Redundant routers with IPSEC failover

For the failover between routers I plan to use HSRP:
####### Router 1 #######
interface FastEthernet0/0
ip address 151.4.0.21 255.255.255.0
standby 1 ip 151.4.0.20
standby 1 priority 120
standby 1 preempt
####### Router 2 #######
interface FastEthernet0/0
ip address 64.232.113.10 255.255.255.0
standby 1 ip 151.4.0.20
standby 1 priority 110
standby 1 preempt
Each router is connected to the internet via different ISPs. Router 1 has ISP A and router 2 has ISP B. I plan on using an IPSEC site-to-site VPN. How do I configure each router so when router 1 fails, router 2 will not only pick up all outgoing LAN traffic via HSRP, but also create the site-to-site VPN?

Hi,
Here are the guidelines for configuring the scenario you described:
Configuring HSRP with IPsec
http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_vpn_ha_enhance_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1056265
First you need to name the HSRP group:
-> standby name group-name
e.g. standby name TEST
-> you define on both devices a crypto map, e.g. called CRYMAP_TEST
-> then apply the crypto map on both devices (router1 and router2) to F0/0:
    -> crypto map map-name redundancy [standby-name]
e.g. crypto map CRYMAP_TEST redundancy TEST
-> when defining the crypto peer setting on RemoteSite1 you define one peer only, i.e. 151.4.0.20 (HSRP VIP)
So basically you will end up with a stateless IPsec High Availability setup.
Istvan
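As an added, end-to-end example (mine, not the original poster's or Istvan's configuration), here is how the steps above fit together on both routers and at the remote site. It assumes both routers' FastEthernet0/0 interfaces sit on the same segment in 151.4.0.0/24, because HSRP peers share one LAN and the virtual IP 151.4.0.20 must belong to the interface subnet (so Router 2 gets a constructed address 151.4.0.22 rather than the ISP B address in the question). The remote peer 198.51.100.10, the pre-shared key, the LAN prefixes 10.1.0.0/16 and 10.2.0.0/16, and the IOS 15 crypto syntax (AES-256, SHA-256, DH group 14) are my choices, not values from the thread.

```text
! ======== Router 1 (HSRP active, priority 120) ========
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! PLACEHOLDER pre-shared key (constructed); the remote site will see the HSRP VIP as the peer
crypto isakmp key EXAMPLE-PSK-REPLACE-ME address 198.51.100.10
! periodic DPD so a dead active router is noticed without waiting for traffic
crypto isakmp keepalive 10 periodic
!
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! constructed LAN prefixes: behind the HSRP pair -> behind RemoteSite1
ip access-list extended VPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.2.0.0 0.0.255.255
!
crypto map CRYMAP_TEST 10 ipsec-isakmp
 set peer 198.51.100.10
 set transform-set TS-AES
 match address VPN-TRAFFIC
!
interface FastEthernet0/0
 ip address 151.4.0.21 255.255.255.0
 standby 1 ip 151.4.0.20
 standby 1 priority 120
 standby 1 preempt
 ! the group name is what the crypto map's "redundancy" keyword refers to
 standby 1 name TEST
 ! IKE and IPsec are sourced from the HSRP VIP and only the active router answers for it
 crypto map CRYMAP_TEST redundancy TEST
!
! ======== Router 2 (HSRP standby, priority 110) ========
! identical isakmp policy / key / transform-set / ACL / crypto map lines as Router 1,
! then the same interface configuration with its own physical address (constructed)
interface FastEthernet0/0
 ip address 151.4.0.22 255.255.255.0
 standby 1 ip 151.4.0.20
 standby 1 priority 110
 standby 1 preempt
 standby 1 name TEST
 crypto map CRYMAP_TEST redundancy TEST
!
! ======== RemoteSite1 ========
! one peer only: the VIP, never the physical 151.4.0.21 or 151.4.0.22
crypto isakmp key EXAMPLE-PSK-REPLACE-ME address 151.4.0.20
crypto isakmp keepalive 10 periodic
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
 mode tunnel
ip access-list extended VPN-TRAFFIC-REMOTE
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
crypto map CRYMAP_REMOTE 10 ipsec-isakmp
 set peer 151.4.0.20
 set transform-set TS-AES
 match address VPN-TRAFFIC-REMOTE
```

Because the set-up is stateless, the standby router holds no SAs: when Router 1 fails, HSRP moves the VIP within a few seconds, but the tunnel only comes back once the remote site notices the dead peer (the periodic keepalives above) or fresh traffic re-triggers IKE with the new active router. After a forced failover, `show standby brief` on both routers and `show crypto isakmp sa` on the new active router are the checks to run; on RemoteSite1, `show crypto isakmp sa` must always list the VIP as the peer.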

Similar Messages

  • IPSec for Redundant DMVPN with VRF

    Hi.
    I have been labbing up a solution using DMVPN and VRF, similar to that described in the blog post here.  It works very well, however when I try to extend the concept to a redundant hub, it breaks with IPSec.  If I remove the tunnel protection, it works fine.
    Does anyone have any ideas about providing IPSec protection to multiple DMVPN tunnels for VRFs to a redundant Hub?
    Thanks.
    Client config (no IPSec):
    interface Tunnel10
    ip vrf forwarding Staff
    ip address 10.254.254.23 255.255.255.0
    no ip redirects
    ip mtu 1416
    ip nhrp authentication MFS
    ip nhrp map multicast 172.16.1.1
    ip nhrp map 10.254.254.1 172.16.1.1
    ip nhrp map 10.254.254.3 172.16.1.3
    ip nhrp map multicast 172.16.1.3
    ip nhrp network-id 10
    ip nhrp holdtime 600
    ip nhrp nhs 10.254.254.1
    ip nhrp nhs 10.254.254.3
    ip tcp adjust-mss 1360
    tunnel source FastEthernet0/0
    tunnel mode gre multipoint
    tunnel key 10
    interface Tunnel20
    ip vrf forwarding Clients
    ip address 10.254.253.23 255.255.255.0
    no ip redirects
    ip mtu 1416
    ip nhrp authentication MFSC
    ip nhrp map 10.254.253.1 172.16.1.1
    ip nhrp map multicast 172.16.1.1
    ip nhrp map multicast 172.16.1.3
    ip nhrp map 10.254.253.3 172.16.1.3
    ip nhrp network-id 20
    ip nhrp holdtime 600
    ip nhrp nhs 10.254.253.1
    ip nhrp nhs 10.254.253.3
    ip tcp adjust-mss 1360
    tunnel source FastEthernet0/0
    tunnel mode gre multipoint
    tunnel key 20
    Hub 1:
    interface Tunnel10
    ip vrf forwarding Staff
    ip address 10.254.254.1 255.255.255.0
    no ip redirects
    ip mtu 1416
    ip nhrp authentication MFS
    ip nhrp map multicast dynamic
    ip nhrp network-id 10
    ip nhrp holdtime 360
    ip tcp adjust-mss 1360
    tunnel source FastEthernet0/0
    tunnel mode gre multipoint
    tunnel key 10
    interface Tunnel20
    ip vrf forwarding Clients
    ip address 10.254.253.1 255.255.255.0
    no ip redirects
    ip mtu 1416
    ip nhrp authentication MFSC
    ip nhrp map multicast dynamic
    ip nhrp network-id 20
    ip nhrp holdtime 360
    ip tcp adjust-mss 1360
    tunnel source FastEthernet0/0
    tunnel mode gre multipoint
    tunnel key 20
    Hub 2:
    interface Tunnel10
    ip vrf forwarding Staff
    ip address 10.254.254.3 255.255.255.0
    no ip redirects
    ip mtu 1416
    ip nhrp authentication MFS
    ip nhrp map multicast dynamic
    ip nhrp network-id 10
    ip nhrp holdtime 360
    ip nhrp server-only
    ip tcp adjust-mss 1360
    tunnel source FastEthernet0/0
    tunnel mode gre multipoint
    tunnel key 10
    interface Tunnel20
    ip vrf forwarding Clients
    ip address 10.254.253.3 255.255.255.0
    no ip redirects
    ip mtu 1416
    ip nhrp authentication MFSC
    ip nhrp map multicast dynamic
    ip nhrp network-id 20
    ip nhrp holdtime 360
    ip tcp adjust-mss 1360
    tunnel source FastEthernet0/0
    tunnel mode gre multipoint
    tunnel key 20

    Under the hub you have to add:
    HUB1
    interface Tunnel10
    ip nhrp map 10.254.254.3 <ip address of FastEthernet0/0 on HUB2>
    ip nhrp map multicast <ip address of FastEthernet0/0 on HUB2>
    HUB2
    interface Tunnel10
    ip nhrp map 10.254.254.1 <ip address of FastEthernet0/0 on HUB1>
    ip nhrp map multicast <ip address of FastEthernet0/0 on HUB1>
    The same thing for the other tunnel interfaces.
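As an added example (mine, not the poster's or the replier's), here is how the hub-to-hub NHRP entries suggested above combine with IPsec protection on both tunnels. Two mGRE tunnels that share the same `tunnel source FastEthernet0/0` can only both carry tunnel protection if the IPsec profile is applied with the `shared` keyword and each tunnel keeps a distinct `tunnel key` (10 and 20 here); that is my reading of why the second tunnel broke once protection was added, not a cause the thread states. The NBMA addresses 172.16.1.1 and 172.16.1.3 and the tunnel addressing are from the thread; the pre-shared key and the names DMVPN-TS and DMVPN-PROF are constructed placeholders.

```text
! ---- Common crypto on Hub 1, Hub 2 and every spoke ----
! IKE runs in the global table because the tunnel source (F0/0) is global; only the
! inside of each tunnel is in a VRF.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! PLACEHOLDER key (constructed); wildcard peer because spokes may have dynamic NBMA addresses
crypto isakmp key EXAMPLE-PSK-REPLACE-ME address 0.0.0.0 0.0.0.0
!
crypto ipsec transform-set DMVPN-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile DMVPN-PROF
 set transform-set DMVPN-TS
!
! ---- Hub 1 (F0/0 = 172.16.1.1) ----
interface Tunnel10
 ip vrf forwarding Staff
 ip address 10.254.254.1 255.255.255.0
 ip nhrp authentication MFS
 ip nhrp map multicast dynamic
 ! hub-to-hub entries from the reply above: Hub 2's tunnel address -> Hub 2's F0/0
 ip nhrp map 10.254.254.3 172.16.1.3
 ip nhrp map multicast 172.16.1.3
 ip nhrp network-id 10
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 10
 ! "shared": Tunnel10 and Tunnel20 use one source interface, so they share one set of
 ! IPsec SAs per peer and are told apart by tunnel key
 tunnel protection ipsec profile DMVPN-PROF shared
!
interface Tunnel20
 ip vrf forwarding Clients
 ip address 10.254.253.1 255.255.255.0
 ip nhrp authentication MFSC
 ip nhrp map multicast dynamic
 ip nhrp map 10.254.253.3 172.16.1.3
 ip nhrp map multicast 172.16.1.3
 ip nhrp network-id 20
 tunnel source FastEthernet0/0
 tunnel mode gre multipoint
 tunnel key 20
 tunnel protection ipsec profile DMVPN-PROF shared
!
! ---- Hub 2 (F0/0 = 172.16.1.3): mirror image, pointing back at Hub 1 ----
! (remaining Tunnel10/Tunnel20 lines as in the Hub 2 configuration quoted above)
interface Tunnel10
 ip nhrp map 10.254.254.1 172.16.1.1
 ip nhrp map multicast 172.16.1.1
 tunnel protection ipsec profile DMVPN-PROF shared
interface Tunnel20
 ip nhrp map 10.254.253.1 172.16.1.1
 ip nhrp map multicast 172.16.1.1
 tunnel protection ipsec profile DMVPN-PROF shared
!
! ---- Spoke: same profile, also "shared", on both tunnels (rest as in the client config) ----
interface Tunnel10
 tunnel protection ipsec profile DMVPN-PROF shared
interface Tunnel20
 tunnel protection ipsec profile DMVPN-PROF shared
```

`show dmvpn` on a hub should list the other hub and every spoke as NHRP peers in state UP on both tunnels, and `show crypto session` should show one IKE session per remote NBMA address carrying both tunnels rather than a failed second negotiation. If the protection command is refused on the second tunnel, check for a missing `shared` or a `tunnel key` that collides with the first tunnel's.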

  • ASA Redundant interfaces with stack switches

    Hi All,
    we have two ASA 5510 connected in failover, and a pair of Cisco 2960S switches connected in a stack.
    Currently one interface of the primary ASA is terminated on switch1 and an interface from the standby is connected to switch2 as Inside, and switch1 and switch2 are in a stack.
    For redundancy purposes I want to use multiple interfaces of the ASA for inside, so first I thought to use EtherChannel, but it has a limitation that it cannot be terminated on a stack switch (as per Cisco document http://www.cisco.com/en/US/docs/security/asa/asa91/configuration/general/interface_start.html ).
    So my question is :
    1. can we use redundant interface feature where  2 physical interfaces combined to a redundant interface (eg interface redundant 1) for inside redundancy purpose.
    2. Can these ports from primary/standby ASA terminated on stack switches (2960s), will this work (if the switch with active port goes down, will the other port take over in the redundant interface with the other switch).
    I have attached the nw diagram,
    Regards,
    Ashraf

    Hello Ashraf,
    1. can we use redundant interface feature where  2 physical interfaces combined to a redundant interface (eg interface redundant 1) for inside redundancy purpose.
    Sure, you can. That's the whole purpose of the feature.
    2. Can these ports from primary/standby ASA terminated on stack switches (2960s), will this work (if the switch with active port goes down, will the other port take over in the redundant interface with the other switch).
    It would make sense if that happens, as the status of the interface will be in a different state than up/up, so failover to the other interface will be triggered.
    Regards,
    Julio

  • Problem with IPSec on Solaris 9

    Hi all
    I'm facing a problem with IPSec on Solaris 9 that I didn't have with Solaris 8 (with the Security package installed).
    I've an application that creates SAs by using the PF_KEY interface.
    What it does is first do a GETSPI for a specific SPI and a specific destination IP address.
    This will create an SA and put it in a LARVAL state. After about a minute my application will do an UPDATE to this SPI, and that command should change the state of the SA from LARVAL to MATURE, but instead I get an error saying that this SPI & IP address already exist (errno = 17).
    Well, of course it already exists; that's the whole point. It should just change the state of an existing SA.
    This exact scenario works fine on Solaris 8.
    Am I doing something wrong (maybe there is a package on Solaris 9 that I need to install?)
    or is this a bug in Solaris 9?
    If anyone has any idea on how to do that (without using a one-step ADD for a new SA) I will be very thankful.

    Sorry for using reply for querying.
    I got a problem in creating a Security Association using the PF_KEY socket (first used SADB_GETSPI and got the SPI; with that SPI I tried to update with SADB_UPDATE).
    Getting this problem on Sun Solaris 8.
    It returns errno 122, operation not supported.
    Here is my mailId [email protected]
    I got a few more queries regarding the PF_KEY socket.
    Not much direction is available on the internet for the PF_KEY socket either.
    Monitor produces the following error.
    # ipseckey monitor
    "Base message (version 2) type UPDATE, SA type AH.
    Error Operation not supported on transport endpoint from PF_KEY.
    Message length 16 bytes, seq=4294967294, pid=450."
    Here is my mailId [email protected]
    Thanks in Advance.
    ssundar.

  • ISA 2006 with IPSEC and NAT - Publishing Outlook Anywhere - TCP Checksum Dropped 0xc0040031 problem

    Hi
    I am looking to publish Outlook Anywhere, with IPSEC configured as per (http://www.microsoft.com/en-us/download/confirmation.aspx?id=23708) to lock down Outlook Anywhere to
    machines with internal certificates only.
    I have the following infrastructure setup:
    ISA 2006 SP1 - Server 2003 R2 / SP2
    -Allows UDP 4500/500 and TCP 443
    -Hosted on VMWare ESXi 5
    Test laptop - Windows 7
    External Firewall static NAT's from a public IP to ISA server and allows the following:
    UDP 4500/500
    Protocol 50/51
    IPSEC policy configured on the ISA server:
    -IP Filter List = DMZ IP of ISA server, source port any, destination port 443
    -Filter Action = Negotiate Security, Integrity Only
    -Authentication Methods = Certificate Authority, internal enterprise CA selected
    IPSEC policy configured on the Windows 7 Test Laptop:
    -IP Filter List = External (public) IP of ISA server, source port any, destination port 443
    -Filter Action = Negotiate Security, Integrity Only
    -Authentication Methods = Certificate Authority, internal enterprise CA selected
    So far the following works:
    I have a port listener running on the ISA server to mimic Exchange (just to keep things simple to begin with).
    If I unassign the IPSEC policies, I can telnet from an external network on the test laptop successfully to the external IP of the ISA server. 
    If I assign the IPSEC policies, I cannot telnet from an external network on the test laptop to the external IP of the ISA server.  I note the following:
    -HTTPS is denied with no rule (an allow rule is present)
    -Result Code = 0xc0040031 FWX_E_BAD_TCP_CHECKSUM_DROPPED
    -The ISA log shows IKE Client and IPSEC NAT-T client traffic as successful.
    -The event log shows main mode and quick mode as successful.
    -The IPSEC monitor shows SA's for quick mode and main mode.
    If I google the error code I gather it relates to the TCP checksum being calculated by the ISA server disagreeing with the actual checksum received.  I guess this is part of AH.  I have tried the following:
    -Add the AssumeUDPEncapsulationContextOnSendRule = 2 on the ISA server under services\IPSEC and reboot.
    -Add the AssumeUDPEncapsulationContextOnSendRule = 2 on the Windows 7 Laptop under services\PolicyAgent and reboot.
    -Disable the following in the ISA server registry and reboot:
    RSS
    SecurityFilters
    TCPA
    TCPChimney
    -Disable Chimney Offload via Netsh command
    -Disable all Offload options on VMXNET 3 driver advanced settings and rebooting
    -Switching to an E1000 NIC and disabling all offload options and rebooting
    -Upgrading E1000 drivers from the base version (2002 driver) to Intel's later version (2008), rebooting and disabling all offload options.
    -Run a wireshark trace - cannot see anything useful
    -Checked the Oakley log - cannot see anything useful
    I still cannot get the 443 traffic to successfully connect without the FWX_E_BAD_TCP_CHECKSUM_DROPPED error and have run out of Google articles.
    I would really appreciate it if anyone has any suggestions.
    Many Thanks
    Steven

    Hi,
    Glad to hear that. I'll mark it as answer. Thank you.
    Best Regards,
    Joyce

  • Windows Server 2012: SMB share with transparent failover

    Have a nice day to all!
    I have 2 HP Proliant DL380P Gen8 servers containing 8 x 1TB disks (with P420i HP Smart Array RAID Controller) in each server.
    So, there are 2 arrays on every server:
    1. 2 x 1TB in RAID1 (+1 disk for hot swap) - system volume
    2. 5 x 1TB in RAID5 (+1 disk for hot swap) - data volume
    And I installed Windows Server 2012 Standard on each server.
    Then I created a two-node failover cluster.
    And now I want to create an SMB share with transparent failover for the whole second (data) volume (it's about 3.3TB in a RAID5 array). How can I reach this goal? I'm going to use it in future for Hyper-V VMs, so the main requirement is powered-on and working VMs even if one node of the SMB share cluster has failed.
    I wasn't able to see my volumes in Failover Cluster Manager. I tried to create iSCSI targets, storage pools, virtual disks, etc. but no luck. My Failover Cluster Manager can't see it to create an SMB share!
    Can anyone advise me something?
    Thanks in advance!

    You need to have the storage you want to export be shared storage visible to your cluster (part of CSV). Then you'll configure failover file shares using content accessible from both cluster nodes. Refer to this manual for diagrams (ignore StarWind and replace it logically with the existing shared storage you've used to create your cluster):
    http://www.starwindsoftware.com/configuring-ha-file-server-on-windows-server-2012-for-smb-nas
    Also see these manuals from MS on how to create failover file server:
    http://technet.microsoft.com/en-us/library/cc753969.aspx
    http://technet.microsoft.com/en-us/library/cc731844(v=ws.10).aspx
    http://blogs.technet.com/b/askcore/archive/2010/08/19/working-with-file-shares-in-windows-server-2008-r2-failover-clusters.aspx
    However, if you want to use existing storage located on both nodes you're out of luck. Microsoft does not provide anything representing local DAS to the cluster nodes. If you want to use existing DAS then you'll have to stick with a third-party product like StarWind, SteelEye or DataCore. To create something like in this picture:
    So you'll have a configuration with only two nodes, no physical shared hardware (SAS JBOD, FC or iSCSI) and vSAN. Refer to this manual:
    http://www.starwindsoftware.com/ns-configuring-ha-file-server-for-smb-nas
    Hope this helped :)
    StarWind iSCSI SAN & NAS

  • Cisco AnyConnect Secure Mobility Client with IPsec

    Hello,
    Current equipment
    ASA 5520
    ASA Version 8.4(6)
    ASDM Version 7.1(3)
    IPsec(IKEv1)
    Cisco VPN Client
    Cisco AnyConnect Secure Mobility Client
    Version 3.1.04072
    I need to configure the VPN client with IPsec using the versions of the VPN client I mentioned.
    The first time I completed all the parameters, I noted which file was edited. The file that was edited is "preferences.xml" in
    c:\users\user\AppData\Local\Cisco\Cisco AnyConnect Secure Mobility Client
    If I edit this file "preferences.xml", all the settings change, but it does not help me to make a solution.
    The file contains this
    <?xml version="1.0" encoding="UTF-8"?>
    <AnyConnectPreferences>
    <DefaultUser>user</DefaultUser>
    <DefaultSecondUser></DefaultSecondUser>
    <ClientCertificateThumbprint></ClientCertificateThumbprint>
    <ServerCertificateThumbprint></ServerCertificateThumbprint>
    <DefaultHostName>server</DefaultHostName>
    <DefaultHostAddress></DefaultHostAddress>
    <ProxyHost></ProxyHost>
    <ProxyPort></ProxyPort>
    <SDITokenType>none</SDITokenType>
    <ControllablePreferences>
    <LocalLanAccess>false</LocalLanAccess>
    <AutoConnectOnStart>false</AutoConnectOnStart>
    <BlockUntrustedServers>false</BlockUntrustedServers></ControllablePreferences>
    </AnyConnectPreferences>
    What I need to know is the "sentence" or configuration line that I have to introduce in this file to reference the different IPsec profiles. If I am told that I must update the handle or ASDM version, I can do it.
    Can somebody help me, please?

    Here is a link to an example of configuring AnyConnect to use IKEv2. According to this ASA 8.4 and AnyConnect 3.1 should be ok.
    http://www.cisco.com/c/en/us/support/docs/security/anyconnect-secure-mobility-client/113692-ac-ikev2-ca-00.html
    HTH
    Rick

  • N7k as redundant core with vpc to 4510/3750 as distribution switch

    Hi - basic question here
    Got 2 qty N7k as redundant core with vPC to 4510 and 3750 as redundant distribution switches running MST. I got stuck with some bad cabling design from our IDF to the datacenter, so I have 2 access switches whereby each one will have an EtherChannel to both distribution switches, the 4510 and the 3750. My question is: is this a doable design, as I am not sure about the vPC upstream and how it affects EtherChannel with MST for my distribution and access.
    Thanks

    vPC will be considered as one logical link by both upstream and downstream connected devices.
    The question here is: are you going to run L3 between the distribution and core devices? (This is the recommended design.) If yes, then you do not need to worry about MST and vPC if you are going to have L3 from the distribution devices up to the core.
    One thing to consider is that the distribution switches in your design have a big difference in terms of backplane throughput, I mean between the 4500 and the 3750!
    If you can have both as 4500 it will be a better and more consistent design.
    Good luck
    if helpful Rate

  • Linking devices that use separate routers with 2 separate DSL lines.

    Basically at home I have a setup like this using two different DSL lines.
    DSL-Line1 > Wireless Router/Modem1 > laptops/games consoles using it.
    DSL-Line2 > Wired Router/Modem > wired PCs/file server.
    Basically I'm wondering, if I replace the wired router/modem with something like a WAG320N, is there a way to link the two wireless networks together so the games consoles/laptops can get access to the PCs/file servers, but have them still using the separate DSL lines?
    i.e. being able to see each other but still using DSL-Line1 internet access for the games consoles etc., and the PCs/file servers using DSL-Line2.
    Thanks

    You can connect both routers with an ethernet cable. Example setup:
    Wireless router: LAN IP 192.168.1.1/255.255.255.0. DHCP server enabled for 192.168.1.100-149.
    Wired router: LAN IP 192.168.1.2/255.255.255.0. DHCP server disabled.
    Everything which is supposed to go through the wired router must have a static IP address configured on the device itself. You configure an IP address, e.g. 192.168.1.200, subnet mask 255.255.255.0, gateway 192.168.1.2 and dns 192.168.1.2. Now that computer will use the wired router as internet gateway.
    All devices which still use DHCP to obtain an IP address will connect through the wireless router to the internet.
    Inside your LAN you have full connectivity.

  • Redundant installation with 4200 sensors

    Hi
    We are in the process of starting to work on a design with several IPS 4270s. The demand is to make the design redundant and highly available.
    As far as I am aware there is no redundancy support (e.g. no protocol support like HSRP) within the IPS itself, but there are several ways to make a redundant installation. I'm looking for white papers, case studies or design suggestions involving a redundant installation. Could you please guide me to where to find such information?
    Thanks
    Johan Kellerman

    Hi,
    See the following white paper:
    "IPS Deployments in Enterprise Data Centers"
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5729/ps5713/ps4077/prod_white_paper0900aecd806e724b.html
    Regards,

  • Clustering with automatic failover of entity beans? (Provided by any vendors)

    Do any vendors provide for clustering with automatic failover of entity beans? I know that WLS does not. How about Gemstone? If not, is there a reason why it is not possible?
    It seems to me that EJB servers should be capable of automatic failover of entity beans.
    dan

    Sorry I meant to send this to the ejb newsgroup.
    dan
    dan benanav wrote:
    > Do any vendors provide for clustering with automatic failover of entity
    > beans? I know that WLS does not. How about Gemstone? If not is there
    > a reason why it is not possible?
    >
    > It seems to me that EJB servers should be capable of automatic failover
    > of entity beans.
    >
    > dan

  • Redundant power with UC560-T1E1-K9

    Good morning,
    Is there any way of having redundant power with UC560-T1E1-K9 (redundant internal power, RPS, UPS, etc..)?
    Thank you very much
    Best Regards
    João Mendes

    Hello,
    In order to use Meet-Me conferencing, you have two options.
    1.  Conferences have to be "initiated" by an internal phone.
         a) To initiate conference, pickup an internal phone handset, hit "more" button on phone menu, hit "MeetMe" option.  Then dial meet-me extension (770).  Now that the conference has been initiated, other phones can just dial the 770 extension to join the conference.
    2.  Select "Enable Meet-me Unlocked" on the CCA page for the conference configuration.
         a) To initiate a conference, just dial the conference extension (770).  Users can join by dialing 770 also.
    Thank you,
    Darren

  • How do I correct the problem of two routers with the same OSPF Router IDs?

    How do I correct the problem of two routers with the same OSPF Router IDs?

    Hi,
    The answer above is correct, though you don't really need to reload, you can just simply clear the OSPF process with the following command:
    clear ip ospf 1 process
    HTH

  • Need to add a new segment on a live ASA5520 with a failover setup running

    Hi ,
    How do I add a new segment on my ASA5520 that is currently in a LAN-based active/standby failover?
    Will it trigger the failover if I add another interface, and will it be just as simple as unshutting a normal interface and adding an IP with the same configuration as the other interfaces for failover?
    All of my existing segments have a redundant switch, and the new segment that I will be creating is just straightforward with only 1 switch on the segment.
    fw-inside-1# show run int
    interface GigabitEthernet0/0
    description OUTSIDE Interface_1
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/1
    description APPS Interface_1
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/2
    description DB Interface_1
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet0/3
    description LAN/STATE Failover Interface
    interface Management0/0
    shutdown
    nameif management
    security-level 100
    no ip address
    management-only
    interface GigabitEthernet1/0
    description OUTSIDE Interface_2
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet1/1
    description APPS Interface_2
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet1/2
    description DB Interface_2
    no nameif
    no security-level
    no ip address
    interface GigabitEthernet1/3           <<<<<<<<<<<<<<<<<< I will use this interface for the new segment.
    shutdown
    no nameif
    no security-level
    no ip address
    interface Redundant1
    member-interface GigabitEthernet0/0
    member-interface GigabitEthernet1/0
    nameif outside
    security-level 0
    ip address 10.50.5.10 255.255.255.0 standby 10.50.5.11
    interface Redundant2
    member-interface GigabitEthernet0/1
    member-interface GigabitEthernet1/1
    nameif apps
    security-level 80
    ip address 172.16.1.1 255.255.255.0 standby 172.16.1.2
    interface Redundant3
    member-interface GigabitEthernet0/2
    member-interface GigabitEthernet1/2
    nameif db
    security-level 90
    ip address 172.16.4.1 255.255.255.0 standby 172.16.4.2
    fw-inside-1#
    fw-inside-1# show run fail
    failover
    failover lan unit primary
    failover lan interface Failover GigabitEthernet0/3
    failover polltime unit 5 holdtime 15
    failover link Failover GigabitEthernet0/3
    failover interface ip Failover 10.0.0.1 255.255.255.252
    fw-inside-1#
    Since I will not be having a redundant switch on the new segment I will use the below config
    interface GigabitEthernet1/3    
      no shut
      nameif
      security-level 75
      ip address 172.16.3.1 255.255.255.0 standby 172.16.3.2
    Then I will connect cables..
    Please let me know if you have any suggestions or links.
    Regards

    You should first configure your interface, then cable both units and after that no shut it on the ASA. Additionally you can remove your new interface from failover monitoring as a precaution if something goes wrong.
    Sent from Cisco Technical Support iPad App
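Putting the reply's ordering into commands, as an added example that is not the poster's or the replier's: the interface is configured on the active unit first (failover replicates it to the standby), explicitly excluded from health monitoring, cabled on both units and only then brought up. GigabitEthernet1/3 and the addresses are from the post; the interface name newseg is a constructed placeholder because the post left `nameif` blank.

```text
! Step 1 (on the active unit; failover replicates the change to the standby): configure while still shut down
interface GigabitEthernet1/3
 description NEW segment, single switch, no redundant link
 nameif newseg
 security-level 75
 ip address 172.16.3.1 255.255.255.0 standby 172.16.3.2
!
! Step 2: physical interfaces with a nameif are health-monitored by default. A single-switch
! segment (or a not-yet-cabled standby port) must not be able to trigger a unit failover,
! so take this one out of monitoring explicitly.
no monitor-interface newseg
!
! Step 3: cable GigabitEthernet1/3 on BOTH the primary and the secondary unit to the new switch
!
! Step 4: bring the interface up
interface GigabitEthernet1/3
 no shutdown
!
! Verify on both units: the new interface should be listed as Normal (Not-Monitored)
! and the unit states must not have changed
show failover
show interface GigabitEthernet1/3 | include line protocol
```

Once the single switch is replaced by a redundant pair, the interface can be moved under an `interface RedundantN` like the existing segments and monitoring re-enabled with `monitor-interface newseg`.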

  • Issues with IPSEC on active standby ASA 5545-X

    We have two 500 meg layer 2 links with Ethernet presentation. Each end of these links is connected to the outside interface of an ASA firewall in active/standby. So four firewalls total.
    When I configure an IPsec tunnel between them and fail over one end, the tunnel fails over correctly. When I fail back to the primary, it stalls until manually cleared in the ASDM or CLI.
    I don't really understand why it works at all rather than just the first time, so I would appreciate some assistance. Is some sort of tracking required? I've attached a diagram which I hope helps.
    Running asa912-smp-k8.bin and asdm-713.bin

    GurjitSra
    Correct. In order to reload IPS without triggering failover you'll need to remove IPS inspection from policy-maps so that failover will not track IPS status.
    Johan.
