Cisco VPN :: HSRP IPSec Stateful Failover On 2800 Platform
Mar 26, 2012
I have 2 C2811 ISRs runnning c2800nm-advsecurityk9-mz.124-15.T17.bin and having on board: 1 Virtual Private Network (VPN) Module.is it possible to enable IPSec stateful failover (or switchover, SSO) between these boxes? I get different infos from Cisco sources. url...All commands were accepted, but failover doesn't seem to be statefull (I loose connection for few seconds and VPNs are reestabilishing)
We have purchased a couple of Cisco 891 routers - both are running IOS 15.0(1) M5 licensed with advanced IP services (default). The literature for these devices on Cisco's website claims they support IPsec stateful failover on advanced IP services.
Our intention is to configure them with HSRP and IPsec stateful failover to provide a highly-available default gateway and VPN end-point.
I have configured HSRP and that seems to work fine. My problem is that I cannot configure IPsec stateful failover. The documentation that I have found implies that I need to configure inter-device redundancy on a particular HSRP group and use the physical IP addresses on the interfaces within that group to allow stateful failover communication between the routers however the routers do not recognise the 'redundancy' command in config mode...
I got the error in object when I try to add a new HSRP group in new vlan.All the HSRP group has the same HSRP group the 2.another way to provide clients's default gateway redundancy for each Vlan intead to use the HSRP?
Below is a basic image of the HSRP and backup link setup for our LAN.
The virtual IP 192.168.178.50 resides on the primary router and fails over to the backup router. Internal default gateways for the switches are set to 178.50.
Switch1 is Layer3 and has two static default routes configured as:
ip route 0.0.0.0 0.0.0.0 192.168.179.50 track 1 - - - (interface line-protocol track) ip route 0.0.0.0 0.0.0.0 192.168.178.50 2
And the primary router has a static route out 179.50 which tracks the interface (route goes down if interface is down), and a backup static route.
ip route (internal LAN) Gi0/1 track 1 - - - (interface line-protocol track) ip route (internal LAN) Gi0/2 2
Everything works fine. If the primary router fails, Switch1 tears down the route across Vlan179, HSRP fails over the IP to the backup router and routing continues as normal. If the link across Vlan179 fails, the routers tear down the primary routes and again, things continue as normal.
The problem comes when the primary WAN link fails but the router remains up. This means the default route is still across Vlan179. Normally, Id set an IP SLA on Switch1 to track the WAN link BUT Switch1 only has the BASE IOS and the company wont pay for the Advanced IP IOS so I dont have IP SLA as an option.
How can I get the static default route to failover in the event that only the primary WAN link goes down?
Turned up a new colo service last week using some PIX 515E firewalls and two Cat 2950 series switches. I have attached a diagram of the layout which I have used elsewhere with good success. Basically I have two switches connected together via port channel (2 ports). The colo facility gives me two HSRP enabled links, of which I plug one into switch A and the other in switch B. The PIxes are a failover pair with the primary plugged into the same switch A as the primary HSRP link.The backup PIX is plugged into the backup switch where the backup HSRP link is. When I unplug the primary HSRP link the PIX can ping the HSRP gateway still, but nothing beyond that. Nothing gets it to work until I plug the link back in.
The only thing I could see that might cause an issue is the 'ip verify reverse-path' command on the PIXes. But even the switches cannot ping out beyond the HSRP gateway. Just seems like all inbound routing stops. I am not sure what the colo facility has going on their side but it seems like they are using just some Cisco 6509s and doing HSRP between them. Seems pretty simple but so far this is proving un-usable as is.
The PIX BTW just uses a default route to the HSRP gateway.
I have two Cisco ASA 5510s that I would like to configure in an active passive failover setup. The ASAs are at the top of our rack and handle all our routing. We have been only using one ASA unit with one line from our ISP connected to the WAN/outside interface of the ASA. We recently had our ISP setup two lines into our rack using HSRP. I do not know what equipment they are running upstream of our ASAs but it is HSRP so it should be a set of Cisco routers/switches. Originally I thought I could just connect the 2nd new line to our 2nd ASAs WAN/outside port and setup failover using a crossover cable between the ASAs. After doing this config I had problems accessing some of our IPs in the subnet that the HSRP is part of. If I disconnected the 2nd ASAs WAN/outside line everything was fine. After talking with my ISP they explained that I need to connect both of my lines into our L2 network and then from there into the ASAs. Currently below the ASAs I have two Catalyst 3560-X switches. They are connected together with an ISL trunk and ASA-1s inside network connects to switch-1 and ASA-2 to switch-2. One idea was to connect each of the HSRP lines to each of my current switches and then from the switches to the ASA's WAN/outside interface. Finally back down from the ASA's to the switches via the inside interface that we have currently. This kind of seems messy and a poor choice. The other idea is to get two switches that would sit above the ASAs and connect the HSRP lines to them with the switches connected together. They would then connect to the ASAs. I like this idea better but I don't like having to buy two more full switches for this. These switches would only use a couple of ports and only handle just the HSRP ISP lines to the ASAs. Putting in two more 3560-Xs would be a big waste of money and space for this. So I was thinking of using two Cisco SG200-08, 8 port gigabit basic managed switches for this.
I currently have 2 WAN links, a 20MB Ethernet BGP MPLS and a bonded T1. I have a 2800 at each end configured to automatically fail over to the T1 in the event that the MPLS goes gown. I put a high AD on the T1 connection with static routes. If the MPLS goes down the T1 does kick in, however users are dropped from their applications and VOIP calls are disconnected.
I was looking into Fat Pipe appliances and they supposidly will fail over a connection without any packet loss - therefore not dropping a VOIP call or kicking anyone off the database application. In addition they will provide aggregated bandwidth.
Is there any way to achieve a similar failover without packet loss with just the routers? Do I really need to purchase the Fat Pipe to achieve this? Are there any alternatives?
I have a 2800 router connecting a small office to the Internet. I am using zone-based firewall to provide protection. The small office also needs to connect to another office. The 2800 is at the small office and an ASA at HQ. I successfully established the VPN connection and have allowed Internet access for the small office. The purpose of this post is my zone-base fw policy doesn't appear to be as secure as it could be.
2800 - I have defined two zones (inside and outside). Traffic from the inside to the outside is inspected expect for the traffic to the other office. I allow traffic to the other office to "pass" zbfw. Because the traffic "passes" zbfw, I have to "pass" the same traffic for the outside to in policy. The ASA has "sysopt" to allow VPN traffic to bypass the outside_acl. Do routers and zone-based firewall have a similar feature?
We have two Cisco 3560E layer 3 switches at the core of our network. The switches are configured as an HSRP pair and the clients on our network point to the HSRP address as their default gateway. So if CORE-A dies, then CORE-B will pick up the address and the default route for the clients will continue to be available.We also need to specify a few static routes on the core switch to allow us to get to specific networks. Is there a way to do this so that the routes failover in the same way that the default gateway does?
We try to migrate two ASA stateful Active / Passive from version 8.0 to 8.4 but many of acl rules and Nat no longer working. We must go through the version 8.2? The release 8.4 changes everything and seems to me not too stable, it'sl best to stay in 8.2 or 8.3 !!!
We are looking to deploy ISE supporting 5000 devices and would like to use the Cisco UCS platform to host this. Looking at the spec required a C22 M3 would be sufficient; however we would also like to host some UC applications on the same server if resources allow.
Therefore we would like to deploy ISE on a C220 M3 server and connect the associated NIC to a DMZ. We would then like to deploy UC applications such as CUCM and CUPS on the same UCS server with a NIC attached to the internal network.
Also while the UC application would require a UC Foundation License (R-VMW-UC-FND5-K9) whould this also meet the requirements for ISE?
I am doing a school research project in which I am setting up an OC-192 ring for a company (contract work through AT&T). I have chosen to use the Cisco ONS 15454 SONET MSPP as my platform. The company currently has locations in Chicago and Philadelphia and connects them through an OC-12C ATM connection and they are looking to add 2 gigabit ethernet connections.My question is what cards and parts will I need for the Cisco ONS 15454 SONET MSPP, and how much will everything cost? I have been searching the internet for components and prices and I have found it extremely difficult to find any information.
I currently have a 50Mbps Internet Connection provided by an ethernet handoff for hosting some webservers. We are looking at adding an additional 10Mbps Internetn connection and route BGP between the two. For the 50Mbps connection, i'm using a Cisco 2951 router. I also have another 2951 router to terminate the 10Mbps connection. Does these router have enough horsepower to fully route BGP?
I want to select catalyst 3560G for my network. But IOS SLB need to be implemented in my network. I only know catalyst 6500 series can support this feature and i am not sure whether 3560G can support this feature. what platform and IOS version i need to implement IOS SLB?
A make one BOM and i just ask my self can we order on the one platform ( for example 5510-SEC-BUN-K9 ) SSL Essentials license ( this license is on the platform by default we buy 250 users ) and i need 50 Users license from them to be Premium.
Can i buy those two license on the same platform and is this will work ?
During WAN troubleshooting, I did a "clear interface ser0/0/0" on a branch router. It has two WAN links. I lost ssh/telnet connectivity but both WAN links were still replying to pings. We did a manual power off of the router to regain connectivity.Is there a known issue with this command on this IOS version? We're using Cisco 2911 platform with IOS 15.1-1.T2 version.
I am trying to bridge the traffic(including different vlan traffic) from rtrA to rtrB using "bridge-group" functionality.I achived the same using a 7200 using the below configuration. [code] When I tried the same using 7600 router ping failed between rtrA and rtrB. Then from the documents it seems "bridge irb" is not supported in 7600.Is there any other way we can achieve the same fuctionality ( eg: using switchport also fine) ?
I've been experiencing a problem with my existing 3845's that may mean I may have to upgrade to a newer faster platform.Currently I have ISP links to 2 providers and run BGP. Each ISP link plugs into a separate 3845 NM-1GE fiber port. Both links are 100Mb ethernet handoff. There is an average of 50 - 60Mbps traversing each link during peak times. I am experiencing a large number of Input errors on both ISP links almost all of the errors are ignored. I opened a TAC case and I'm told that the 3845 can not handle this much traffic along with an ACL on the ISP interface and BGP. TAC engineer tells me that the RX ring of the interface is being overrun and tuning buffers will not make any difference. CPU util never goes above 25%.
You all know the senario; A managed device, let's say a c2801 router is being replaced with newer platform, let's say a c3900e series router. Might aswell be a C2960 being replace by a c3750x
I the goodolddays, with LMS3.2.1, you would get the "conflicting device" notice that the SNMP OID has changed on this managed device. you then need to press update and the device would then be managed once more.
How is tyhis done in LMS 4.2.2 ?
I seem to see more and more device in one of my installation, that DCR sees teh new OID and updates, but Inventory fails ... I get more of this, and the error is just; Internalt error in the job-browser .
I see Device Center info is wrong, but DCR info is right ..
What to do, and how do LMS handle this ? Can I get notice around when a device has been changed ?
I´m looking for an IOS on a 7609 SUP720/MSF3 that supports the NAT-PT feature (IPv4 to IPv6 translation). I searched on the Cisco Feature Navigator but the tool didn´t show up any IOS for the 760x platforms. I only got the feature "NAT-PT: Support for Overload (PAT)" with IOS 15.xS train.
3750 Stack (Voice gateway for phones configured on the 3750 and has a VPC nexus) + + + + + + (Nexus5596) ++++++++++ (Nexus5596) (Gateway for all other vlan like PC / servers / etc) + + + + + + 3750x access layer (VPC to Nexus) [CODE].....