN of Cisco881 does not switch automatically to the backup or when the primary WAN up again after a very short time down, VPN also does not work again until I restart the

OK, just re-read that. One VPN can't come up when the WAN is down, so a backup coming up when the WAN link is down and there is only one link is not going to happen; the VPN sits on top of the formed circuit as a wrap-around, and the circuit must be up for the VPN to form. If it's not coming back up, try increasing the lifetime or keep sending interesting traffic across the WAN circuit through IP SLA, some traffic that would be sent down the VPN that will trigger it to come back up:

crypto map xxx 1 set security-association lifetime seconds xxxxxx
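Putting Mark's two suggestions together on the branch side, here is an added example configuration; it is not from the thread and not the poster's running config. It uses the thread's own placeholder addresses (peers 1.1.1.1 and 2.2.2.2, tunnel-side host 10.1.1.2, crypto map MAP_TOVMS) and assumes a single WAN on Dialer1, as the poster describes. The IP SLA probe numbers, track numbers and timers are assumptions. The ISAKMP keepalive (dead peer detection) line is my addition rather than something the thread proposes: it is the standard IOS mechanism by which a crypto map with two `set peer` entries abandons a peer that has stopped answering and negotiates with the next one, and it is what an operator would check first when a peer switch never happens. The thread's ISAKMP policy and transform set are left untouched here (esp-des and 3des are deprecated algorithms and would be worth revisiting separately).

```cisco
! Added example (not from the thread): branch-side settings on the Cisco 881
! so that the crypto map moves between its two "set peer" entries and the
! tunnel is re-negotiated as soon as the single WAN returns.
! Addresses 1.1.1.1 / 2.2.2.2 / 10.1.1.2 are the thread's placeholders;
! probe, track numbers and timers are assumptions.
!
! 1. Dead peer detection: send an ISAKMP keepalive every 10 s, retry every
!    3 s once one is missed. When the active peer stops answering, IOS tears
!    down the SA and the crypto map tries the next "set peer" (2.2.2.2).
crypto isakmp keepalive 10 3 periodic
!
! 2. Interesting traffic (Mark's suggestion): a probe toward a host behind
!    the tunnel, sourced from the LAN side so that it matches access-list 110
!    and is therefore encrypted. As long as it runs, a returning WAN sees
!    traffic that triggers a fresh IKE negotiation without operator action.
ip sla 1
 icmp-echo 10.1.1.2 source-interface Vlan1
 threshold 1000
 timeout 1000
 frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
!
! 3. A second probe to the primary peer itself, sourced from Dialer1. It does
!    not match access-list 110, so it travels in the clear and tells a WAN
!    outage apart from a tunnel that is merely down.
ip sla 2
 icmp-echo 1.1.1.1 source-interface Dialer1
 timeout 1000
 frequency 10
ip sla schedule 2 life forever start-time now
track 2 ip sla 2 reachability
!
! 4. Mark's lifetime line, with a concrete value: a 24-hour IPsec SA
!    lifetime so that a short WAN flap is less likely to coincide with a rekey.
crypto map MAP_TOVMS 1 ipsec-isakmp
 set security-association lifetime seconds 86400
!
! Verification from enable mode (commands, not configuration):
!   show crypto isakmp sa            ! which peer the IKE SA is with right now
!   show crypto ipsec sa             ! per-peer encrypt/decrypt counters
!   show track                       ! tracks 1 (tunnel path) and 2 (WAN path)
!   show ip sla statistics 1         ! is the interesting-traffic probe answered
```

When reading the output, track 2 down with track 1 down means the WAN itself is gone and, as Mark says, no tunnel can form until it returns; track 2 up with track 1 down means the WAN is back but the tunnel has not re-formed, and `show crypto isakmp sa` will show whether the router is still trying the stale peer, which is the case the keepalive line is there to cover.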