From: Kal Han (calikali2006@gmail.com)
Date: Sat Nov 25 2006 - 02:07:52 ART
Hi Jens, it's working just like you said.
Thank you all again. It's working now.
But my solution is not good. I would like some more input, please.
               |-----R1-----|
----cat-----PIX------|            |-------R3
               |-----R2-----|
In this topology, all routers know routes to all the devices,
using OSPF (before VPN or anything).
So initially R3 has two routes to CAT (via R1 and R2).
Now after I configured VPN, HA, RRI, and redistribute static
using EIGRP, I still see the previous two equal-metric
routes on R3 to reach CAT. I did wait for some time
to see the routing table update with the EIGRP-redistributed
static route taking priority over OSPF.
It didn't happen.
I set OSPF max-paths to 1 and then it's working because now
there is only one route (through R1); everything is good after
this.
But why did I not see the EIGRP route installed in the routing table,
given that the same route is advertised by both OSPF and EIGRP?
<by route I mean the route for the CAT network>
When I filtered the CAT network from R3 using a distribute list in OSPF, I
saw the EIGRP route in the routing table. When I removed the distribute
list, the OSPF-advertised route is back in the routing table and the EIGRP
route is gone. (I did not manipulate any distance or any other parameters.)
Thanks
Kal
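An added illustration, not part of the thread, of the route selection Kal describes: IOS compares administrative distance before it looks at metric, so an EIGRP external route (a redistributed static, AD 170) always loses to an OSPF route (AD 110) for the same prefix; only when the OSPF route is filtered does the EIGRP route install, and max-paths only trims the OSPF paths. The candidate routes, metrics and next hops are constructed, and the next-hop tie-break for max-paths 1 is an assumption of the model.

```python
# Added example, not from the thread: a model of IOS best-route selection
# for the CAT prefix as seen from R3. Default administrative distances are
# the real IOS defaults; the candidate routes and metrics are constructed.
from dataclasses import dataclass
# IOS default administrative distances (lower is preferred).
AD = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "eigrp-external": 170}

@dataclass(frozen=True)
class Candidate:
    prefix: str
    source: str     # key into AD
    metric: int     # only comparable between routes of the same source
    next_hop: str

def select_routes(candidates, max_paths=4, filtered=frozenset()):
    """Return {prefix: [installed paths]}.
    1. Drop (prefix, source) pairs in `filtered`: models an inbound
       distribute-list on that protocol.
    2. Per prefix keep only the source with the lowest AD; metric is never
       compared across sources, so OSPF (110) beats EIGRP external (170).
    3. Within the winning source keep equal best-metric paths, capped at
       max_paths (the OSPF 'maximum-paths' knob). Tie-break by next hop is
       an assumption of this model, not IOS behaviour.
    """
    by_prefix = {}
    for c in candidates:
        if (c.prefix, c.source) not in filtered:
            by_prefix.setdefault(c.prefix, []).append(c)
    table = {}
    for prefix, cands in by_prefix.items():
        best_ad = min(AD[c.source] for c in cands)
        same_ad = [c for c in cands if AD[c.source] == best_ad]
        best_metric = min(c.metric for c in same_ad)
        paths = sorted((c for c in same_ad if c.metric == best_metric),
                       key=lambda c: c.next_hop)
        table[prefix] = paths[:max_paths]
    return table

CAT = "172.16.2.0/24"          # the CAT network behind the PIX
R3_CANDIDATES = [              # constructed: what R3 hears for CAT
    Candidate(CAT, "ospf", 20, "195.1.123.1"),                 # via R1
    Candidate(CAT, "ospf", 20, "195.1.123.2"),                 # via R2
    Candidate(CAT, "eigrp-external", 2172416, "195.1.123.1"),  # R1's RRI static
]

def installed(max_paths=4, filtered=frozenset()):
    """(winning source, [next hops]) for CAT under the given knobs."""
    paths = select_routes(R3_CANDIDATES, max_paths, filtered)[CAT]
    return paths[0].source, [p.next_hop for p in paths]

if __name__ == "__main__":
    print("defaults:          ", installed())
    print("ospf max-paths 1:  ", installed(max_paths=1))
    print("ospf route filtered", installed(filtered={(CAT, "ospf")}))
```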
On 11/24/06, Jens Petter <jenseike@start.no> wrote:
>
> You can not load-balance the route that you receive via RRI to the switch
> network. That would not work; you have to make sure your primary HSRP
> router is the one that has the best metric to this (as long as this
> router's VPN is up).
>
> I am sure that this is part of your problem here. On the primary router
> you should see the route as a static, but on the standby router you need
> to make sure you learn this from R1 via your dynamic routing protocols.
> In your case you should, on the standby router, see 172.16.0.0/24 as an
> external EIGRP route (the one you redistribute into EIGRP on your
> primary), and not as a static route. This you should only see when this
> router becomes active..
>
> Only when your primary goes down should you see this as a static route
> on your standby. Also on R3 you need to see this route only coming from
> your primary.. This route can not load-balance using this type of
> technology, VPN HA together with HSRP..
>
> IPsec HA would make sure that when the standby router comes up, RRI would
> go into effect on this router. Not before..
>
> And, NO, you should only see one ISAKMP SA on the PIX, with 195.1.112.12
> as peer for R1 and R2; only the active HSRP router should ever have the
> VPN up at any time.
>
> I still think that you have a routing problem here; you are not matching
> your routing to the HSRP/VPN config. You need to think in a little bigger
> picture here than when you only configure VPNs..
>
> I would still like to see your other router and PIX configs too..
>
> I did not think that using only EIGRP or OSPF was going to solve it, I just
> found it strange you used both routing protocols for the same networks.
>
> EIGRP will be the only one you see in your routing table between R1, R2 and
> R3 anyway..
>
> You need to figure out why you have two ISAKMP SAs on the PIX; this should
> only be one. You still need to tune your routing/HSRP config to match.
>
> Your VPN config looks good, nothing wrong with that.
>
> Mvh
>
> Jens Petter Eikeland
>
> Mob 98247550
> Hipercom AS
> ------------------------------
>
> From: Kal Han [mailto:calikali2006@gmail.com]
> Sent: 25. november 2006 02:23
> To: Petr Lapukhov
> Cc: Jens Petter; Groupstudy; Cisco certification
> Subject: Re: Help with VPN high-availability with HSRP
>
> Hi
>
> Thanks for your replies.
>
> Here is my topology (R1 is active).
> HSRP is enabled on the interfaces facing PIX.
> I am providing the config on PIX.
>
>                |-----R1-----|
> ----cat-----PIX------|            |-------R3
>                |-----R2-----|
>
> I configured VPN between PIX -- R1,R2 virtual IP address.
> This is TrinetNT SuperLab-5 Section 11.3
> The question asked to redistribute the routes created by
> reverse-route using EIGRP. So I am running EIGRP between
> R1, R2, R3, and redistributing static on R1 and R2.
> Even if I remove EIGRP completely and use only OSPF the
> behavior is the same.
>
> I removed EIGRP now and tried... now.
>
> Given my topology, R3 has two equal-metric routes to reach the catalyst.
> Does R3 load balance between R1 and R2?
> (From what I know, only one router should be used, but I don't see that.
> Is there anything wrong with my HSRP config? The "show standby" shows
> the expected output.)
> If so, will both R1 and R2 have SAs with PIX, meaning there will be two
> IKE SAs on PIX? (this is what is happening)
> Or should it be only one SA to whichever is the active router?
> I don't know this stuff. Looks like both R1 and R2 are trying to bring
> up the tunnel when I ping from Cat -> R3. R1 is successful in its
> attempt. R2 is failing. The only debug output I get on failing router R2 is
> R2#
> *Mar 1 00:11:23.931: IPSEC(sa_request): ,
> (key eng. msg.) OUTBOUND local= 195.1.112.12, remote= 195.1.112.10,
> local_proxy= 195.1.123.0/255.255.255.0/0/0 (type=4),
> remote_proxy= 172.16.2.0/255.255.255.0/0/0 (type=4),
> protocol= ESP, transform= esp-des esp-sha-hmac ,
> lifedur= 3600s and 4608000kb,
> spi= 0xF6302F18(4130352920), conn_id= 0, keysize= 0, flags= 0x400A
> *Mar 1 00:11:23.931: ISAKMP: received ke message (1/1)
> *Mar 1 00:11:23.931: ISAKMP (0:0): SA request profile is (NULL)
> *Mar 1 00:11:23.931 : ISAKMP: local port 500, remote port 500
> *Mar 1 00:11:23.935: ISAKMP: set new node 0 to QM_IDLE
> *Mar 1 00:11:23.935: ISAKMP: insert sa successfully sa = 82EB5AD8
> *Mar 1 00:11:23.935: ISAKMP (0:1): Can not start Aggressive mode, trying
> Main mode.
> *Mar 1 00:11:23.935: ISAKMP: Looking for a matching key for 195.1.112.10 in
> default : success
> *Mar 1 00:11:23.935: ISAKMP (0:1): found peer pre-shared key matching
> 195.1.112.10
> *Mar 1 00:11:23.
> R2#935: ISAKMP (0:1): constructed NAT-T vendor-03 ID
> *Mar 1 00:11:23.939: ISAKMP (0:1): constructed NAT-T vendor-02 ID
> *Mar 1 00:11:23.939: ISAKMP (0:1): Input = IKE_MESG_FROM_IPSEC,
> IKE_SA_REQ_MM
> *Mar 1 00:11:23.939: ISAKMP (0:1): Old State = IKE_READY New State =
> IKE_I_MM1
>
> *Mar 1 00:11:23.939: ISAKMP (0:1): beginning Main Mode exchange
> *Mar 1 00:11:23.939: ISAKMP (0:1): sending packet to 195.1.112.10 my_port
> 500 peer_port 500 (I) MM_NO_STATE
> R2#
> *Mar 1 00:11:33.939: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE...
> *Mar 1 00:11:33.939: ISAKMP (0:1): incrementing error counter on sa:
> retransmit phase 1
> *Mar 1 00:11:33.939: ISAKMP (0:1): retransmitting phase 1 MM_NO_STATE
> *Mar 1 00:11:33.939: ISAKMP (0:1): sending packet to 195.1.112.10 my_port
> 500 peer_port 500 (I) MM_NO_STATE
>
> Should I see the static route (reverse-route) creation on both
> active and standby routers? I don't see the static route on the standby
> router.
>
> Ping output on CAT in the topology looks like this
> when I ping R3 from CAT.
>
> 3750-Switch#ping 195.1.123.3
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 195.1.123.3, timeout is 2 seconds:
> .!.!. ( <------------------------------------ )
>
> PIX Config
>
> pixfirewall(config)# sh run | in crypto
> crypto ipsec transform-set ts esp-des esp-sha-hmac
> crypto map cm 10 ipsec-isakmp
> crypto map cm 10 match address vpn
> crypto map cm 10 set peer 195.1.112.12
> crypto map cm 10 set transform-set ts
> crypto map cm interface outside
> pixfirewall(config)#
> pixfirewall(config)#
> pixfirewall(config)# sh isak
> isakmp enable outside
> isakmp key ******** address 195.1.112.12 netmask 255.255.255.255
> isakmp identity address
> isakmp keepalive 10
> isakmp policy 10 authentication pre-share
> isakmp policy 10 encryption des
> isakmp policy 10 hash md5
> isakmp policy 10 group 2
> isakmp policy 10 lifetime 86400
> pixfirewall(config)#
> pixfirewall(config)# sh cry isa sa
> Total : 2
> Embryonic : 1
> dst src state pending created
> 195.1.112.10 195.1.112.12 MM_SA_SETUP 0 0
> 195.1.112.12 195.1.112.10 QM_IDLE 0 1
> pixfirewall(config)#
>
> On 11/24/06, *Petr Lapukhov* <petr@internetworkexpert.com> wrote:
>
> Agree with Jens here, I just labbed the HA scenario from scratch (HSRP/RRI)
> and had no problems at all, actually. It does take some time for ISAKMP to
> renegotiate with the standby router, but aside from this everything works
> fine.
>
> Try labbing only the HA scenario in the most simplified environment, and
> check the debugging output when you shut down the primary router..
>
> 2006/11/24, Jens Petter <jenseike@start.no>:
>
> What do you mean by "only half of my traffic is working fine"... only the
> active router should send at one time. Only when you shut down the primary
> VPN should the standby come up, after the standby HSRP comes up..
>
> How does this have anything to do with the standby router?:
> Ping Output looks like this
> 3750-Switch#ping 195.1.123.3
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 195.1.123.3, timeout is 2 seconds:
> .!.!. ( <------------------------------------ )
>
> Is this on the standby router??. Does the tunnel go up/down since you are
> getting some packets through...
>
> Maybe paste in to us the VPN config on the other side also. Check
> connectivity. Why two routing protocols on the same interface?? Why don't
> you just redistribute that static directly into OSPF..
>
> I think you have a much more basic problem here than a problem with HA.
>
> Now, have you tested the VPN peering between your standby router and
> the other side of the VPN.. Doesn't look like you have good peering here.
> When you set up HA VPN you should first test both VPN peerings, make sure
> they work fine and that you get your reverse route up before you start
> configuring the HA feature..
>
> I have set up HA VPN many times, have never had any problems, so please
> show your whole config. Don't think you have a problem on the side you are
> showing here, at least not with HA VPN... You should check why you don't
> get that reverse route out to the routing table.. and why you don't have
> ISAKMP peering. That is your problem.
>
>
> Mvh
> Jens Petter Eikeland
> Mob 98247550
> Hipercom AS
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> Kal Han
> Sent: 24. november 2006 05:36
> To: Groupstudy; Cisco certification
> Subject: Help with VPN high-availability with HSRP
>
> Hi
> I am trying to set up VPN HA using HSRP.
> (R1 is active router and R2 is standby)
> After I configure everything, only half of my traffic is working fine.
> The standby router is always the problem!
> Out of two routers as part of HA, only one is actually able to
> successfully encrypt and decrypt the traffic. The other (standby router) is in
> R2#sh cry isa sa
> dst src state conn-id slot
> 195.1.112.10 195.1.112.12 MM_NO_STATE 1 0
>
> type of state.
>
> Ping Output looks like this
> 3750-Switch#ping 195.1.123.3
> Type escape sequence to abort.
> Sending 5, 100-byte ICMP Echos to 195.1.123.3, timeout is 2 seconds:
> .!.!. ( <------------------------------------ )
>
> Not sure what's wrong, and why the second router is not able to build up
> the tunnel.
> Has anyone seen this kind of problem?
>
> I am running OSPF throughout the network, and I am using EIGRP to
> redistribute the static routes created by "reverse-route injection".
>
> On my active router:
> R1#sroute stat
> 172.16.0.0/24 is subnetted, 2 subnets
> S 172.16.2.0 [1/0] via 195.1.112.10 <---- from my crypto access-list
> R1#
>
> On my standby router
>
> R2#sroute stat
>
> R2# <<<<<<< NO static routes seen here. >>>>>>
>
> I am attaching both the router configs.
>
> Any help is really appreciated. I tried this multiple times over a
> period of time. I had the same problem always. I am doing something
> wrong. I looked at online help but couldn't progress much further.
>
> R1#sh cry isa sa
> dst src state conn-id slot
> 195.1.112.12 195.1.112.10 QM_IDLE 1 0
>
> R2#sh cry isa sa
> dst src state conn-id slot
> 195.1.112.10 195.1.112.12 MM_NO_STATE 1 0
>
>
> R1#sh run
> Building configuration...
>
> Current configuration : 2461 bytes
> !
> version 12.2
> service timestamps debug datetime msec
> service timestamps log datetime msec
> no service password-encryption
> !
> hostname R1
> !
> logging queue-limit 100
> !
> memory-size iomem 10
> aaa new-model
> !
> !
> aaa authentication login default group tacacs+
> aaa authentication login NONE none
> aaa authorization auth-proxy default group tacacs+
> aaa session-id common
> ip subnet-zero
> !
> !
> no ip domain lookup
> !
> ip auth-proxy auth-cache-time 15
> ip auth-proxy name AP http
> ip audit notify log
> ip audit po max-events 100
> !
> !
> !
> crypto isakmp policy 10
> hash md5
> authentication pre-share
> group 2
> crypto isakmp key cceisec address 195.1.112.10
> crypto isakmp keepalive 10
> !
> !
> crypto ipsec transform-set ts esp-des esp-sha-hmac
> !
> crypto map cm 10 ipsec-isakmp
> set peer 195.1.112.10
> set transform-set ts
> match address 180
> reverse-route
> !
> !
> no voice hpi capture buffer
> no voice hpi capture destination
> !
> !
> mta receive maximum-recipients 0
> !
> !
> interface Loopback0
> ip address 11.11.11.11 255.255.255.0
> !
> interface FastEthernet0/0
> ip address 195.1.123.1 255.255.255.0
> ip ospf message-digest-key 1 md5 cciesec
> duplex auto
> speed auto
> !
> interface FastEthernet0/1
> ip address 195.1.112.1 255.255.255.0
> ip auth-proxy AP
> ip ospf message-digest-key 1 md5 cciesec
> ip ospf priority 255
> duplex auto
> speed auto
> standby ip 195.1.112.12
> standby priority 105
> standby preempt
> standby name HI
> crypto map cm redundancy HI
> !
> router eigrp 123
> redistribute static
> network 195.1.112.0
> network 195.1.123.0
> no auto-summary
> !
> router ospf 1
> router-id 11.11.11.11
> log-adjacency-changes
> no capability lls
> area 0 authentication message-digest
> network 11.11.11.0 0.0.0.255 area 0
> network 195.1.112.0 0.0.0.255 area 0
> network 195.1.123.0 0.0.0.255 area 0
> !
> ip http server
> no ip http secure-server
> ip classless
> ip tacacs source-interface Loopback0
> !
> !
> !
> access-list 180 permit ip 195.1.123.0 0.0.0.255 172.16.2.0 0.0.0.255
> !
> tacacs-server host 195.1.112.100 key mykey
> tacacs-server directed-request
> radius-server authorization permit missing Service-Type
> call rsvp-sync
> !
> !
> mgcp profile default
> !
> dial-peer cor custom
> !
> !
> line con 0
> exec-timeout 0 0
> logging synchronous
> login authentication NONE
> line aux 0
> line vty 0 4
> login authentication NONE
> !
> !
>
> ************************************************************
>
> ************************************************************
>
> R2#sh run
> Building configuration...
>
> Current configuration : 2479 bytes
> !
> version 12.2
> service timestamps debug datetime msec
> service timestamps log datetime msec
> no service password-encryption
> !
> hostname R2
> !
> logging queue-limit 100
> !
> memory-size iomem 10
> aaa new-model
> !
> !
> aaa authentication login default group tacacs+
> aaa authentication login NONE none
> aaa authorization auth-proxy default group tacacs+
> aaa session-id common
> ip subnet-zero
> !
> !
> no ip domain lookup
> !
> ip auth-proxy auth-cache-time 15
> ip auth-proxy name AP http
> ip audit notify log
> ip audit po max-events 100
> !
> !
> !
> crypto isakmp policy 10
> hash md5
> authentication pre-share
> group 2
> crypto isakmp key cceisec address 195.1.112.10
> crypto isakmp keepalive 10
> !
> !
> crypto ipsec transform-set ts esp-des esp-sha-hmac
> !
> crypto map cm 10 ipsec-isakmp
> set peer 195.1.112.10
> set transform-set ts
> match address 180
> reverse-route
> !
> !
> !
> no voice hpi capture buffer
> no voice hpi capture destination
> !
> !
> mta receive maximum-recipients 0
> !
> !
> !
> !
> interface Loopback0
> ip address 22.22.22.22 255.255.255.0
> !
> interface FastEthernet0/0
> ip address 195.1.123.2 255.255.255.0
> ip ospf message-digest-key 1 md5 cciesec
> duplex auto
> speed auto
> !
> interface Serial0/0
> no ip address
> shutdown
> no fair-queue
> !
> interface FastEthernet0/1
> ip address 195.1.112.2 255.255.255.0
> ip auth-proxy AP
> ip ospf message-digest-key 1 md5 cciesec
> duplex auto
> speed auto
> standby ip 195.1.112.12
> standby preempt
> standby name HI
> crypto map cm redundancy HI
> !
> router eigrp 123
> redistribute static
> network 195.1.112.0
> network 195.1.123.0
> no auto-summary
> !
> router ospf 1
> router-id 22.22.22.22
> log-adjacency-changes
> no capability lls
> area 0 authentication message-digest
> network 22.22.22.0 0.0.0.255 area 0
> network 195.1.112.0 0.0.0.255 area 0
> network 195.1.123.0 0.0.0.255 area 0
> !
> ip http server
> no ip http secure-server
> ip classless
> ip tacacs source-interface Loopback0
> !
> !
> !
> access-list 180 permit ip 195.1.123.0 0.0.0.255 172.16.2.0 0.0.0.255
> !
> tacacs-server host 195.1.112.100 key mykey
> tacacs-server directed-request
> radius-server authorization permit missing Service-Type
> call rsvp-sync
> !
> !
> mgcp profile default
> !
> dial-peer cor custom
> !
> !
> line con 0
> exec-timeout 0 0
> logging synchronous
> login authentication NONE
> line aux 0
> line vty 0 4
> login authentication NONE
> !
> !
> end
>
> R2#
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>
>
> --
> Petr Lapukhov, CCIE #16379
> petr@internetworkexpert.com
>
> Internetwork Expert, Inc.
> http://www.InternetworkExpert.com
> Toll Free: 877-224-8987
> Outside US: 775-826-4344
This archive was generated by hypermail 2.1.4 : Fri Dec 01 2006 - 08:05:48 ART