
IKE SA is too slow !!!

Status
Not open for further replies.

Luxxor

Technical User
Feb 27, 2009
8
DE

Hi all,

This is a lab configuration! (There are 3 routers.)
1. R1 & R2 are configured with the HSRP protocol.
2. R1 is the active router and R2 is the standby router.
3. The 3rd router, KR, is connected to the VIP address (HSRP IP address) of R1 & R2.
4. I configured a VPN tunnel between the VIP address and KR.

My purpose is to make a static VPN connection between KR and the HSRP VIP address.
HSRP and VPN are working, BUT

Somehow I noticed that when I unplug the R1 e0 active port cable, it takes approximately 38 sec for the standby router R2 port to become active.

When I plug that cable in again, it takes approximately 1 min to build the connection.
*In my opinion this is too slow*

Does someone have an idea why it takes so much time?
I'm really thankful for any help :)

Here is my whole configuration:

Router KR: >>>
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 28800
crypto isakmp key avodaq address 10.1.3.10 255.255.255.224
crypto isakmp keepalive 10
crypto ipsec optional retry 60
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set VPN esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map VPN-2-R1 10 ipsec-isakmp
set peer 10.1.3.10
set transform-set VPN
set pfs group2
match address 100
!
interface Tunnel0
ip address 10.1.4.1 255.255.255.224
keepalive 5 4
tunnel source FastEthernet0/0
tunnel destination 10.1.3.10
tunnel key 123
!
interface FastEthernet0/0
ip address 10.1.3.21 255.255.255.224
speed 100
full-duplex
crypto map VPN-2-R1
!
interface FastEthernet0/1
ip address 10.1.3.62 255.255.255.224
speed 100
full-duplex
!
no ip http server
no ip http secure-server
ip classless
ip route 10.1.2.0 255.255.255.224 10.1.3.10
!
access-list 100 permit esp 10.1.3.32 0.0.0.31 10.1.2.0 0.0.0.31
access-list 100 permit ip 10.1.3.32 0.0.0.31 10.1.2.0 0.0.0.31
access-list 101 deny ip any any

Router R1: >>>
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
lifetime 86000
crypto isakmp key avodaq address 10.1.3.21 255.255.255.224
crypto isakmp keepalive 10
crypto ipsec optional retry 60
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set VPN esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map VPN-2-KR 10 ipsec-isakmp
description cisco
set peer 10.1.3.21
set transform-set VPN
set pfs group2
match address 111
!
interface Tunnel0
ip address 10.1.4.2 255.255.255.224
keepalive 5 4
tunnel source 10.1.3.10
tunnel destination 10.1.3.21
tunnel key 123
!
interface FastEthernet0/0
ip address 10.1.3.20 255.255.255.224
duplex auto
speed 100
standby 1 ip 10.1.3.10
standby 1 timers msec 999 2
standby 1 priority 120
standby 1 preempt
standby 1 authentication 123
standby 1 name VPN-KR
standby 1 track FastEthernet0/1 20
crypto map VPN-2-KR redundancy VPN-KR
!
interface FastEthernet0/1
ip address 10.1.2.20 255.255.255.224
duplex auto
speed 100
standby 2 ip 10.1.2.2
standby 2 timers msec 999 2
standby 2 priority 110
standby 2 preempt
standby 2 authentication 321
!
router rip
network 10.0.0.0
!
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.3.21
!
!
access-list 111 permit esp 10.1.2.0 0.0.0.31 10.1.3.32 0.0.0.31
access-list 111 permit ip 10.1.2.0 0.0.0.31 10.1.3.32 0.0.0.31
access-list 112 deny ip any any

Router R2: >>>
crypto isakmp keepalive 10
crypto ipsec optional retry 60
!
crypto ipsec security-association lifetime seconds 28800
!
crypto ipsec transform-set VPN esp-3des esp-sha-hmac
crypto ipsec df-bit clear
!
crypto map VPN-2-KR 10 ipsec-isakmp
description cisco
set peer 10.1.3.21
set transform-set VPN
set pfs group2
match address 112
!
interface Tunnel0
ip address 10.1.4.3 255.255.255.224
tunnel source FastEthernet0/1
tunnel destination 10.1.3.21
!
interface FastEthernet0/0
ip address 10.1.2.30 255.255.255.224
speed auto
full-duplex
standby 2 ip 10.1.2.2
standby 2 timers msec 999 2
standby 2 preempt
standby 2 authentication 321
standby 2 track FastEthernet0/0
!
interface FastEthernet0/1
ip address 10.1.3.30 255.255.255.224
duplex auto
speed 100
standby 1 ip 10.1.3.10
standby 1 timers msec 999 2
standby 1 priority 110
standby 1 preempt
standby 1 authentication 123
standby 1 name VPN-2-KR1
crypto map VPN-2-KR redundancy VPN-2-KR1
!
router rip
network 10.0.0.0
!
ip http server
no ip http secure-server
ip classless
ip route 0.0.0.0 0.0.0.0 10.1.3.21
!
access-list 112 permit ip 10.1.2.0 0.0.0.31 10.1.3.32 0.0.0.31
access-list 112 permit esp 10.1.2.0 0.0.0.31 10.1.3.32 0.0.0.31
access-list 113 deny ip any any
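
A consistency check over the configurations posted above, as an added example that is not part of the original post: it compares the IKE and HSRP group 1 settings of KR, R1 and R2 and lists the differences for review. The helper names `parse` and `audit` are hypothetical, and the findings are review pointers, not a diagnosis of the delay.

```python
import re

# Lines copied from the post's configs (trimmed). KR = peer; R1/R2 = HSRP pair.
KR = """crypto isakmp policy 1
lifetime 28800
crypto isakmp key avodaq address 10.1.3.10 255.255.255.224
crypto isakmp keepalive 10
"""
R1 = """crypto isakmp policy 1
lifetime 86000
crypto isakmp key avodaq address 10.1.3.21 255.255.255.224
crypto isakmp keepalive 10
standby 1 timers msec 999 2
standby 1 name VPN-KR
crypto map VPN-2-KR redundancy VPN-KR
"""
R2 = """crypto isakmp keepalive 10
standby 1 timers msec 999 2
standby 1 name VPN-2-KR1
crypto map VPN-2-KR redundancy VPN-2-KR1
"""

def parse(cfg):
    """Extract the IKE and HSRP group 1 settings relevant to failover."""
    find = lambda pat: re.findall(pat, cfg, re.M)
    return {
        "policy": bool(find(r"^crypto isakmp policy \d+")),
        "psk_peers": find(r"^crypto isakmp key \S+ address (\S+)"),
        "lifetime": find(r"^\s*lifetime (\d+)"),
        "hsrp_name": find(r"^\s*standby 1 name (\S+)"),
        "redundancy": find(r"^\s*crypto map \S+ redundancy (\S+)"),
        "timers": find(r"^\s*standby 1 timers (.+)$"),
    }

def audit(peer, active, standby):
    """Return review findings (hypothetical helper, not a Cisco tool)."""
    p, a, s = parse(peer), parse(active), parse(standby)
    out = []
    for role, r in (("active", a), ("standby", s)):
        if not (r["policy"] and r["psk_peers"]):
            out.append(f"{role}: no ISAKMP policy/pre-shared key in excerpt")
        if r["hsrp_name"] != r["redundancy"]:
            out.append(f"{role}: crypto map redundancy name != standby name")
    if a["timers"] != s["timers"]:
        out.append("HSRP group 1 timers differ between active and standby")
    if p["lifetime"] != a["lifetime"]:
        out.append(f"ISAKMP lifetime: peer {p['lifetime']} vs active {a['lifetime']}")
    return out

print(*audit(KR, R1, R2), sep="\n")
```

On the posted excerpts this reports that the R2 listing shows no ISAKMP policy or pre-shared key and that the ISAKMP lifetimes on KR and R1 differ.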


 