Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1301
Views
0
Helpful
4
Replies

time to failover for customer with multiple peers going to one crypto map on ISR

jasonww04
Level 1
Level 1

‎09-19-2018 12:54 PM - edited ‎09-19-2018 12:55 PM

Hi everybody,

 

I have one crypto map with multiple peers and one peer set as default. The customer initiates traffic and so brings the VPN up. When the default peer dies and the secondary peer starts sending traffic, will my router automatically bring the VPN up to the second peer or will it wait for the phase 1 and/or 2 timers to expire on the default peer?

 

Are all the DPD settings used in ISAKMP profiles and crypto maps only if I am initiating?

Labels:
0 Helpful
4 Replies 4

Rob Ingram
VIP
VIP

‎09-19-2018 02:26 PM

Hi,
DPD should be configured on the remote router, if it detects the preferred peer is down it will clear the SA's of the primary peer, at which point it should establish a tunnel to the secondary peer. How fast would depend on your DPD timers.

If you want an alternate solution, you could use VTI's and have 2 tunnels up in parallel. You could load balance (ECMP) over both tunnels at the same time or use a delay on the routing protocol to prefer one tunnel over the other. When the primary peer fails the secondary VPN tunnel would have already be established, it's just reliant on the routing protocol timers to detect a failed peer.

HTH
0 Helpful

jasonww04
Level 1
Level 1
In response to Rob Ingram

‎09-19-2018 03:11 PM

So if the customer peers use DPD then the failover is based on those timers? My side does not initiate traffic so I'm wondering how failover works. Customer router A is sending traffic and then internet goes down. Customer router B starts sending traffic. Does my ISR just start a VPN with customer router B or does the VPN with router A need to time out?

0 Helpful

Rob Ingram
VIP
VIP
In response to jasonww04

‎09-19-2018 03:26 PM

Yes, DPD can be configured on-demand or periodic. If the primary peer does not respond to a dpd r u there message then the SAs will be cleared and the secondary tunnel should be established.

Try configuring your router with DPD as well, so if the Cust Router A goes offline, your router clears the SAs in order for Cust Router B to successfully establish a vpn.
0 Helpful

Mohammed al Baqari
Level 11
Level 11

‎09-20-2018 12:50 AM

DPD si used to detect peer status. Without DPD declaring that peer is dead,
the router has to wait for SA to expire.

The time to failover to 2nd can be tweaked by tweaking DPD timers and
retries.

Also, DPD will detect regardless of the initiator.
0 Helpful
Customers Also Viewed These Support Documents