HSRP and IPSec - Have to clear session to failover


norteldude78 (IS-IT--Management)
Nov 10, 2005
Hello,

Topology:

                 /---- R3 -----\
                /               \
R1 ---- R2 ---S1                 S2---- R5
                \               /
                 \---- R4 -----/


I have set up router R2 to have an IPsec tunnel to an HSRP address shared by R3 and R4.

When R1 sends pings to R5 the tunnel comes up.
R3 is the active router and when I run "show crypto isakmp sa" it is QM_IDLE, which is good.

When I shut R3's HSRP interface the tunnel does not automatically fail over to R4. It looks like R2 is still using the same SA to encrypt traffic.

This is a "debug crypto isakmp" on R4:

*Mar 1 02:12:32.563: %HSRP-6-STATECHANGE: FastEthernet2/0 Grp 1 state Standby -> Active
*Mar 1 02:12:33.675: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=172.12.234.34, prot=50, spi=0x418AEB73(1099623283), srcaddr=172.12.234.2
*Mar 1 02:12:33.687: ISAKMP: received ke message (3/1)
*Mar 1 02:12:33.687: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 172.12.234.34 dst 172.12.234.2 for SPI 0x418AEB73
*Mar 1 02:12:39.691: ISAKMP: received ke message (3/1)
*Mar 1 02:12:39.695: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 172.12.234.34 dst 172.12.234.2 for SPI 0x418AEB73
R4#

If I run "clear crypto session" on R2 the tunnel immediately comes up.

Any ideas how to have R2 clear the session on its own?

Here are configs:

R2 Config:
Code:
! interesting traffic for the tunnel (1.1.1.1 <-> 5.5.5.5)
access-list 101 permit ip host 1.1.1.1 host 5.5.5.5
!
crypto isakmp policy 1
 authentication pre-share
 group 2
! the IKE peer is the HSRP virtual IP shared by R3 and R4, not either physical address
crypto isakmp key cisco address 172.12.234.34 no-xauth
!
crypto ipsec transform-set ESP_DES_SHA esp-des esp-sha-hmac
!
crypto map CMAP1 1 ipsec-isakmp
 set peer 172.12.234.34
 set transform-set ESP_DES_SHA
 match address 101
!
int fa2/0
 ip address 172.12.234.2 255.255.255.0
 crypto map CMAP1

R3 and R4 Config
(R3 is the same except it is .3, and has priority of 105)

Code:
access-list 101 permit ip host 5.5.5.5 host 1.1.1.1
!
crypto isakmp policy 1
 authentication pre-share
 group 2
crypto isakmp key cisco address 172.12.234.2 no-xauth
!
crypto ipsec transform-set ESP_DES_SHA esp-des esp-sha-hmac
!
crypto map CMAP1 1 ipsec-isakmp
 set peer 172.12.234.2
 set transform-set ESP_DES_SHA
 match address 101
 ! reverse route injection: install a static route for the remote proxy when the SA comes up
 reverse-route
!
int f2/0
 ip address 172.12.234.4 255.255.255.0
 standby 1 ip 172.12.234.34
 standby 1 priority 100
 standby 1 preempt
 standby 1 name HSRP
 standby 1 track fastEthernet 0/0
 ! bind the crypto map to the HSRP group so IKE/IPsec are sourced from the virtual IP
 crypto map CMAP1 redundancy HSRP
!

Thanks,

Bryan
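Editor's note: the reply that solved this is not on the page, so the following is an added example, not the thread's own answer and not Bryan's config. It shows the two IOS knobs that address exactly what the R4 debug above records: R2 never learns that the virtual IP has moved, and R4 cannot tell R2 about the unknown SPI because it "ignor[es] request to send delete notify (no ISAKMP sa)". Timer values are illustrative assumptions; the commands are the standard IOS `crypto isakmp keepalive` and `crypto isakmp invalid-spi-recovery` globals.

```cisco
! ---- R2 (the non-HSRP end) ----
! Dead Peer Detection: probe 172.12.234.34 every 10 s whether or not there is
! traffic; if a probe goes unanswered, retry every 3 s.  After R3 drops out,
! R4 owns the virtual IP but holds no ISAKMP SA for R2's cookies, so the
! probes go unanswered, R2 tears down its ISAKMP and IPsec SAs, and the next
! packet matching ACL 101 re-initiates IKE with the now-active R4.
crypto isakmp keepalive 10 3 periodic

! ---- R3 and R4 (the HSRP pair) ----
! When an ESP packet arrives for an SPI this router does not know
! (%CRYPTO-4-RECVD_PKT_INV_SPI above), bring up an ISAKMP SA to the sender
! and send the delete notify, instead of dropping the request because there
! is no ISAKMP SA to carry it.  The peer then clears its stale SA at once.
crypto isakmp invalid-spi-recovery
```

Two caveats a practitioner will want. First, `crypto map ... redundancy HSRP` is stateless failover: SAs are not replicated to the standby, so the tunnel is rebuilt rather than preserved, and with `periodic` DPD the gap is roughly the keepalive interval plus the retries. Second, the lab transform set (`esp-des`) and the shared key `cisco` are fine for a test bench but not for anything reachable from an untrusted network; DES is a deprecated cipher, and the same failover behaviour holds with `esp-aes 256 esp-sha-hmac`.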
 
I'll give you the star because you are right on!

Thanks!
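As an added example that is not part of the thread, here is detection logic for the symptom rather than the fix: a small parser that reads IOS console output, pairs an HSRP Standby -> Active transition with the invalid-SPI packets that follow it from the same peer, and counts how many delete notifies the new active router had to suppress. The sample input is constructed from the R4 debug lines quoted in the post; the 60-second correlation window is an assumption.

```python
import re
from datetime import datetime

# Constructed sample input: the "debug crypto isakmp" lines from R4 quoted
# in the post above, with the HSRP state change that precedes them.
SAMPLE_LOG = """\
*Mar 1 02:12:32.563: %HSRP-6-STATECHANGE: FastEthernet2/0 Grp 1 state Standby -> Active
*Mar 1 02:12:33.675: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=172.12.234.34, prot=50, spi=0x418AEB73(1099623283), srcaddr=172.12.234.2
*Mar 1 02:12:33.687: ISAKMP: received ke message (3/1)
*Mar 1 02:12:33.687: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 172.12.234.34 dst 172.12.234.2 for SPI 0x418AEB73
*Mar 1 02:12:39.691: ISAKMP: received ke message (3/1)
*Mar 1 02:12:39.695: ISAKMP: ignoring request to send delete notify (no ISAKMP sa) src 172.12.234.34 dst 172.12.234.2 for SPI 0x418AEB73
"""

# IOS timestamp "*Mar 1 02:12:32.563:" followed by the message body.
TS_RE = re.compile(r"^\*(\w{3}) +(\d+) +(\d{2}:\d{2}:\d{2}\.\d{3}): (.*)$")
HSRP_ACTIVE_RE = re.compile(r"%HSRP-6-STATECHANGE: (\S+) Grp (\d+) state \S+ -> Active")
INV_SPI_RE = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI: .*destaddr=([\d.]+), prot=(\d+), "
    r"spi=(0x[0-9A-Fa-f]+)\(\d+\), srcaddr=([\d.]+)")
NO_SA_DELETE_RE = re.compile(
    r"ignoring request to send delete notify \(no ISAKMP sa\) "
    r"src ([\d.]+) dst ([\d.]+) for SPI (0x[0-9A-Fa-f]+)")


def parse_line(line):
    """Split an IOS log line into (timestamp, message); (None, line) if no timestamp."""
    m = TS_RE.match(line)
    if not m:
        return None, line
    mon, day, clock, msg = m.groups()
    # IOS omits the year; strptime defaults to 1900, which is fine for deltas
    # within one capture (a Feb 29 capture would need a real year supplied).
    ts = datetime.strptime(f"{mon} {day} {clock}", "%b %d %H:%M:%S.%f")
    return ts, msg


def find_stale_sa_after_failover(log_text, window_s=60.0):
    """Correlate an HSRP Standby->Active transition with later invalid-SPI
    packets from a peer.  That combination means the peer is still encrypting
    with an SA the newly active router never had.  Returns one finding per
    (peer, spi) with counts of bad packets and suppressed delete notifies."""
    findings = {}
    last_failover = None  # (timestamp, interface, group)
    for raw in log_text.splitlines():
        ts, msg = parse_line(raw)
        if ts is None:
            continue
        m = HSRP_ACTIVE_RE.search(msg)
        if m:
            last_failover = (ts, m.group(1), int(m.group(2)))
            continue
        m = INV_SPI_RE.search(msg)
        if m and last_failover is not None:
            delta = (ts - last_failover[0]).total_seconds()
            if 0 <= delta <= window_s:
                vip, proto, spi, peer = m.groups()
                f = findings.setdefault((peer, spi), {
                    "failover_interface": last_failover[1],
                    "hsrp_group": last_failover[2],
                    "seconds_after_failover": delta,
                    "vip": vip,
                    "peer": peer,
                    "protocol": int(proto),
                    "spi": spi,
                    "invalid_spi_packets": 0,
                    "delete_notify_suppressed": 0,
                })
                f["invalid_spi_packets"] += 1
            continue
        m = NO_SA_DELETE_RE.search(msg)
        if m:
            src, dst, spi = m.groups()
            # dst in this message is the peer that sent the unknown SPI
            f = findings.get((dst, spi))
            if f is not None:
                f["delete_notify_suppressed"] += 1
    return list(findings.values())


if __name__ == "__main__":
    for f in find_stale_sa_after_failover(SAMPLE_LOG):
        print(f"peer {f['peer']} kept using SPI {f['spi']} towards VIP {f['vip']} "
              f"{f['seconds_after_failover']:.3f}s after {f['failover_interface']} "
              f"group {f['hsrp_group']} went Active; delete notify suppressed "
              f"{f['delete_notify_suppressed']}x")
```

Run against a syslog feed from the HSRP pair, a non-zero `delete_notify_suppressed` count is the thing to alert on: it means the remote peer will keep blackholing traffic into a dead SA until something (DPD, invalid-SPI recovery, or a manual "clear crypto session") makes it renegotiate.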
 
