Solved: Re: VPN Failover not working - C1117 router

Stephen Carter · ‎08-12-2024

Hi all,

I've have routers with the following config -

crypto map tunnel-vpn 10 ipsec-isakmp

set peer xxx.xxx.xxx.xxx default

set peer zzz.zzz.zzz.zzz

set security-association lifetime seconds 28800

set transform-set tunnel-vpn-site-link-ts

match address site-to-tunnel-vpn-acl

reverse-route

VPN tunnel comes up with no issues but when we do a failover - the tunnels on C1117 devices don't failover.

I've even removed the 'default' from the config with no joy.

Any one any ideas as why not failing over - something being cached somewhere ?

Stephen Carter · ‎10-02-2024

A long over due update, so the last post was -

From checking we are thinking that the following statement (missing from the remote end) may resolve the issue -

crypto isakmp keepalive 10 2 periodic

And the resultant testing showed that the above statement needs to be present at BOTH ends of the link, in effect each end is checking and monitoring the VPN link - so when the link goes down - each end will then detect that and subsequently then fail over as per configuration.

View solution in original post

MHM Cisco World · ‎08-12-2024

One side have one crypto map two peers

Other side must have two crypto map, Am I correct?

MHM

Stephen Carter · ‎08-12-2024

No, Site A has two peer configured - Site C (primary) and Site D (secondary), when site C goes down the vpn tunnel from site A to site C should be detected as down and failover to site D. Once Site C comes back online then if default configured, the tunnel will move back to Site C.

We have this configured on C897's and C1117's, and for some reason on the C1117's the tunnel doesn't failover - it remains 'trying' to the primary site.

MHM Cisco World · ‎08-12-2024

Site C abd D use RRI or not?

MHM

ccieexpert · ‎08-12-2024

you are way better off using VTI and a routing protocol or even ip sla... VTI was meant for these type of scenarios.

if you still want to do crypto map, then Please share your config and version, and also debugs

https://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/113594-trouble-ios-ike-00.html

Stephen Carter · ‎08-14-2024

Whilst VTI would be the best way to go - the implementation of this would be a nightmare in our current set up.

From checking we are thinking that the following statement (missing from the remote end) may resolve the issue -

crypto isakmp keepalive 10 2 periodic

Once tested I'll report back.

MHM Cisco World · ‎08-14-2024

Now I will explain case here as expert in VPN' your case is need to analysis topolgy before we can know answer

Two peer have same remote LAN

Either

A- it two separate peer device and you run hsrp

B- one device with two ISP

Which cases ypu have ?

MHM

Stephen Carter · ‎08-15-2024

Here's a diagram of what we have -

MHM Cisco World · ‎08-15-2024

HQ want to send traffic to 1.1.1.1 as it config as peer default, but the GW of host is send traffic toward 1.1.1.2

Two router have same LAN must run hsrp or vrrp. Etc.

From there we must check vpn failover

MHM

Stephen Carter · ‎10-02-2024

A long over due update, so the last post was -

From checking we are thinking that the following statement (missing from the remote end) may resolve the issue -

crypto isakmp keepalive 10 2 periodic

And the resultant testing showed that the above statement needs to be present at BOTH ends of the link, in effect each end is checking and monitoring the VPN link - so when the link goes down - each end will then detect that and subsequently then fail over as per configuration.

MHM Cisco World · ‎10-02-2024

But keepalive is run by defualt.

MHM