IPSec HA with HSRP

I posted an issue that I had on this configuration a day or two ago.  Not surprising that I got "0" responses.  So I figured since I wasn't going to get any help on this I would keep reading and labbing it up on my own.  Today I built the lab in dynamips.  I actually think I have it working, but the lab guide has a few typos, and it isn't clear on the behavior.  I used the resource posted on the Internetwork Expert Resources section but it seems to be a document that is NOT for the hardware platforms you would see in the lab.  Needless to say, it was no help. 

So here is where I am at. 

I have R2 connected to R3's HSRP VIP.  I can ping between 150.1.2.1 and 150.1.1.1.  I can verify that R2 and R3 have an SA.

I have HSRP working and I can fail the tracked interface of R3 and R4 takes over as Active router.  With a continuous ping it takes just over 1 minute to renegotiate the SA on R4 with R2 and then the ping picks right back up.  Up to this point with the HA it looks like it's working. 

Here is where I think it's not right.  When I bring the interface back up on R3 where preempt is configured I think it should become active again, establish a new SA and then pick up the pings again.  Instead HSRP does not go active on R3.  If I force it back by failing the interface on R4 then R3 does not negotiate a new SA on R3; instead it tells me that there is an invalid SPI. 

Is this configuration supposed to only be successful in one direction?  If not, what am I doing wrong?  Any guidance is appreciated.

Here is my .NET file:

 

autostart = False
[localhost:7200]
    workingdir = /tmp
    [[2621]]
        image = /users/brandoncarroll/Documents/dynalab/dynacode/c2600-ik9o3s3-mz.123-26.image
        ghostios = True
        chassis = 2621
    [[ROUTER R1]]
        model = 2621
        console = 2001
        f0/0 = SW1 1
        x = -334.951226765
        y = 16.9167388793
    [[ROUTER R4]]
        model = 2621
        console = 2004
        f0/0 = SW1 2
        f1/0 = SW2 1
        x = -127.556349186
        y = -218.994949366
    [[ROUTER R3]]
        model = 2621
        console = 2003
        f0/0 = SW1 3
        f1/0 = SW2 2
        x = 134.865007051
        y = 19.372583002
    [[ROUTER R2]]
        model = 2621
        console = 2002
        f0/0 = SW2 3
        x = -21.1471862576
        y = -87.2548339959
    [[ETHSW SW1]]
        1 = access 1
        2 = access 1
        3 = access 1
        x = 137.428932188
        y = 162.0
    [[ETHSW SW2]]
        1 = access 2
        2 = access 2
        3 = access 2
        x = -281.176190233
        y = -214.840620434
[GNS3-DATA]
    m11 = 0.25
    m22 = 0.25

Comments



  • Brandon,

    I'm working on a blog post for this scenario, as it seems to be confusing to many. Basically, the failover procedure relies on the IKE DPD feature. HSRP failover and DPD work in parallel:

    1) The primary HSRP router loses active status for some reason. This could be due to tracked object failure, or simply because of the secondary router losing contact with the primary. In the worst case of losing the primary router it may take slightly more than the HSRP holdtime for the secondary router to take over the VIP. This is the amount of time required for the virtual router to become functional again. You can tune HSRP timers to some really low values (even msecs) to permit this failover to occur as fast as possible.

    2) As soon as the HSRP primary becomes unreachable, and the remote IPsec router has data to send to the "virtual" IPsec router, the DPD procedure kicks in (in parallel with HSRP failover). After the DPD interval expires (minimum 10 seconds) the remote gateway will start "poking" the virtual router with IKE DPD R-U-THERE messages sent at periodic intervals. If the virtual router does not respond, the remote gateway drops the ISAKMP SA and tries to re-establish it once again. The command for tuning DPD is "crypto isakmp keepalive <n>". You can read more about DPD in RFC 3706.

    3) At this moment, it takes some time to negotiate the new SA. After this, the traffic may flow again. 

    Based on all the above, you may see that the minimum time it takes for IPsec/ISAKMP to re-negotiate a failed SA with the virtual router is around 20 seconds (roughly, I'll verify the exact times with my blog scenario). It cannot be tuned to a better value, since the minimum interval to start DPD is 10 seconds.

    Petr




    ----- Original Message -----
    From: "brandoncarroll" <[email protected]>
    Sent: Thu, November 6, 2008 8:57
    Subject: [IEWB-SC-VOL1-V3] IPSec HA with HSRP


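A small Python model of the failover and failback that Petr's three steps describe, added here as an illustration; it is not IOS code and not from the lab guide or the blog. It assumes IOS-style DPD timers (10 s idle interval, 2 s retry, 5 retries before the peer is declared dead, about 2 s to renegotiate) and that HSRP has already moved the VIP before DPD gives up. It shows why failback behaves like failover: the router that regains the VIP holds a stale SA, so R2's traffic is dropped as invalid SPI until R2's DPD tears down its own SA and renegotiates.

```python
# Added model of the HSRP/DPD interaction described in this thread; not IOS code.
# Timer values are assumptions: DPD idle interval 10 s (the IOS minimum), 2 s
# between R-U-THERE retries, 5 retries, and ~2 s to negotiate IKE + IPsec.
DPD_INTERVAL, DPD_RETRY, DPD_RETRIES, IKE_SETUP = 10, 2, 5, 2

class Gateway:
    """One IPsec endpoint; it knows only the IKE cookies and ESP SPIs it negotiated."""
    def __init__(self, name):
        self.name, self.ike_cookies, self.inbound_spis = name, set(), set()

class HsrpCluster:
    """R3 and R4 sharing one VIP. Whichever member is HSRP Active answers for it."""
    def __init__(self, members):
        self.members, self.active = members, members[0]

    def negotiate(self, cookie, spi):
        # New IKE and IPsec SAs land only on the router that currently owns the VIP.
        self.active.ike_cookies.add(cookie)
        self.active.inbound_spis.add(spi)

    def recv_esp(self, spi):
        # A router with no inbound SA for this SPI drops the packet (the "invalid SPI").
        return spi in self.active.inbound_spis

    def recv_r_u_there(self, cookie):
        # DPD R-U-THERE is acknowledged only by a router holding that IKE SA.
        return cookie in self.active.ike_cookies

class RemoteGateway:
    """R2: one SA toward the VIP, plus DPD (RFC 3706) driven from the remote side."""
    def __init__(self, cluster):
        self.cluster, self.cookie, self.spi, self.events, self.n = cluster, None, None, [], 0

    def connect(self):
        self.n += 1
        self.cookie, self.spi = f"cookie{self.n}", f"spi{self.n}"
        self.cluster.negotiate(self.cookie, self.spi)

    def send_traffic(self):
        """Send ESP; on loss, run DPD and renegotiate. Returns seconds of outage."""
        if self.cluster.recv_esp(self.spi):
            return 0
        self.events.append(f"{self.cluster.active.name}: invalid SPI {self.spi}")
        elapsed = DPD_INTERVAL                      # first R-U-THERE after the idle interval
        for _ in range(DPD_RETRIES):
            if self.cluster.recv_r_u_there(self.cookie):
                return elapsed                      # peer answered; keep the SA
            elapsed += DPD_RETRY                    # no ACK, retransmit later
        self.events.append(f"R2: peer dead after {elapsed}s, renegotiating")
        self.connect()
        return elapsed + IKE_SETUP

def run_scenario():
    """Failover to R4, then failback to R3; returns outages, event log, R3's SPIs."""
    r3, r4 = Gateway("R3"), Gateway("R4")
    cluster, outages = HsrpCluster([r3, r4]), []
    r2 = RemoteGateway(cluster)
    r2.connect()                        # initial SA with R3 (the Active router)
    cluster.active = r4                 # R3's tracked interface fails
    outages.append(r2.send_traffic())   # R4 lacks SA1 -> DPD -> new SA on R4
    cluster.active = r3                 # R3 preempts again (failback)
    outages.append(r2.send_traffic())   # R3 still holds stale SA1, not SA2
    return outages, r2.events, r3.inbound_spis
```

Each direction costs the same roughly 20 seconds of DPD detection plus the renegotiation, which matches the minimum Petr gives above; the stale SA left behind on R3 is why its log shows invalid SPI before the new SA is built.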

  • Petr,

    Thanks so much for your response. Thanks also for the blog post.  I commented on the blog with a few more questions.  Maybe it will clear some things up for other students.

    Thanks!

    Brandon
