Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations John Tel on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Stateful HA IPSec

Status
Not open for further replies.
abidg

abidg

ISP
Jul 9, 2002
42
GB
Hello,

I am using the following configuration to test an HA IPSec with stateful failover. This config only includes "redundancy", "ipc" and "HSRP" config, that also from one of the two routers. It does not include an IPSec related config.

Problem is when I disable or disconnect the Active HSRP router, after IPSec connection has established and still passing traffic, the Active router crashes. I have tested this both on physical and dynamips and the result is the same.

Am not sure if I am missing something or doing something wrong.

Thanks and regards,

Abid.

---------------------------------------------
ipc zone default
association 1
no shutdown
protocol sctp
local-port 5000
local-ip 192.168.2.2
retransmit-timeout 300 10000
path-retransmit 10
assoc-retransmit 10
remote-port 5000
remote-ip 192.168.2.1
!

!
redundancy inter-device
scheme standby Ext
!
redundancy
!
interface FastEthernet0/1
ip address 192.168.2.2 255.255.255.0
speed 100
full-duplex
standby 1 ip 192.168.2.254
standby 1 priority 110
standby 1 preempt
standby 1 name Ext
crypto map HAMAP redundancy Ext stateful
-------------------------------------------
 
Sort by date Sort by votes
Hello ISPKing - right after I posted this thread, I thought of checking this feature's avability. I think it is only supported on 7200 and a few other high end platforms. I was trying it on 3725s and in another instance on 2921s.

I found this via Cisco feature navigator. Will try it out on 7200 to see how it works and performs. It would be a pity if it happens to be only supported on high end platforms. As, I know a lot of applications where this could have proved valuable. For example, to be used instead of Checkpoint or other firewall solutions.

It could still be used with low end paltforms but that would be without any stateful switch over - stateless. This is of course going to affect connectivity if and when a fail over occurs.

Please do let me know if you find something otherwise.

One thing I must say I found out for sure - dynamips performs exactly as like any other real platform Cisco.

Thanks and regards,

Abid.
 
Upvote 0 Downvote
what version of code are you running on the 3725's??

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
Upvote 0 Downvote
I am using c3725-advipservicesk9-mz.124-23.bin

Am not sure if this feature is supported on 3725 as according to feature navigator it should not be.

 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

jobsp90
  • Question
I have a issue in my office hospital network regarding using IPPBX software.
Replies
2
Views
203
DavetheChef
DavetheChef
amelamel
  • Locked
  • Question
port has faulty link
Replies
2
Views
587
ADB100
ADB100
napoleao
  • Locked
  • Question
IPSec VPN
Replies
3
Views
292
napoleao
napoleao
Solarlight1
  • Locked
  • Question
Cisco Config Help/IPSEC VPN
Replies
4
Views
277
ADB100
ADB100
burtsbees
  • Locked
  • Question
convert ZBF (Cisco) to a simple stateful FW config
Replies
0
Views
144
burtsbees
burtsbees

Part and Inventory Search

Sponsor

Back
Top