cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1077
Views
0
Helpful
4
Replies

time to failover for customer with multiple peers going to one crypto map on ISR

jasonww04
Level 1
Level 1

Hi everybody,

 

I have one crypto map with multiple peers and one peer set as default. The customer initiates traffic and so brings the VPN up. When the default peer dies and the secondary peer starts sending traffic, will my router automatically bring the VPN up to the second peer or will it wait for the phase 1 and/or 2 timers to expire on the default peer?

 

Are all the DPD settings used in ISAKMP profiles and crypto maps only if I am initiating?

4 Replies 4

Hi,
DPD should be configured on the remote router, if it detects the preferred peer is down it will clear the SA's of the primary peer, at which point it should establish a tunnel to the secondary peer. How fast would depend on your DPD timers.

If you want an alternate solution, you could use VTI's and have 2 tunnels up in parallel. You could load balance (ECMP) over both tunnels at the same time or use a delay on the routing protocol to prefer one tunnel over the other. When the primary peer fails the secondary VPN tunnel would have already be established, it's just reliant on the routing protocol timers to detect a failed peer.

HTH

So if the customer peers use DPD then the failover is based on those timers? My side does not initiate traffic so I'm wondering how failover works. Customer router A is sending traffic and then internet goes down. Customer router B starts sending traffic. Does my ISR just start a VPN with customer router B or does the VPN with router A need to time out?

Yes, DPD can be configured on-demand or periodic. If the primary peer does not respond to a dpd r u there message then the SAs will be cleared and the secondary tunnel should be established.

Try configuring your router with DPD as well, so if the Cust Router A goes offline, your router clears the SAs in order for Cust Router B to successfully establish a vpn.

DPD si used to detect peer status. Without DPD declaring that peer is dead,
the router has to wait for SA to expire.

The time to failover to 2nd can be tweaked by tweaking DPD timers and
retries.

Also, DPD will detect regardless of the initiator.