Downloads |
Table Of Contents
Prerequisites for Stateful Failover for IPSec
Restrictions for Stateful Failover for IPSec
Information About Stateful Failover for IPSec
Supported Deployment Scenarios: Stateful Failover for IPSec
IPSec Stateful Failover for Remote Access Connections
How to Use Stateful Failover for IPSec
Enabling HSRP: IP Redundancy and a Virtual IP Address
Prerequisites for Spanning Tree Protocol and HSRP Stability
SSO: Interacting with IPSec and IKE
Configuring Reverse Route Injection on a Crypto Map
Configuring RRI on Dynamic Crypto Map
Configuring RRI on a Static Crypto Map
Enabling Stateful Failover for IKE and IPSec
Enabling Stateful Failover for IKE
Enabling Stateful Failover for IPSec
Enabling Stateful Failover for Tunnel Protection
Managing and Verifying High Availability Information
Managing Anti-Replay Intervals
Managing and Verifying HA Configurations
Configuration Examples for Stateful Failover
Configuring IPSec Stateful Failover: Example
Configuring IPSec Stateful Failover for an Easy VPN Server: Example
crypto map redundancy replay-interval
local-ip (IPC transport-SCTP local)
remote-ip (IPC transport-SCTP remote)
Stateful Failover for IPSec
Stateful failover for IP Security (IPSec) enables a router to continue processing and forwarding IPSec packets after a planned or unplanned outage occurs. Customers employ a backup (secondary) router that automatically takes over the tasks of the active (primary) router if the active router loses connectivity for any reason. This process is transparent to the user and does not require adjustment or reconfiguration of any remote peer.
Stateful failover for IPSec is designed to work in conjunction with stateful switchover (SSO) and Hot Standby Routing Protocol (HSRP). HSRP provides network redundancy for IP networks, ensuring that user traffic immediately and transparently recovers from failures in network edge devices or access circuits. That is, HSRP monitors both the inside and outside interfaces so that if either interface goes down, the whole router is deemed to be down and ownership of Internet Key Exchange (IKE) and IPSec security associations (SAs) is passed to the standby router (which transitions to the HSRP active state). SSO allows the active and standby routers to share IKE and IPSec state information so that each router has enough information to become the active router at any time. To configure stateful failover for IPSec, a network administrator should enable HSRP, assign a virtual IP address, and enable the SSO protocol.
Feature History for Stateful Failover for IPSec
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.
Contents
•
Prerequisites for Stateful Failover for IPSec
•
•
•
•
Prerequisites for Stateful Failover for IPSec
Complete, Duplicate IPSec and IKE Configuration on the Active and Standby Devices
This document assumes that you have a complete IKE and IPSec configuration. (This document describes only how to add stateful failover to a working IPSec configuration.)
The IKE and IPSec configuration that is set up on the active device must be duplicated on the standby device. That is, the crypto configuration must be identical with respect to Internet Security Association and Key Management Protocol (ISAKMP) policy, ISAKMP keys (preshared), IPSec profiles, IPSec transform sets, all crypto map sets that are used for stateful failover, all access control lists (ACLs) that are used in match address statements on the crypto map sets, all AAA configurations used for crypto, client configuration groups, ip local pools used for crypto, and ISAKMP profiles.
Note
Device Requirements
•
•
Restrictions for Stateful Failover for IPSec
When configuring redundancy for a virtual private network (VPN), the following restrictions exist:
•
•
•
•
•
•
•
•
•
•
Information About Stateful Failover for IPSec
To configure stateful failover for VPNs, you should understand the following concepts:
•
•
Supported Deployment Scenarios: Stateful Failover for IPSec
It is recommended that you implement IPSec stateful failover in one of the following recommended deployment scenarios—a single interface scenario or a dual interface scenario.
In a single interface scenario, the VPN gateways use one LAN connection for both encrypted traffic arriving from remote peers and decrypted traffic flowing to inside hosts (see Figure 1). The single interface design allows customers to save money on router ports and subnets. This design is typically used if all traffic flowing in and out of the organization does not traverse the VPN routers.
Figure 1 Single Interface Network Topology
In a dual interface scenario, a VPN gateway has more than one interface, enabling traffic to flow in and out of the router via separate interfaces (see Figure 2). This scenario is typically used if traffic flowing in and out of a site must traverse the routers, so the VPN routers will provide the default route out of the network.Figure 2 Dual Interface Network Topology
Table 1 lists the functionality available in both a single interface scenario and a dual interfaces scenario.
IPSec Stateful Failover for Remote Access Connections
The main difference between a remote access and a LAN-to-LAN connection is the use of Xauth and mode-config. IKE Xauth is often used to authenticate the user. IKE mode-config is often used to push security policy from the hub (concentrator) router to the user's IPSec implementation. Mode-config is also typically used to assign an internal company network IP address to a user.
In addition to the differences between a remote access configuration and a LAN-to-LAN configuration, you should note the following remote-access-server-specific functions:
•
–
–
To enable accounting on the HA pair, you should issue the following commands on both Active and Standby devices: aaa accounting network radius-accounting start-stop group radius then apply radius-accounting either to the crypto isakmp profile or the crypto map set.
•
For additional information on how to configure IPSec stateful failover for a remote access connection, see the section "Configuring IPSec Stateful Failover for an Easy VPN Server: Example" in this document.
How to Use Stateful Failover for IPSec
This section contains the following the procedures:
•
•
•
•
•
•
Enabling HSRP: IP Redundancy and a Virtual IP Address
HSRP provides two services—IP redundancy and a VIP address. Each HSRP group may provide either or both of these services. IPSec stateful failover uses the IP redundancy services from only one HSRP standby group. It can use the VIP address from one or more HSRP groups. Use the following task to configure HSRP on the outside and inside interfaces of the router.
Note
Prerequisites for Spanning Tree Protocol and HSRP Stability
If a switch connects the active and standby routers, you must perform one of the following steps to ensure that the correct settings are configured on that switch:
•
•
•
For more information on HSRP instability, see the document Avoiding HSRP Instability in a Switching Environment with Various Router Platforms.
Note
Restrictions
•
•
•
•
Note
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
DETAILED STEPS
Troubleshooting Tips
To help troubleshoot possible HSRP-related configuration problems, issue any of the following HSRP-related debug commands—debug standby errors, debug standby events, and debug standby packets [terse].
Examples
The following example shows how to configure HSRP on a router:
interface Ethernet0/0ip address 209.165.201.1 255.255.255.224standby 1 ip 209.165.201.3standby 1 preemptstandby 1 namestandby 1 track Ethernet1/0standby delay reload 120What to Do Next
After you have successfully configured HSRP on both the inside and outside interfaces, you should enable SSO as described the in the section "Enabling SSO."
Enabling SSO
Use this task to enable SSO, which is used to transfer IKE and IPSec state information between two routers.
SSO: Interacting with IPSec and IKE
SSO is a method of providing redundancy and synchronization for many Cisco IOS applications and features. SSO is necessary for IPSec and IKE to learn about the redundancy state of the network and to synchronize their internal application state with their redundant peers.
Prerequisites
•
•
–
–
–
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
DETAILED STEPS
Troubleshooting Tips
To help troubleshoot possible SSO-related configuration problems, issue the debug redundancy command.
Examples
The following example shows how to enable SSO:
!redundancy inter-devicescheme standby HA-out!!ipc zone defaultassociation 1no shutdownprotocol sctplocal-port 5000local-ip 10.0.0.1retransmit-timeout 300 10000path-retransmit 10assoc-retransmit 10remote-port 5000remote-ip 10.0.0.2!What to Do Next
After you have enabled SSO, you should configure reverse route injection (RRI) on a crypto map as shown in the following section.
Configuring Reverse Route Injection on a Crypto Map
You should configure RRI on all existing crypto maps that you want to use with stateful failover. RRI is used with stateful failover so routers on the inside network can learn about the correct path to the current active device. When failover occurs, the new active device injects the RRI routes into its IP routing table and sends out routing updates to its routing peers.
Use one of the following tasks to configure RRI on a dynamic or static crypto map.
•
•
Configuring RRI on Dynamic Crypto Map
Dynamic crypto map entries, like regular static crypto map entries, are grouped into sets. A set is a group of dynamic crypto map entries all with the same dynamic map name but each with a different dynamic sequence number. Each member of the set may be configured for RRI.
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Configuring RRI on a Static Crypto Map
Static crypto map entries are grouped into sets. A set is a group of static crypto map entries all with the same static map name but each with a different sequence number. Each static crypto map in the map set can be configured for RRI. Use this task to configure RRI on a static crypto map.
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Examples
The following example shows how to configure RRI on the static crypto map "to-peer-outside":
crypto map to-peer-outside redundancy replay-interval inbound 1000 outbound 10000crypto map to-peer-outside 10 ipsec-isakmpset peer 209.165.200.225set transform-set trans1match address peer-outsidereverse-routeWhat to Do Next
After you have configured RRI, you can enable stateful failover for IPSec and IKE.
Enabling Stateful Failover for IKE and IPSec
Use the following tasks to configure stateful failover for IPSec, IKE, and tunnel protection:
•
•
•
Enabling Stateful Failover for IKE
There is no specific command-line interface (CLI) necessary to enable stateful failover for IKE. It is enabled for a particular VIP address when a stateful failover crypto map is applied to an interface.
Enabling Stateful Failover for IPSec
Use this task to enable stateful failover for IPSec. All IPSec state information is transferred from the active router to the standby router via the SSO redundancy channel that was specified in the task "Enabling SSO."
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Troubleshooting Tips
To help troubleshoot possible IPSec HA-related problems, issue the debug crypto ipsec ha [detail] [update] command.
Examples
The following example shows how to configure IPSec stateful failover on the crypto map "to-peer-outside":
interface Ethernet0/0ip address 209.165.201.1 255.255.255.224standby 1 ip 209.165.201.3standby 1 preemptstandby 1 name HA-outstandby 1 track Ethernet1/0crypto map to-peer-outside redundancy HA-out statefulEnabling Stateful Failover for Tunnel Protection
Use an existing IPSec profile to configure stateful failover for tunnels using IPSec. (You do not configure the tunnel interface as you would with a crypto map configuration.)
Restrictions
The tunnel source address must be a VIP address, and it must not be an interface name.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
DETAILED STEPS
Examples
The following example shows how to configure stateful failover for tunnel protection:
crypto ipsec profile peer-profileredundancy HA-out statefulinterface Tunnel1ip unnumbered Loopback0tunnel source 209.165.201.3tunnel destination 10.0.0.5tunnel protection ipsec profile peer-profile!interface Ethernet0/0ip address 209.165.201.1 255.255.255.224standby 1 ip 209.165.201.3standby 1 name HA-outWhat to Do Next
After you have configured stateful failover, you can use the CLI to protect, verify, and manage your configurations. For more information on completing these tasks, see the sections "Protecting SSO Traffic" and "Managing and Verifying High Availability Information."
Protecting SSO Traffic
Use this task to secure a redundancy group via an IPSec profile. To configure SSO traffic protection, the active and standby devices must be directly connected to each other via Ethernet networks.
The crypto maps that are automatically generated when protecting SSO traffic are applied to each interface, which corresponds to an IP address that was specified via the local-ip command. Traffic that is destined for an IP address that was specified via the remote-ip command is forced out of the crypto-map-configured interface via an automatically created static host route.
Note
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
DETAILED STEPS
Examples
The following example shows how to configure SSO traffic protection:
crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 no-xauth!crypto ipsec transform-set trans2 ah-md5-hmac esp-aes!crypto ipsec profile sso-secureset transform-set trans2!redundancy inter-devicescheme standby HA-outsecurity ipsec sso-secureManaging and Verifying High Availability Information
Use any of the following optional tasks to secure and manage your high availability configurations:
•
•
Managing Anti-Replay Intervals
Use this optional task to modify the interval in which an IP redundancy-enabled crypto map forwards anti-replay updates from the active router to the standby router.
SUMMARY STEPS
1.
2.
3.
DETAILED STEPS
Examples
The following example shows how to modify replay counter intervals between the active and standby devices on the crypto map "to-peer-outside":
crypto map to-peer-outside redundancy replay-interval inbound 1000 outbound 10000crypto map to-peer-outside 10 ipsec-isakmpset peer 209.165.200.225set transform-set trans1match address peer-outsideManaging and Verifying HA Configurations
Use any of the steps within this optional task to display and verify the high availability configurations.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
DETAILED STEPS
Examples
Verifying the Active Device:Examples
Router# show redundancy statesmy state = 13 -ACTIVEpeer state = 8 -STANDBY HOTMode = DuplexUnit ID = 0Split Mode = DisabledManual Swact = EnabledCommunications = Upclient count = 7client_notification_TMR = 30000 millisecondskeep_alive TMR = 4000 millisecondskeep_alive count = 0keep_alive threshold = 7RF debug mask = 0x0Router# show crypto isakmp sa activedst src state conn-id slot status209.165.201.3 209.165.200.225 QM_IDLE 5 0 ACTIVERouter# show crypto ipsec sa activeinterface:Ethernet0/0Crypto map tag:to-peer-outside, local addr 209.165.201.3protected vrf:(none)local ident (addr/mask/prot/port):(192.168.0.1/255.255.255.255/0/0)remote ident (addr/mask/prot/port):(172.16.0.1/255.255.255.255/0/0)current_peer 209.165.200.225 port 500PERMIT, flags={origin_is_acl,}#pkts encaps:3, #pkts encrypt:3, #pkts digest:3#pkts decaps:4, #pkts decrypt:4, #pkts verify:4#pkts compressed:0, #pkts decompressed:0#pkts not compressed:0, #pkts compr. failed:0#pkts not decompressed:0, #pkts decompress failed:0#send errors 0, #recv errors 0local crypto endpt.:209.165.201.3, remote crypto endpt.:209.165.200.225path mtu 1500, media mtu 1500current outbound spi:0xD42904F0(3559458032)inbound esp sas:spi:0xD3E9ABD0(3555306448)transform:esp-3des ,in use settings ={Tunnel, }conn id:2006, flow_id:6, crypto map:to-peer-outsidesa timing:remaining key lifetime (k/sec):(4586265/3542)HA last key lifetime sent(k):(4586267)ike_cookies:9263635C CA4B4E99 C14E908E 8EE2D79CIV size:8 bytesreplay detection support:YStatus:ACTIVEinbound ah sas:spi: 0xF3EE3620(4092474912)transform: ah-md5-hmac ,in use settings ={Tunnel, }conn id: 2006, flow_id: 6, crypto map: to-peer-outsidesa timing: remaining key lifetime (k/sec): (4586265/3542)HA last key lifetime sent(k): (4586267)ike_cookies: 9263635C CA4B4E99 C14E908E 8EE2D79Creplay detection support: YStatus: ACTIVEinbound pcp sas:outbound esp sas:spi: 0xD42904F0(3559458032)transform: esp-3des ,in use settings ={Tunnel, }conn id: 2009, flow_id: 9, crypto map: to-peer-outsidesa timing: remaining key lifetime (k/sec): (4586266/3542)HA last key lifetime sent(k): (4586267)ike_cookies: 9263635C CA4B4E99 C14E908E 8EE2D79CIV size: 8 bytesreplay detection support: YStatus: ACTIVEoutbound ah sas:spi: 0x75251086(1965363334)transform: ah-md5-hmac ,in use settings ={Tunnel, }conn id: 2009, flow_id: 9, crypto map: to-peer-outsidesa timing: remaining key lifetime (k/sec): (4586266/3542)HA last key lifetime sent(k): (4586267)ike_cookies: 9263635C CA4B4E99 C14E908E 8EE2D79Creplay detection support: YStatus: ACTIVEoutbound pcp sas:
Router# show crypto session activeCrypto session current statusInterface: Ethernet0/0Session status: UP-ACTIVEPeer: 209.165.200.225 port 500IKE SA: local 209.165.201.3/500 remote 209.165.200.225/500 ActiveIKE SA: local 209.165.201.3/500 remote 209.165.200.225/500 ActiveIPSEC FLOW: permit ip host 192.168.0.1 host 172.16.0.1Active SAs: 4, origin: crypto mapRouter# show crypto haIKE VIP: 209.165.201.3stamp: 74 BA 70 27 9C 4F 7F 81 3A 70 13 C9 65 22 E7 76IPSec VIP: 209.165.201.3IPSec VIP: 255.255.255.253IPSec VIP: 255.255.255.254Verifying the Standby Device: Examples
Router# show redundancy statesmy state = 8 -STANDBY HOTpeer state = 13 -ACTIVEMode = DuplexUnit ID = 0Split Mode = DisabledManual Swact = EnabledCommunications = Upclient count = 7client_notification_TMR = 30000 millisecondskeep_alive TMR = 4000 millisecondskeep_alive count = 1keep_alive threshold = 7RF debug mask = 0x0Router# show crypto isakmp sa standbydst src state conn-id slot status209.165.201.3 209.165.200.225 QM_IDLE 5 0 STDBYRouter# show crypto ipsec sa standbyinterface:Ethernet0/0Crypto map tag:to-peer-outside, local addr 209.165.201.3protected vrf:(none)local ident (addr/mask/prot/port):(192.168.0.1/255.255.255.255/0/0)remote ident (addr/mask/prot/port):(172.16.0.1/255.255.255.255/0/0)current_peer 209.165.200.225 port 500PERMIT, flags={origin_is_acl,}#pkts encaps:0, #pkts encrypt:0, #pkts digest:0#pkts decaps:0, #pkts decrypt:0, #pkts verify:0#pkts compressed:0, #pkts decompressed:0#pkts not compressed:0, #pkts compr. failed:0#pkts not decompressed:0, #pkts decompress failed:0#send errors 0, #recv errors 0local crypto endpt.:209.165.201.3, remote crypto endpt.:209.165.200.225path mtu 1500, media mtu 1500current outbound spi:0xD42904F0(3559458032)inbound esp sas:spi:0xD3E9ABD0(3555306448)transform:esp-3des ,in use settings ={Tunnel, }conn id:2012, flow_id:12, crypto map:to-peer-outsidesa timing:remaining key lifetime (k/sec):(4441561/3486)HA last key lifetime sent(k):(4441561)ike_cookies:00000000 00000000 00000000 00000000IV size:8 bytesreplay detection support:YStatus:STANDBYinbound ah sas:spi:0xF3EE3620(4092474912)transform:ah-md5-hmac ,in use settings ={Tunnel, }conn id:2012, flow_id:12, crypto map:to-peer-outsidesa timing:remaining key lifetime (k/sec):(4441561/3486)HA last key lifetime sent(k):(4441561)ike_cookies:00000000 00000000 00000000 00000000replay detection support:YStatus:STANDBYinbound pcp sas:outbound esp sas:spi:0xD42904F0(3559458032)transform:esp-3des ,in use settings ={Tunnel, }conn id:2011, flow_id:11, crypto map:to-peer-outsidesa timing:remaining key lifetime (k/sec):(4441561/3485)HA last key lifetime sent(k):(4441561)ike_cookies:00000000 00000000 00000000 00000000IV size:8 bytesreplay detection support:YStatus:STANDBYoutbound ah sas:spi:0x75251086(1965363334)transform:ah-md5-hmac ,in use settings ={Tunnel, }conn id:2011, flow_id:11, crypto map:to-peer-outsidesa timing:remaining key lifetime (k/sec):(4441561/3485)HA last key lifetime sent(k):(4441561)ike_cookies:00000000 00000000 00000000 00000000replay detection support:YStatus:STANDBYoutbound pcp sas:Router# show crypto session standbyCrypto session current statusInterface:Ethernet0/0Session status:UP-STANDBYPeer:209.165.200.225 port 500IKE SA:local 209.165.201.3/500 remote 209.165.200.225/500 ActiveIPSEC FLOW:permit ip host 192.168.0.1 host 172.16.0.1Active SAs:4, origin:crypto mapRouter# show crypto haIKE VIP:209.165.201.3stamp:74 BA 70 27 9C 4F 7F 81 3A 70 13 C9 65 22 E7 76IPSec VIP:209.165.201.3IPSec VIP:255.255.255.253IPSec VIP:255.255.255.254ha-R2#Verifying the Active and Standby SAs: Example
The following sample output shows SAs of both the active and standby devices:
Router# show crypto isakmp sadst src state conn-id slot status209.165.201.3 209.165.200.225 QM_IDLE 2 0 STDBY10.0.0.1 10.0.0.2 QM_IDLE 1 0 ACTIVEConfiguration Examples for Stateful Failover
This section contains the following comprehensive IPSec stateful failover configuration examples:
•
•
Configuring IPSec Stateful Failover: Example
Figure 3 and the following sample outputs from the show running-config command illustrate how to configure stateful failover on two devices—Ha-R1 and Ha-R2.
Figure 3 IPSec Stateful Failover Sample Topology
Stateful Failover Configuration on Ha-R1
Ha-R1#show running-configBuilding configuration...Current configuration :2086 bytes!version 12.3service timestamps debug datetime msecservice timestamps log datetime msecno service password-encryption!hostname ha-R1!boot-start-markerboot-end-marker!!redundancy inter-devicescheme standby HA-outsecurity ipsec sso-secure!logging buffered 10000000 debugginglogging rate-limit console 10000!!ipc zone defaultassociation 1no shutdownprotocol sctplocal-port 5000local-ip 10.0.0.1remote-port 5000remote-ip 10.0.0.2!clock timezone PST 0no aaa new-modelip subnet-zero!crypto isakmp policy 1authentication pre-sharecrypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 no-xauth!!crypto ipsec transform-set trans1 ah-md5-hmac esp-3descrypto ipsec transform-set trans2 ah-md5-hmac esp-aes!crypto ipsec profile sso-secureset transform-set trans2!!crypto map to-peer-outside redundancy replay-interval inbound 1000 outbound 10000crypto map to-peer-outside 10 ipsec-isakmpset peer 209.165.200.225set transform-set trans1match address peer-outside!!!interface Ethernet0/0ip address 209.165.201.1 255.255.255.224standby 1 ip 209.165.201.3standby 1 preemptstandby 1 name HA-outstandby 1 track Ethernet1/0standby delay reload 120crypto map to-peer-outside redundancy HA-out stateful!interface Ethernet1/0ip address 10.0.0.1 255.255.255.0standby 2 ip 10.0.0.3standby 2 preemptstandby 2 name HA-outstandby delay reload 120standby 2 track Ethernet0/0!interface Serial2/0no ip addressshutdownserial restart-delay 0!interface Serial3/0no ip addressshutdownserial restart-delay 0!ip classlessip route 0.0.0.0 0.0.0.0 209.165.201.5ip route 192.168.0.0 255.255.0.0no ip http serverno ip http secure-server!!!ip access-list extended peer-outsidepermit ip host 192.168.0.1 host 172.16.0.1!!control-plane!!line con 0exec-timeout 0 0transport preferred alltransport output allline aux 0transport preferred alltransport output allline vty 0 4logintransport preferred alltransport input alltransport output all!endStateful Failover Configuration on Ha-R2
Ha-R2#show running-configBuilding configuration...Current configuration :2100 bytes!version 12.3service timestamps debug datetime msecservice timestamps log datetime msecno service password-encryption!hostname ha-R2!boot-start-markerboot-end-marker!!redundancy inter-devicescheme standby HA-outsecurity ipsec sso-secure!logging buffered 10000000 debugginglogging rate-limit console 10000!!ipc zone defaultassociation 1no shutdownprotocol sctplocal-port 5000local-ip 10.0.0.2remote-port 5000remote-ip 10.0.0.1!clock timezone PST 0no aaa new-modelip subnet-zero!!crypto isakmp policy 1authentication pre-sharelifetime 120crypto isakmp key cisco123 address 0.0.0.0 0.0.0.0 no-xauth!!crypto ipsec transform-set trans1 ah-md5-hmac esp-3descrypto ipsec transform-set trans2 ah-md5-hmac esp-aes!crypto ipsec profile sso-secureset transform-set trans2!!crypto map to-peer-outside redundancy replay-interval inbound 1000 outbound 10000crypto map to-peer-outside 10 ipsec-isakmpset peer 209.165.200.225set transform-set trans1match address peer-outside!!!interface Ethernet0/0ip address 209.165.201.2 255.255.255.224standby 1 ip 209.165.201.3standby 1 preemptstandby 1 name HA-outstandby 1 track Ethernet1/0standby delay reload 120crypto map to-peer-outside redundancy HA-out stateful!interface Ethernet1/0ip address 10.0.0.2 255.255.255.0standby 2 ip 10.0.0.3standby 2 preemptstandby 2 name HA-outstandby delay reload 120standby 2 track Ethernet0/0!interface Serial2/0no ip addressshutdownserial restart-delay 0!interface Serial3/0no ip addressshutdownserial restart-delay 0!ip classlessip route 0.0.0.0 0.0.0.0 209.165.201.5ip route 192.168.0.0 255.255.0.0no ip http serverno ip http secure-server!!!ip access-list extended peer-outsidepermit ip host 192.168.0.1 host 172.16.0.1!!control-plane!!line con 0exec-timeout 0 0transport preferred alltransport output allline aux 0transport preferred alltransport output allline vty 0 4logintransport preferred alltransport input alltransport output all!endHa-R2#Configuring IPSec Stateful Failover for an Easy VPN Server: Example
The following sample outputs from the show running-config command show how to configure stateful failover for a remote access connection via an Easy VPN server:
Stateful Failover for an Easy VPN Server Configuration on RAHA-R1
RAHA-R1# show running-configBuilding configuration...Current configuration :3829 bytes!version 12.3service timestamps debug datetime msecservice timestamps log datetime msecno service password-encryption!hostname RAHA-R1!boot-start-markerboot-end-marker!redundancy inter-devicescheme standby HA-out!username remote_user password 0 letmein!ipc zone defaultassociation 1no shutdownprotocol sctplocal-port 5000local-ip 10.0.0.1remote-port 5000remote-ip 10.0.0.2!aaa new-model!!! Enter the following command if you are doing Xauth locally.aaa authentication login local_xauth local!! Enter the following command if you are doing Xauth remotely via RADIUS.!aaa authentication login radius_xauth group radius!! Enter the following command if you are not doing Xauth!aaa authentication login no_xauth none!! Enter the following command if you are doing local group authentication.aaa authorization network local_auth local!! Enter the following command if you are doing group authentication remotely via RADIUS.!aaa authorization network radius_auth group radius!!! Enter the following command if you are doing Xauth remotely via RADIUS.!aaa accounting network radius_accounting start-stop group radiusaaa session-id commonip subnet-zero!crypto isakmp policy 1encr 3deshash md5authentication pre-sharegroup 2!!! Enter the following command if you are doing group authentication locally.crypto isakmp client configuration group unitykey cisco123domain cisco.compool client-address-pool!!crypto ipsec transform-set trans1 esp-3des esp-sha-hmac!crypto dynamic-map to-remote-client 10set transform-set trans1reverse-route remote-peer!! Use this map if you want to do local group authentication and Xauth.crypto map to_peer_outside_local_xauth client authentication list local_xauthcrypto map to_peer_outside_local_xauth isakmp authorization list local_authcrypto map to_peer_outside_local_xauth client configuration address respondcrypto map to_peer_outside_local_xauth 10 ipsec-isakmp dynamic to-remote-client!! Use this map if you want to use Radius for group authentication and Xauth.!crypto map to_peer_outside_radius_xauth isakmp client authentication list radius_xauth!crypto map to_peer_outside_radius_xauth client accounting list radius_accounting!crypto map to_peer_outside_radius_xauth isakmp authorization list radius_auth!crypto map to_peer_outside_radius_xauth isakmp client configuration address respond!crypto map to_peer_outside_radius_xauth isakmp 10 ipsec-isakmp dynamic to-remote-client!! Use this map if you want to do local group authentication and no Xauth!crypto map to_peer_outside_no_xauth isakmp authorization list local_auth!crypto map to_peer_outside_no_xauth configuration address respond!crypto map to_peer_outside_no_xauth 10 ipsec-isakmp dynamic to-remote-client!interface Ethernet0/0ip address 209.165.201.1 255.255.255.224standby 1 ip 209.165.201.3standby 1 preemptstandby 1 name HA-outstandby 1 track Ethernet1/0standby delay reload 120crypto map to_peer_outside_local_xauth redundancy HA-out stateful!interface Ethernet1/0ip address 10.0.0.1 255.255.255.0standby 2 ip 10.0.0.3standby 2 preemptstandby 2 name HA-outstandby 2 track Ethernet0/0standby delay reload 120!! Enable loopback0 if you are using radius for Xauth, group auth, or accounting with ! crypto HA!interface loopback0! ip address 192.168.100.1 255.255.255.255!! Enable this command if you are using radius for Xauth, group auth, or accounting with ! crypto HA!ip radius source-interface loopback0!ip local pool client-address-pool 50.0.0.1 50.0.0.254ip classlessip route 0.0.0.0 0.0.0.0 209.165.201.5ip route 192.168.0.0 255.255.255.0 10.0.0.5!radius-server host 192.168.0.0 255.255.0.0 auth-port 1845 acct-port 1846radius-server key radius123!control-plane!!line con 0exec-timeout 0 0line aux 0line vty 0 4!endStateful Failover for an Easy VPN Server Configuration on RAHA-R2
RAHA-R2# show running-configBuilding configuration...Current configuration :3829 bytes!version 12.3service timestamps debug datetime msecservice timestamps log datetime msecno service password-encryption!hostname RAHA-R2!boot-start-markerboot-end-marker!redundancy inter-devicescheme standby HA-out!username remote_user password 0 letmein!ipc zone defaultassociation 1no shutdownprotocol sctplocal-port 5000local-ip 10.0.0.2remote-port 5000remote-ip 10.0.0.1!aaa new-model!!! Enter the following command if you are doing Xauth locally.aaa authentication login local_xauth local!! Enter the following command if you are doing Xauth remotely via RADIUS.!aaa authentication login radius_xauth group radius!! Enter the following command if you are not doing Xauth.!aaa authentication login no_xauth none!! Enter the following command if you are doing local group authentication.aaa authorization network local_auth local!! Enter the following command if you are doing group authentication remotely via RADIUS.!aaa authorization network radius_auth group radius!!! Enter the following command if you are doing Xauth remotely via RADIUS.!aaa accounting network radius_accounting start-stop group radiusaaa session-id commonip subnet-zero!crypto isakmp policy 1encr 3deshash md5authentication pre-sharegroup 2!!! Enter the following commands if you are doing group authentication locally.crypto isakmp client configuration group unitykey cisco123domain cisco.compool client-address-pool!!crypto ipsec transform-set trans1 esp-3des esp-sha-hmac!crypto dynamic-map to-remote-client 10set transform-set trans1reverse-route remote-peer!!! Use this map if you want to dolocal group authentication and Xauth.crypto map to_peer_outside_local_xauth client authentication list local_xauthcrypto map to_peer_outside_local_xauth isakmp authorization list local_authcrypto map to_peer_outside_local_xauth client configuration address respondcrypto map to_peer_outside_local_xauth 10 ipsec-isakmp dynamic to-remote-client!! Use this map if you want to use Radius for group authentication and Xauth.!crypto map to_peer_outside_radius_xauth isakmp client authentication list radius_xauth!crypto map to_peer_outside_radius_xauth client accounting list radius_accounting!crypto map to_peer_outside_radius_xauth isakmp authorization list radius_auth!crypto map to_peer_outside_radius_xauth isakmp client configuration address respond!crypto map to_peer_outside_radius_xauth isakmp 10 ipsec-isakmp dynamic to-remote-client!!! Use this map if you want to do local authentication and no Xauth.!crypto map to_peer_outside_no_xauth isakmp authorization list local_auth!crypto map to_peer_outside_no_xauth configuration address respond!crypto map to_peer_outside_no_xauth 10 ipsec-isakmp dynamic to-remote-client!interface Ethernet0/0ip address 209.165.201.2 255.255.255.224standby 1 ip 209.165.201.3standby 1 preemptstandby 1 name HA-outstandby 1 track Ethernet1/0standby delay reloadcrypto map to_peer_outside_local_xauth redundancy HA-out stateful!interface Ethernet1/0ip address 10.0.0.2 255.255.255.0standby 2 ip 10.0.0.3standby 2 preemptstandby 2 name HA-outstandby 2 track Ethernet0/0standby delay reload!! Enable loopback0 if you are using radius for Xauth, group auth, or accounting with ! crypto HA!interface loopback0! ip address 192.168.100.1 255.255.255.255!! Enable this command if you are using radius for Xauth, group auth, or accounting with ! crypto HA!ip radius source-interface loopback0!ip local pool client-address-pool 50.0.0.1 50.0.0.254ip classlessip route 0.0.0.0 0.0.0.0 209.165.201.5ip route 192.168.0.0 255.255.0.0!radius-server host 192.168.0.200 auth-port 1845 acct-port 1846radius-server key radius123!control-plane!!!line con 0exec-timeout 0 0line aux 0line vty 0 4!endAdditional References
The following sections provide references related to stateful failover for IPSec.
Related Documents
RRI
IPSec VPN High Availability Enhancements, Cisco IOS Release 12.2(11)T feature module
HSRP
The section "Configuring the Hot Standby Router Protocol" within the chapter "Configuring IP Services" of the Cisco IOS IP Configuration Guide, Release 12.3
Easy VPN Server
Cisco Easy VPN Remote, Cisco IOS Release 12.3(7)T feature module
IPSec and IKE configuration
The section "IP Security and Encryption" in the Cisco IOS Security Configuration Guide, Release 12.3
IPSec and IKE commands
Standards
MIBs
None
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
RFCs
Technical Assistance
Command Reference
This section documents only new and modified commands.
New Commands
•
•
•
clear crypto isakmp
To clear active Internet Key Exchange (IKE) connections, use the clear crypto isakmp command in privileged EXEC mode.
clear crypto isakmp [connection-id] [active | standby]
Syntax Description
Command Modes
Privileged EXEC
Command History
11.3 T
This command was introduced.
12.3(11)T
The active and standby keywords were added.
Usage Guidelines
Caution
Examples
The following example clears an IKE connection between two peers connected by interfaces 172.21.114.123 and 172.21.114.67:
Router# show crypto isakmp sadst src state conn-id slot172.21.114.123 172.21.114.67 QM_IDLE 1 0209.165.201.1 209.165.201.2 QM_IDLE 8 0Router# clear crypto isakmp 1Router# show crypto isakmp sadst src state conn-id slot209.165.201.1 209.165.201.2 QM_IDLE 8 0Router#Related Commands
clear crypto sa
To delete IP Security (IPSec) security associations (SAs), use the clear crypto sa command in privileged EXEC mode.
clear crypto sa [active | standby]
Virtual Routing and Forwarding (VRF) Syntax
clear crypto sa peer [vrf fvrf-name] address
clear crypto sa [vrf ivrf-name]
Crypto Map Syntax
clear crypto sa map map-name
IP Address, Security Protocol Standard, and SPI Syntax
clear crypto sa entry destination-address protocol spi
Traffic Counters Syntax
clear crypto sa counters
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
This command clears (deletes) IPSec SAs.
If the SAs were established via Internet Key Exchange (IKE), they are deleted and future IPSec traffic will require new SAs to be negotiated. (When IKE is used, the IPSec SAs are established only when needed.)
If the SAs are manually established, the SAs are deleted and reinstalled. (When IKE is not used, the IPSec SAs are created as soon as the configuration is completed.)
Note
•
•
•
•
If any of the above commands cause a particular SA to be deleted, all the "sibling" SAs—that were established during the same IKE negotiation—are deleted as well.
The counters keyword simply clears the traffic counters maintained for each SA; it does not clear the SAs themselves.
If you make configuration changes that affect SAs, these changes will not apply to existing SAs but to negotiations for subsequent SAs. You can use the clear crypto sa command to restart all SAs so that they will use the most current configuration settings. In the case of manually established SAs, if you make changes that affect SAs you must use the clear crypto sa command before the changes take effect.
If the router is processing active IPSec traffic, it is suggested that you clear only the portion of the SA database that is affected by the changes, to avoid causing active IPSec traffic to temporarily fail.
Note that this command clears only IPSec SAs; to clear IKE state, use the clear crypto isakmp command.
Examples
The following example clears (and reinitializes if appropriate) all IPSec SAs at the router:
clear crypto saThe following example clears (and reinitializes if appropriate) the inbound and outbound IPSec SAs established, along with the SA established for address 10.0.0.1 using the AH protocol with the SPI of 256:
clear crypto sa entry 10.0.0.1 AH 256The following example clears all the SAs for VRF VPN1:
clear crypto sa vrf vpn1Related Commands
clear crypto session
To delete crypto sessions (IP Security [IPSec] and Internet Key Exchange [IKE] security associations [SAs]), use the clear crypto session command in privileged EXEC mode.
clear crypto session [local ip-address [port local-port]] [remote ip-address [port remote-port]] | [fvrf vrf-name] [ivrf vrf-name]
IPSec and IKE Stateful Failover Syntax
clear crypto session [active | standby]
Syntax Description
Defaults
If the clear crypto session command is entered without any keywords, all existing sessions will be deleted. The IPSec SAs will be deleted first, then the IKE SAs. Port default values are 500.
Command Modes
Privileged EXEC
Command History
12.3(4)T
This command was introduced.
12.3(11)T
The active and standby keywords were added.
Usage Guidelines
To clear a specific crypto session or a subset of all the sessions, you need to provide session-specific parameters, such as a local or remote IP address, a local or remote port, an FVRF name, or an IVRF name.
If a local IP address is provided as a parameter when you use the clear crypto session command, all the sessions (and their IKE SAs and IPSec SAs) that share the IP address as a local crypto endpoint (IKE local address) will be deleted.
Examples
The following example shows that all crypto sessions will be deleted:
Router# clear crypto sessionThe following example shows that the crypto session of the FVRF named "blue" will be deleted:
Router# clear crypto session fvrf blueThe following example shows that the crypto sessions of the FVRF "blue" and the IVRF session "green" will be deleted:
Router# clear crypto session fvrf blue ivrf greenThe following example shows that the crypto sessions of the local endpoint 10.1.1.1 and remote endpoint 10.2.2.2 will be deleted. The local endpoint port is 5, and the remote endpoint port is 10.
Router# clear crypto session local 10.1.1.1 port 5 remote 10.2.2.2 port 10=Related Commands
crypto map (interface IPSec)
To apply a previously defined crypto map set to an interface, use the crypto map command in interface configuration mode. To remove the crypto map set from the interface, use the no form of this command.
crypto map map-name [redundancy standby-group-name[stateful]]
no crypto map [map-name] [redundancy standby-group-name [stateful]]
Syntax Description
Defaults
No crypto maps are assigned to interfaces.
Command Modes
Interface configuration
Command History
Usage Guidelines
Use this command to assign a crypto map set to an interface. You must assign a crypto map set to an interface before that interface can provide IPSec services. Only one crypto map set can be assigned to an interface. If multiple crypto map entries have the same map name but a different sequence number, they are considered to be part of the same set and will all be applied to the interface. The crypto map entry that has the lowest sequence number is considered the highest priority and will be evaluated first. A single crypto map set can contain a combination of ipsec-isakmp and ipsec-manual crypto map entries.
The standby name must be configured on all devices in the standby group, and the standby address must be configured on at least one member of the group. If the standby name is removed from the router, the IPSec security associations (SAs) will be deleted. If the standby name is added again, regardless of whether the same name or a different name is used, the crypto map (using the redundancy option) will have to be reapplied to the interface.
Note
The stateful keyword enables stateful failover of IKE and IPSec sessions. Stateful Switch Over (SSO) must also be configured for IPSec stateful failover to operate correctly.
Examples
The following example shows how all remote Virtual Private Network (VPN) gateways connect to the router via 192.168.0.3:
crypto map mymap 1 ipsec-isakmpset peer 10.1.1.1reverse-routeset transform-set esp-3des-shamatch address 102Interface FastEthernet 0/0ip address 192.168.0.2 255.255.255.0standby name group1standby ip 192.168.0.3crypto map mymap redundancy group1access-list 102 permit ip 192.168.1.0 0.0.0.255 10.0.0.0 0.0.255.255The crypto map on the interface binds this standby address as the local tunnel endpoint for all instances of "mymap" and, at the same time, ensures that stateless HSRP failover is facilitated between an active and standby device that belongs to the same standby group, "group1."
Reverse route injection (RRI) is also enabled to provide the ability for only the active device in the HSRP group to be advertising itself to inside devices as the next hop VPN gateway to the remote proxies. If a failover occurs, routes are deleted on the former active device and created on the new active device.
The following example shows how to configure IPSec stateful failover on the crypto map "to-peer-outside":
crypto map to-peer-outside 10 ipsec-isakmpset peer 209.165.200.225set transform-set trans1match address peer-outsideinterface Ethernet0/0ip address 209.165.201.1 255.255.255.224standby 1 ip 209.165.201.3standby 1 preemptstandby 1 name HA-outstandby 1 track Ethernet1/0crypto map to-peer-outside redundancy HA-out stateful
Related Commands
crypto map redundancy replay-interval
To modify the interval at which inbound and outbound replay updates are passed from an active device to a standby device, use the crypto map redundancy replay-interval command in global configuration mode. To return to the default functionality, use the no form of this command.
crypto map map-name redundancy replay-interval inbound in-value outbound out-value
no crypto map map-name redundancy replay-interval inbound in-value outbound out-value
Syntax Description
Defaults
inbound in-value: one update every 1,000 packets
outbound out-value: one update every 100,000 packets
Command Modes
Global configuration
Command History
Usage Guidelines
Note
Stateful failover enables a router to continue processing and forwarding packets after a planned or unplanned outage occurs; that is, a backup (secondary) router automatically takes over the tasks of the active (primary) router if the active router loses connectivity for any reason.
The crypto map redundancy replay-interval command allows you to modify the interval in which an IP redundancy-enabled crypto map sends anti-replay updates from the active router to the standby router.
Examples
The following example shows how to enable replay checking for the crypto map "to-peer-outside" and enable IPSec stateful failover:
crypto map to-peer-outside redundancy replay-interval inbound 1000 outbound 10000crypto map to-peer-outside 10 ipsec-isakmpset peer 209.165.200.225set transform-set trans1match address peer-outside!interface Ethernet0/0ip address 209.165.201.1 255.255.255.224standby 1 ip 209.165.201.3standby 1 preemptstandby 1 name HA-outstandby 1 track Ethernet1/0crypto map to-peer-outside redundancy HA-out stateful
debug crypto ha
To display crypto high availability debugging information, use the debug crypto ha command in privileged EXEC mode. To disable debugging messages, use the no form of this command.
debug crypto ha
no debug crypto ha
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Examples
The following example is sample output from the debug crypto ha command:
Router# debug crypto haActive router:Router# show debugCryptographic Subsystem:Crypto High Availability Manager debugging is onvrf-lite-R1#*Sep 28 21:27:50.899:Sending IKE Add SA Message*Sep 28 21:27:50.899:HA Message 0:flags=0x01 len=394 HA_IKE_MSG_ADD_SA (2)*Sep 28 21:27:50.899: ID:04000003*Sep 28 21:27:50.899: attr HA_IKE_ATT_MY_COOKIE (2) len 8*Sep 28 21:27:50.899: 9B 1A 76 AA 99 11 1A 1F*Sep 28 21:27:50.899: attr HA_IKE_ATT_HIS_COOKIE (3) len 8*Sep 28 21:27:50.899: E2 A2 A3 5F 53 1D EA 15*Sep 28 21:27:50.899: attr HA_IKE_ATT_SRC (4) len 4*Sep 28 21:27:50.899: 04 00 00 05*Sep 28 21:27:50.899: attr HA_IKE_ATT_DST (5) len 4*Sep 28 21:27:50.899: 04 00 00 03*Sep 28 21:27:50.899: attr HA_IKE_ATT_PEER_PORT (6) len 2*Sep 28 21:27:50.899: 01 F4*Sep 28 21:27:50.899: attr HA_IKE_ATT_F_VRF (7) len 1*Sep 28 21:27:50.899: 00*Sep 28 21:27:50.899: attr HA_IKE_ATT_INIT_OR_RESP (8) len 1*Sep 28 21:27:50.899: 00*Sep 28 21:27:50.899: attr HA_IKE_ATT_NAT_DISCOVERY (9) len 1*Sep 28 21:27:50.899: 02*Sep 28 21:27:50.899: attr HA_IKE_ATT_IDTYPE (38) len 1*Sep 28 21:27:50.899: 01*Sep 28 21:27:50.899: attr HA_IKE_ATT_PROTOCOL (39) len 1*Sep 28 21:27:50.899: 11*Sep 28 21:27:50.899: attr HA_IKE_ATT_PORT (40) len 2*Sep 28 21:27:50.899: 01 F4*Sep 28 21:27:50.899: attr HA_IKE_ATT_ADDR (41) len 4*Sep 28 21:27:50.899: 04 00 00 05*Sep 28 21:27:50.899: attr HA_IKE_ATT_MASK (42) len 4*Sep 28 21:27:50.899: 00 00 00 00*Sep 28 21:27:50.899: attr HA_IKE_ATT_ID_STR (44) len 4*Sep 28 21:27:50.899: 00 00 00 00*Sep 28 21:27:50.899: attr HA_IKE_ATT_PEERS_CAPABILITIES (11) len 4*Sep 28 21:27:50.899: 00 00 07 7F*Sep 28 21:27:50.899: attr HA_IKE_ATT_MY_CAPABILITIES (12) len 4*Sep 28 21:27:50.899: 00 00 07 7F*Sep 28 21:27:50.899: attr HA_IKE_ATT_STATE_MASK (13) len 4*Sep 28 21:27:50.899: 00 00 27 FF...Related Commands
debug crypto ipsec ha
Enables debugging messages for IPSec high availability.
debug crypto isakmp ha
Enables debugging messages for ISAKMP high availability.
debug crypto ipsec ha
To enable debugging messages for IP Security (IPSec) high availability, use the debug crypto ipsec ha command in privileged EXEC mode. To disable debugging messages, use the no form of this command.
debug crypto ipsec ha [detail | update]
no debug crypto ipsec ha [detail | update]
Syntax Description
detail
(Optional) Displays detailed debug information.
update
(Optional) Displays updates for inbound and outbound related data.
Command Modes
Privileged EXEC
Command History
Examples
The following example is sample output of the debug crypto ipsec ha command for both the active and stanby router:
Active RouterRouter# debug crypto ipsec haCrypto IPSEC High Availability debugging is on*Sep 29 17:03:01.851:IPSec HA (crypto_ha_ipsec_notify_add_sa):called*Sep 29 17:03:01.851:IPSec HA (crypto_ha_ipsec_notify_add_sa):New IPsec SA added... notifying HA MgrStandby RouterRouter# debug crypto ipsec haCrypto IPSEC High Availability debugging is onvrf-lite-R1#*Sep 29 17:03:01.031:IPSec HA (crypto_ha_ipsec_mgr_recv_add_sas):HA mgr wants to insert the following bundle*Sep 29 17:03:01.031:IPSec HA (crypto_ha_ipsec_mgr_recv_add_sas):This SA Supports DPD*Sep 29 17:03:01.031:IPSec HA (crypto_ha_ipsec_gen_sa):Sending Kei to IPSec num_kei 2*Sep 29 17:03:01.039:IPSec HA (crypto_ha_ipsec_notify_add_sa):called*Sep 29 17:03:01.039:IPSec HA (crypto_ha_ipsec_notify_add_sa):operation not performed as standby ip 4.0.0.3The following example is sample debug output with the detail keyword:
Active Router*Sep 29 17:05:48.803:IPSec HA (crypto_ha_ipsec_mgr_set_state_common):called for vip 4.0.0.3*Sep 29 17:06:11.655:IPSec HA (crypto_ha_ipsec_mgr_bulk_sync_sas):Bulk sync request from standby for local addr 4.0.0.3*Sep 29 17:06:44.059:IPSec HA (crypto_ha_ipsec_notify_add_sa):called*Sep 29 17:06:44.059:IPSec HA (crypto_ha_ipsec_notify_add_sa):New IPsec SA added... notifying HA MgrStandby RouterRouter# debug crypto ipsec ha detailCrypto IPSEC High Availability Detail debugging is onvrf-lite-R1#*Sep 29 17:06:44.063:IPSec HA (crypto_ha_ipsec_mgr_recv_add_sas):HA mgr wants to insert the following bundle*Sep 29 17:06:44.063:IPSec HA (crypto_ha_ipsec_mgr_recv_add_sas):This SA Supports DPD*Sep 29 17:06:44.063:IPSec HA (crypto_ha_ipsec_gen_sa):Sending Kei to IPSec num_kei 2*Sep 29 17:06:44.071:IPSec HA (crypto_ha_ipsec_notify_add_sa):called*Sep 29 17:06:44.071:IPSec HA (crypto_ha_ipsec_notify_add_sa):operation not performed as standby ip 4.0.0.3The following example is sample debug output with the update keyword:
Active Router*Sep 29 17:27:30.839:IPSec HA(check_and_send_replay_update):Replay triggered update seq_num 1000 last-sent 0 dir inbound*Sep 29 17:27:30.839:IPSec HA(create_update_struct):Sending inbound update*Sep 29 17:27:30.839:IPSec HA(send_update_struct):Outbound - New KB 0, New replay 0Inbound - New KB 3998772, New replay 1000*Sep 29 17:29:30.883:IPSec HA(check_and_send_replay_update):Replay triggered update seq_num 2000 last-sent 1000 dir inbound*Sep 29 17:29:30.883:IPSec HA(create_update_struct):Sending inbound update*Sep 29 17:29:30.883:IPSec HA(send_update_struct):Outbound - New KB 0, New replay 0Inbound - New KB 3998624, New replay 2000*Sep 29 17:30:30.899:IPSec HA(check_and_send_replay_update):Replay triggered update seq_num 3000 last-sent 2000 dir inbound*Sep 29 17:30:30.899:IPSec HA(create_update_struct):Sending inbound update*Sep 29 17:30:30.899:IPSec HA(send_update_struct):Outbound - New KB 0, New replay 0Inbound - New KB 3998476, New replay 3000*Sep 29 17:32:30.943:IPSec HA(check_and_send_replay_update):Replay triggered update seq_num 4000 last-sent 3000 dir inbound*Sep 29 17:32:30.943:IPSec HA(create_update_struct):Sending inbound update*Sep 29 17:32:30.943:IPSec HA(send_update_struct):Outbound - New KB 0, New replay 0Inbound - New KB 3998327, New replay 4000Standby Router*Sep 29 17:27:28.887:IPSec HA(crypto_ha_ipsec_mgr_recv_update_sa):called*Sep 29 17:27:28.887:IPSec HA(crypto_ha_ipsec_mgr_recv_update_sa):UPDATING INBOUND SA:ip = 4.0.0.3, protocol = 50, spi = B8A47EC9,NEW KB LIFE = 3998772,NEW REPLAY WINDOW START = 1000,*Sep 29 17:29:28.915:IPSec HA(crypto_ha_ipsec_mgr_recv_update_sa):called*Sep 29 17:29:28.915:IPSec HA(crypto_ha_ipsec_mgr_recv_update_sa):UPDATING INBOUND SA:ip = 4.0.0.3, protocol = 50, spi = B8A47EC9,NEW KB LIFE = 3998624,NEW REPLAY WINDOW START = 2000,*Sep 29 17:30:28.939:IPSec HA(crypto_ha_ipsec_mgr_recv_update_sa):called*Sep 29 17:30:28.939:IPSec HA(crypto_ha_ipsec_mgr_recv_update_sa):UPDATING INBOUND SA:ip = 4.0.0.3, protocol = 50, spi = B8A47EC9,NEW KB LIFE = 3998476,NEW REPLAY WINDOW START = 3000,*Sep 29 17:32:28.955:IPSec HA(crypto_ha_ipsec_mgr_recv_update_sa):called*Sep 29 17:32:28.955:IPSec HA(crypto_ha_ipsec_mgr_recv_update_sa):UPDATING INBOUND SA:ip = 4.0.0.3, protocol = 50, spi = B8A47EC9,NEW KB LIFE = 3998327,NEW REPLAY WINDOW START = 4000,Related Commands
debug crypto ha
Displays crypto high availability debugging information.
debug crypto isakmp ha
Enables debugging messages for ISAKMP high availability.
debug crypto isakmp ha
To enable debugging messages for Internet Security Association and Key Management Protocol (ISAKMP) high availability, use the debug crypto isakmp ha command in privileged EXEC mode. To disable debugging messages, use the no form of this command.
debug crypto isakmp ha [detail]
no debug crypto isakmp ha [detail]
Syntax Description
Command Modes
Privileged EXEC
Command History
Examples
The following example is sample output for a standby router from the debug crypto isakmp ha command:
Active Routerno debug messageStandby RouterRouter# debug crypto isakmp haCrypto ISAKMP High Availability debugging is onvrf-lite-R1#*Sep 28 21:54:41.815:IKE HA:(4.0.0.3) Adding STANDBY IKE SA*Sep 28 21:54:41.843:IKE HA:Create peer struct for local 4.0.0.3 remote 4.0.0.5 & locked*Sep 28 21:54:41.843:IKE HA:IKE SA inserted on standby with src = 4.0.0.5, dst = 4.0.0.3The following example is displayed when the detail keyword is issued. (Note that debug output without issuing the detail keyword is the same as the debug output with detail keyword.)
Active RouterRouter# debug crypto isakmp ha detailCrypto ISAKMP High Availability detailed debugging is onvrf-lite-R1#*Sep 29 16:59:15.035:IKE HA:IKE SA is already failed overStandby RouterRouter# debug crypto isakmp ha detailCrypto ISAKMP High Availability detailed debugging is onvrf-lite-R2#*Sep 29 16:59:14.371:IKE HA:(4.0.0.3) Adding STANDBY IKE SA*Sep 29 16:59:14.411:IKE HA:Create peer struct for local 4.0.0.3 remote 4.0.0.5 & locked*Sep 29 16:59:14.411:IKE HA:IKE SA inserted on standby with src = 4.0.0.5, dst = 4.0.0.3Related Commands
debug crypto ha
Displays crypto high availability debugging information.
debug crypto ipsec ha
Enables debugging messages for IPSec high availability.
local-ip (IPC transport-SCTP local)
To define at least one local IP address that is used to communicate with the local peer, use the local-ip command in IPC transport-SCTP local configuration mode. To remove one or all IP addresses from your configuration, use the no form of this command.
local-ip device-real-ip-address [device-real-ip-address2]
no local-ip device-real-ip-address [device-real-ip-address2]
Syntax Description
Defaults
No IP addresses are defined; thus, peers cannot communicate with the local peer.
Command Modes
IPC transport-SCTP local configuration
Command History
Usage Guidelines
Use the local-ip command to help associate Stream Control Transmission Protocol (SCTP) as the transport protocol between the local and remote peer.
This command is part of a suite of commands used to configure the Stateful Switchover (SSO) protocol. SSO is necessary for IP Security (IPSec) and Internet Key Exchange (IKE) to learn about the redundancy state of the network and to synchronize their internal application state with their redundant peers.
Examples
The following example shows how to enable SSO:
!redundancy inter-devicescheme standby HA-in!!ipc zone defaultassociation 1no shutdownprotocol sctplocal-port 5000local-ip 10.0.0.1remote-port 5000remote-ip 10.0.0.2Related Commands
local-port
To define the local Stream Control Transmission Protocol (SCTP) port that is used to communicate with the redundant peer, use the local-port command in SCTP protocol configuration mode. .
local-port local-port-number
Syntax Description
local-port-number
Local port number, which should be the same as the remote port number on the peer router (which is specified via the remote-port command).
Defaults
A local SCTP port is not defined.
Command Modes
SCTP protocol configuration
Command History
Usage Guidelines
The local-port command enters IPC transport-SCTP local configuration mode, which allows you to specify at least one local IP address (via the local-ip command) that is used to communicate with the redundant peer.
Examples
The following example shows how to enable Stateful Switchover (SSO):
!redundancy inter-devicescheme standby HA-in!!ipc zone defaultassociation 1no shutdownprotocol sctplocal-port 5000local-ip 10.0.0.1remote-port 5000remote-ip 10.0.0.2Related Commands
redundancy inter-device
To enter inter-device configuration mode, use the redundancy inter-device command in global configuration mode. To exit inter-device configuration mode, use the exit command. To remove all inter-device configuration, use the no form of this command.
redundancy inter-device
no redundancy inter-device
Syntax Description
This command has no arguments or keywords.
Defaults
If this command is not enabled, you cannot configure stateful failover for IPSec.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the redundancy inter-device command to enter inter-device configuration mode, which allows you to enable and protect Stateful Switchover (SSO) traffic.
Examples
The following example shows how to issue the redundancy inter-device command when enabling SSO:
redundancy inter-devicescheme standby HA-in!!ipc zone defaultassociation 1no shutdownprotocol sctplocal-port 5000local-ip 10.0.0.1remote-port 5000remote-ip 10.0.0.2!The following example shows how to issue the redundancy inter-device command when configuring SSO traffic protection:
crypto ipsec transform-set trans2 ah-md5-hmac esp-aes!crypto ipsec profile sso-secureset transform-set trans2!redundancy inter-devicescheme standby HA-insecurity ipsec sso-secureRelated Commands
redundancy stateful
To configure stateful failover for tunnels using IP Security (IPSec), use the redundancy stateful command in crypto map configuration mode. To disable stateful failover for tunnel protection, use the no form of this command.
redundancy standby-group-name stateful
no redundancy standby-group-name stateful
Syntax Description
Defaults
Stateful failover is not enabled for IPSec tunnels.
Command Modes
Crypto map configuration
Command History
Usage Guidelines
The redundancy stateful command uses an existing IPSec profile (which is specified via the crypto ipsec profile command) to configure IPSec stateful failover for tunnel protection. (You do not configure the tunnel interface as you would with a crypto map configuration.) IPSec stateful failover enables you to define a backup IPSec peer (secondary) to take over the tasks of the active (primary) router if the active router is deemed unavailable.
The tunnel source address must be a VIP address, and it must not be an interface name.
Examples
The following example shows how to configure stateful failover for tunnel protection:
crypto ipsec profile peer-profileredundancy HA-out statefulinterface Tunnel1ip unnumbered Loopback0tunnel source 209.165.201.3tunnel destination 10.0.0.5tunnel protection ipsec profile peer-profile!interface Ethernet0/0ip address 209.165.201.1 255.255.255.224standby 1 ip 209.165.201.3standby 1 name HA-outRelated Commands
crypto ipsec profile
Defines the IPSec parameters that are to be used for IPSec encryption between two routers and enters crypto map configuration mode.
remote-ip (IPC transport-SCTP remote)
To define at least one IP address of the redundant peer that is used to communicate with the local device, use the remote-ip command in IPC transport-SCTP remote configuration mode. To remove one or all IP addresses from your configuration, use the no form of this command.
remote-ip peer-real-ip-address [peer-real-ip-address2]
no remote-ip peer-real-ip-address [peer-real-ip-address2]
Syntax Description
Defaults
No IP addresses are defined.
Command Modes
IPC transport-SCTP remote configuration
Command History
Usage Guidelines
Use the remote-ip command to help associate Stream Control Transmission Protocol (SCTP) as the transport protocol between the local and remote peer.
This command is part of a suite of commands used to configure the Stateful Switch Over (SSO) protocol. SSO is necessary for IP Security (IPSec) and Internet Key Exchange (IKE) to learn about the redundancy state of the network and to synchronize their internal application state with their redundant peers.
Examples
The following example shows how to enable SSO:
redundancy inter-devicescheme standby HA-in!!ipc zone defaultassociation 1no shutdownprotocol sctplocal-port 5000local-ip 10.0.0.1remote-port 5000remote-ip 10.0.0.2Related Commands
remote-port
To define the remote Stream Control Transmission Protocol (SCTP) port that is used to communicate with the redundant peer, use the remote-port command in SCTP protocol configuration mode.
remote-port remote-port-number
Syntax Description
remote-port-number
Remote port number, which should be the same as the local port number on the peer router (which is specified via the local-port command).
Defaults
A remote SCTP port is not defined.
Command Modes
SCTP protocol configuration
Command History
Usage Guidelines
The remote-port command enters IPC transport-SCTP remote configuration mode, which allows you to specify at least one remote IP address (via the remote-ip command) that is used to communicate with the redundant peer.
Examples
The following example shows how to enable Stateful Switchover (SSO):
redundancy inter-devicescheme standby HA-in!!ipc zone defaultassociation 1no shutdownprotocol sctplocal-port 5000local-ip 10.0.0.1remote-port 5000remote-ip 10.0.0.2Related Commands
scheme
To define the redundancy scheme that is used between two devices, use the scheme command in inter-device configuration mode. To disable the redundancy scheme, use the no form of this command.
scheme standby standby-group-name
no scheme standby standby-group-name
Syntax Description
Defaults
A redundancy scheme is not specified.
Command Modes
Inter-device configuration
Command History
Usage Guidelines
Only the active or standby state of the standby group is used for Stateful Switchover (SSO). The virtual IP (VIP) address of the standby group is not required or used by SSO. Also, the standby group does not have to be part of any crypto map configuration.
Examples
The following example shows how to enable SSO and define the standby scheme that is to be used by the active and standby devices:
redundancy inter-devicescheme standby HA-in!!ipc zone defaultassociation 1no shutdownprotocol sctplocal-port 5000local-ip 10.0.0.1remote-port 5000remote-ip 10.0.0.2Related Commands
security ipsec
To apply a previously configured IP Security (IPSec) profile to the redundancy group communications, use the security ipsec command in inter-device configuration mode. To remove the IPSec profile from the configuration, use the no form of this command.
security ipsec profile-name
no security [ipsec [profile-name]]
Syntax Description
Defaults
The redundancy group is not secured.
Command Modes
Inter-device configuration
Command History
Usage Guidelines
The security ipsec command allows you to secure a redundancy group via a previously configured IPSec profile. If you are certain that the Stateful Switchover (SSO) traffic between the redundancy group runs on a physically secure interface, you do not have to configure this command.
Note
Examples
The following example shows how to configure SSO traffic protection:
crypto ipsec transform-set trans2 ah-md5-hmac esp-aes!crypto ipsec profile sso-secureset transform-set trans2!redundancy inter-devicescheme standby HA-insecurity ipsec sso-secureRelated Commands
show crypto ha
To display all virtual IP (VIP) addresses that are currently in use by IP Security (IPSec) and Internet Key Exchange (IKE), use the show crypto ha command in privileged EXEC mode.
show crypto ha
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Examples
The following output from the show crypto ha command shows all VIP addresses that are being used by IPSec and IKE:
Router# show crypto haIKE VIP: 209.165.201.3stamp: 74 BA 70 27 9C 4F 7F 81 3A 70 13 C9 65 22 E7 76IKE VIP: 255.255.255.253stamp: Not setIKE VIP: 255.255.255.254stamp: Not setIPSec VIP: 209.165.201.3IPSec VIP: 255.255.255.253IPSec VIP: 255.255.255.254show crypto ipsec sa
To display the settings used by current security associations (SAs), use the show crypto ipsec sa command in privileged EXEC mode.
show crypto ipsec sa [map map-name | address | identity | interface interface | peer [vrf fvrf-name] address | vrf ivrf-name] [detail]
IPSec and IKE Stateful Failover Syntax
show crypto ipsec sa [active | standby]
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
If no keyword is used, all SAs are displayed. They are sorted first by interface, and then by traffic flow (for example, source or destination address, mask, protocol, or port). Within a flow, the SAs are listed by protocol (ESP or AH) and direction (inbound or outbound).
Examples
The following is sample output for the show crypto ipsec sa command:
Router# show crypto ipsec sa vrf vpn2interface: Ethernet1/2Crypto map tag: ra, local addr. 172.16.1.1protected vrf: vpn2local ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)remote ident (addr/mask/prot/port): (10.4.1.4/255.255.255.255/0/0)current_peer: 10.1.1.1:500PERMIT, flags={}#pkts encaps: 0, #pkts encrypt: 0, #pkts digest 0#pkts decaps: 0, #pkts decrypt: 0, #pkts verify 0#pkts compressed: 0, #pkts decompressed: 0#pkts not compressed: 0, #pkts compr. failed: 0#pkts not decompressed: 0, #pkts decompress failed: 0#send errors 0, #recv errors 0local crypto endpt.: 172.16.1.1, remote crypto endpt.: 10.1.1.1path mtu 1500, media mtu 1500current outbound spi: 50110CF8inbound esp sas:spi: 0xA3E24AFD(2749516541)transform: esp-3des esp-md5-hmac ,in use settings ={Tunnel, }slot: 0, conn id: 5127, flow_id: 7, crypto map: rasa timing: remaining key lifetime (k/sec): (4603517/3503)IV size: 8 bytesreplay detection support: Yinbound ah sas:inbound pcp sas:outbound esp sas:spi: 0x50110CF8(1343294712)transform: esp-3des esp-md5-hmac ,in use settings ={Tunnel, }slot: 0, conn id: 5128, flow_id: 8, crypto map: rasa timing: remaining key lifetime (k/sec): (4603517/3502)IV size: 8 bytesreplay detection support: Youtbound ah sas:outbound pcp sas:The following configuration was in effect when the above show crypto ipsec sa vrf command was issued. The IPSec remote access tunnel was "UP" when this command was issued.
crypto dynamic-map vpn1 1set transform-set vpn1set isakmp-profile vpn1-rareverse-route!crypto dynamic-map vpn2 1set transform-set vpn2set isakmp-profile vpn2-rareverse-route!!crypto map ra 1 ipsec-isakmp dynamic vpn1crypto map ra 2 ipsec-isakmp dynamic vpn2
IPSec and IKE Stateful Failover Examples
The following sample output shows the IPSec SA status of only the active device:
Router# show crypto ipsec sa activeinterface: Ethernet0/0Crypto map tag: to-peer-outside, local addr 209.165.201.3protected vrf: (none)local ident (addr/mask/prot/port): (192.168.0.1/255.255.255.255/0/0)remote ident (addr/mask/prot/port): (172.16.0.1/255.255.255.255/0/0)current_peer 209.165.200.225 port 500PERMIT, flags={origin_is_acl,}#pkts encaps: 3, #pkts encrypt: 3, #pkts digest: 3#pkts decaps: 4, #pkts decrypt: 4, #pkts verify: 4#pkts compressed: 0, #pkts decompressed: 0#pkts not compressed: 0, #pkts compr. failed: 0#pkts not decompressed: 0, #pkts decompress failed: 0#send errors 0, #recv errors 0local crypto endpt.: 209.165.201.3, remote crypto endpt.: 209.165.200.225path mtu 1500, media mtu 1500current outbound spi: 0xD42904F0(3559458032)inbound esp sas:spi: 0xD3E9ABD0(3555306448)transform: esp-3des ,in use settings ={Tunnel, }conn id: 2006, flow_id: 6, crypto map: to-peer-outsidesa timing: remaining key lifetime (k/sec): (4586265/3542)HA last key lifetime sent(k): (4586267)ike_cookies: 9263635C CA4B4E99 C14E908E 8EE2D79CIV size: 8 bytesreplay detection support: YStatus: ACTIVEThe following sample output shows the IPSec SA status of only the standby device:
Router# show crypto ipsec sa standbyinterface: Ethernet0/0Crypto map tag: to-peer-outside, local addr 209.165.201.3protected vrf: (none)local ident (addr/mask/prot/port): (192.168.0.1/255.255.255.255/0/0)remote ident (addr/mask/prot/port): (172.16.0.1/255.255.255.255/0/0)current_peer 209.165.200.225 port 500PERMIT, flags={origin_is_acl,}#pkts encaps: 0, #pkts encrypt: 0, #pkts digest: 0#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0#pkts compressed: 0, #pkts decompressed: 0#pkts not compressed: 0, #pkts compr. failed: 0#pkts not decompressed: 0, #pkts decompress failed: 0#send errors 0, #recv errors 0local crypto endpt.: 209.165.201.3, remote crypto endpt.: 209.165.200.225path mtu 1500, media mtu 1500current outbound spi: 0xD42904F0(3559458032)inbound esp sas:spi: 0xD3E9ABD0(3555306448)transform: esp-3des ,in use settings ={Tunnel, }conn id: 2012, flow_id: 12, crypto map: to-peer-outsidesa timing: remaining key lifetime (k/sec): (4441561/3486)HA last key lifetime sent(k): (4441561)ike_cookies: 00000000 00000000 00000000 00000000IV size: 8 bytesreplay detection support: YStatus: STANDBYinbound ah sas:spi: 0xF3EE3620(4092474912)transform: ah-md5-hmac ,in use settings ={Tunnel, }conn id: 2012, flow_id: 12, crypto map: to-peer-outsidesa timing: remaining key lifetime (k/sec): (4441561/3486)HA last key lifetime sent(k): (4441561)ike_cookies: 00000000 00000000 00000000 00000000replay detection support: YStatus: STANDBYinbound pcp sas:outbound esp sas:spi: 0xD42904F0(3559458032)transform: esp-3des ,in use settings ={Tunnel, }conn id: 2011, flow_id: 11, crypto map: to-peer-outsidesa timing: remaining key lifetime (k/sec): (4441561/3485)HA last key lifetime sent(k): (4441561)ike_cookies: 00000000 00000000 00000000 00000000IV size: 8 bytesreplay detection support: YStatus: STANDBYoutbound ah sas:spi: 0x75251086(1965363334)transform: ah-md5-hmac ,in use settings ={Tunnel, }conn id: 2011, flow_id: 11, crypto map: to-peer-outsidesa timing: remaining key lifetime (k/sec): (4441561/3485)HA last key lifetime sent(k): (4441561)ike_cookies: 00000000 00000000 00000000 00000000replay detection support: YStatus: STANDBYoutbound pcp sas:
show crypto isakmp sa
To display current Internet Key Exchange (IKE) security associations (SAs), use the show crypto isakmp sa command in privileged EXEC mode.
show crypto isakmp sa [active | standby]
Syntax Description
active
(Optional) All existing IKE SAs that are in an active state are displayed.
standby
(Optional) All existing IKE SAs that are in standby state are displayed.
Command Modes
Privileged EXEC
Command History
11.3 T
This command was introduced.
12.3(11)T
The active and standby keywords were added.
Usage Guidelines
If neither the active keyword nor the standby keyword are specified, current SAs for all configured routers will be shown.
Examples
The following sample output shows the SAs of both the active and standby devices:
Router# show crypto isakmp sadst src state conn-id slot status209.165.201.3 209.165.200.225 QM_IDLE 2 0 STDBY10.0.0.1 10.0.0.2 QM_IDLE 1 0 ACTIVEThe following sample output shows the SAs of only the active device:
Router# show crypto isakmp sa activedst src state conn-id slot status209.165.201.3 209.165.200.225 QM_IDLE 5 0 ACTIVEThe following sample output shows the SAs of only the standby device:
Router# show crypto isakmp sa standbydst src state conn-id slot status209.165.201.3 209.165.200.225 QM_IDLE 5 0 STDBY209.165.201.3 209.165.200.225 QM_IDLE 1 0 STDBYTable 2 through Table 5 show the various states that may be displayed in the output of the show crypto isakmp sa command. When an Internet Security Association and Key Management Protocol (ISAKMP) SA exists, it will most likely be in its quiescent state (QM_IDLE). For long exchanges, some of the MM_xxx states may be observed.
Related Commands
crypto isakmp policy
Defines an IKE policy.
lifetime (IKE policy)
Specifies the lifetime of an IKE SA.
show crypto session
To display status information for active crypto sessions, use the show crypto session command in privileged EXEC mode.
show crypto session [detail] | [local ip-address [port local-port] [remote ip-address [port remote-port]] [detail]] | [fvfr vrf-name] [ivrf vrf-name] [detail]
IPSec and IKE Stateful Failover Syntax
show crypto session [active | standby]
Syntax Description
Defaults
If the show crypto session command is entered without any keywords, all existing sessions will be displayed. Port default values are 500.
Command Modes
Privileged EXEC
Command History
12.3(4)T
This command was introduced.
12.3(11)T
The active and standby keywords were added.
Usage Guidelines
You can get a list of all the active Virtual Private Network (VPN) sessions and of the IKE and IPSec SAs for each VPN session by entering the show crypto session command. The listing will include the following:
•
•
•
•
Multiple IKE or IPSec SAs may be established for the same peer (for the same session), in which case IKE peer descriptions will be repeated with different values for the IKE SAs that are associated with the peer and for the IPSec SAs that are serving the flows of the session.
Examples
The following example shows active VPN sessions:
Router# show crypto session detailCrypto session current statusCode: C - IKE Configuration mode, D - Dead Peer DetectionK - Keepalives, N - NAT-traversal, X - IKE Extended AuthenticationInterface: Ethernet1/0Session status: UP-NO-IKEPeer: 10.2.80.179/500 fvrf: (none) ivrf: (none)Desc: My-manual-keyed-peerPhase1_id: 10.2.80.179IPSEC FLOW: permit ip host 10.2.80.190 host 10.2.80.179Active SAs: 4, origin: manual-keyed crypto mapInbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0Interface: Ethernet1/2Session status: DOWNPeer: 10.1.1.1/500 fvrf: (none) ivrf: (none)Desc: SJC24-2-VPN-GatewayPhase1_id: 10.1.1.1IPSEC FLOW: permit ip host 10.2.2.3 host 10.2.2.2Active SAs: 0, origin: crypto mapInbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0IPSEC FLOW: permit ip 10.2.0.0/255.255.0.0 10.4.0.0/255.255.0.0Active SAs: 0, origin: crypto mapInbound: #pkts dec'ed 0 drop 0 life (KB/Sec) 0/0Outbound: #pkts enc'ed 0 drop 0 life (KB/Sec) 0/0Interface: Serial2/0.17Session status: UP-ACTIVEPeer: 10.1.1.5/500 fvrf: (none) ivrf: (none)Desc: (none)Phase1_id: 10.1.1.5IKE SA: local 10.1.1.5/500 remote 10.1.1.5/500 ActiveCapabilities:(none) connid:1 lifetime:00:59:51IPSEC FLOW: permit ip host 10.1.1.5 host 10.1.2.5Active SAs: 2, origin: dynamic crypto mapInbound: #pkts dec'ed 4 drop 0 life (KB/Sec) 20085/171Outbound: #pkts enc'ed 4 drop 0 life (KB/Sec) 20086/171Table 6 describes the significant fields shown in the display.
Table 6 show crypto isakmp peer Field Descriptions
Interface
Interface to which the crypto session is related.
Session status
Current status of the crypto (VPN) sessions. See Table 7 for the status of the IKE SA, IPSec SA, and tunnel as shown in the display.
IKE SA
Information is provided about the IKE SA, such as local and remote address and port, SA status, SA capabilities, crypto engine connection ID, and remaining lifetime of the IKE SA.
IPSEC FLOW
A snapshot of information about the IPSec-protected traffic flow, such as what the flow is (for example, permit ip host 10.1.1.5 host 10.1.2.5); how many IPSec SAs there are; the origin of the SA, such as manual keyed, dynamic, or static crypto map; the number of encrypted or decrypted packets or dropped packets; and the IPSec SA remaining lifetime in kilobytes per second.
Table 7 provides an explanation of the current status of the VPN sessions shown in the display.
Note
The following sample output shows all crypto sessions that are in the standby state:
Router# show crypto session standbyCrypto session current statusInterface: Ethernet0/0Session status: UP-STANDBYPeer: 209.165.200.225 port 500IKE SA: local 209.165.201.3/500 remote 209.165.200.225/500 ActiveIKE SA: local 209.165.201.3/500 remote 209.165.200.225/500 ActiveIPSEC FLOW: permit ip host 192.168.0.1 host 172.16.0.1Active SAs: 4, origin: crypto mapRelated Commands
clear crypto session
Deletes crypto sessions (IPSec and IKE SAs).
description
Adds a description for an IKE peer.
show crypto isakmp peer
Displays peer descriptions.
show redundancy
To display current or historical status and related information on planned or logged handovers, use the show redundancy command in privileged EXEC mode.
show redundancy [clients | counters | debug-log | handover | history | states | inter-device]
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Cisco AS5800: Use this command from the router-shelf console to determine when failover is enabled. Use this command with the history keyword to log failover events.
Cisco AS5850: To use this command, you must have two route-switch-controller (RSC) cards installed and you must be connected to one of them.
Examples
The following is sample output from the show redundancy handover and show redundancy states commands on a Cisco AS5850:
Router# show redundancy handoverNo busyout period specifiedHandover pending at 23:00:00 PDT Wed May 9 2001Router# show redundancy statesmy state = 14 -ACTIVE_EXTRALOADpeer state = 4 -STANDBY COLDMode = DuplexUnit = Preferred PrimaryUnit ID = 6Redundancy Mode = Handover-split: If one RSC fails, the peer RSC will take over the feature boardsMaintenance Mode = DisabledManual Swact = Disabled Reason: Progression in progressCommunications = Upclient count = 3client_notification_TMR = 30000 millisecondskeep_alive TMR = 4000 millisecondskeep_alive count = 1keep_alive threshold = 7RF debug mask = 0x0The following is sample output from the show redundancy command on a Cisco AS5800:
Router# show redundancyDSC in slot 12:Hub is in 'active' state.Clock is in 'active' state.DSC in slot 13:Hub is in 'backup' state.Clock is in 'backup' state.The following is sample output from the show redundancy history command on a Cisco AS5800:
Router# show redundancy historyDSC Redundancy Status Change History:981130 18:56 Slot 12 DSC: Hub, becoming active - RS instruction981130 19:03 Slot 12 DSC: Hub, becoming active - D13 orderThe following is sample output from two Cisco AS5800 router shelves configured as a failover pair. The active router shelf is initially RouterA. The show redundancy history and show redundancy commands have been issued. The show redundancy command shows that failover is enabled, shows the configured group number, and shows that this router shelf is the active one of the pair. Compare this output with that from the backup router shelf (RouterB) further below.
Note
show redundancy history command is issued after failover has occurred.Log from the First Router (RouterA)
RouterA# show redundancy historyDSC Redundancy Status Change History:010215 18:17 Slot -1 DSC:Failover configured -> ACTIVE role by default.010215 18:18 Slot -1 DSC:Failover -> BACKUP role.010215 18:18 Slot 12 DSC:Failover -> ACTIVE role.010215 18:18 Slot 12 DSC:Hub, becoming active - arb timeoutRouterA# show redundancyfailover mode enabled, failover group = 32Currently ACTIVE role.DSC in slot 12:Hub is in 'active' state.Clock is in 'active' state.No connection to slot 13RouterA# reloadProceed with reload? [confirm] y*Feb 15 20:19:11.059:%SYS-5-RELOAD:Reload requestedSystem Bootstrap, Version xxxCopyright xxx by cisco Systems, Inc.C7200 processor with 131072 Kbytes of main memoryLog from the Second Router (RouterB)
RouterB# show redundancyfailover mode enabled, failover group = 32Currently BACKUP role.No connection to slot 12DSC in slot 13:Hub is in 'backup' state.Clock is in 'backup' state.*Feb 16 03:24:53.931:%DSC_REDUNDANCY-3-BICLINK:Switching to DSC 13*Feb 16 03:24:53.931:%DSC_REDUNDANCY-3-BICLINK:Failover:changing to active mode*Feb 16 03:24:54.931:%DIAL13-3-MSG:02:32:06:%DSC_REDUNDANCY-3-EVENT:Redundancy event:LINK_FAIL from other DSC*Feb 16 03:24:55.491:%OIR-6-INSCARD:Card inserted in slot 12, interfaces administratively shut down*Feb 16 03:24:58.455:%DIAL13-3-MSG:02:32:09:%DSC_REDUNDANCY-3-EVENT:Redundancy event:LINK_FAIL from other DSC*Feb 16 03:25:04.939:%DIAL13-0-MSG:RouterB# show redundancyfailover mode enabled, failover group = 32Currently ACTIVE role.No connection to slot 12DSC in slot 13:Hub is in 'active' state.Clock is in 'backup' state.RouterB# show redundancy historyDSC Redundancy Status Change History:010216 03:09 Slot -1 DSC:Failover configured -> BACKUP role.010216 03:24 Slot 13 DSC:Failover -> ACTIVE role.010216 03:24 Slot 13 DSC:Hub, becoming active - D12 linkfail010216 03:24 Slot 13 DSC:Hub, becoming active - D12 linkfail*Feb 16 03:26:14.079:%DSIPPF-5-DS_HELLO:DSIP Hello from shelf 47 slot 1 Succeeded*Feb 16 03:26:14.255:%DSIPPF-5-DS_HELLO:DSIP Hello from shelf 47 slot 3 Succeeded*Feb 16 03:26:14.979:%DSIPPF-5-DS_HELLO:DSIP Hello from shelf 47 slot 10 SucceededRelated Commands
Copyright © 2004 Cisco Systems, Inc. All rights reserved.
