Troubleshooting VPN in IOS HA Scenarios
HA scenarios
Edinson Ramirez M
TL CO VPN
Agenda
• HSRP Review (includes configuration and verification) - 40 minutes
• IPSEC stateful failover (includes configuration and verification) - 20 minutes
• Troubleshooting IPSEC SSO - 45 minutes
HSRP Review
• Hot Standby Router Protocol
• When HSRP is configured on a network or segment, it provides a virtual
Media Access Control (MAC) address and an IP address that is shared
among a group of configured routers.
• Cisco Proprietary
• Two roles: Active and Standby
• HSRP router with highest priority is considered “Active”.
• Default priority = 100
• MAC address: 0000.0c07.acxx. Where xx refers to the group number in
hexadecimal
• Preemption disabled by default
HSRP Versions
• HSRPv1—Version 1 of the HSRP, the default version of HSRP. It has these
features:
– The HSRP group number can be from 0 to 255.
– HSRPv1 uses the multicast address 224.0.0.2 (UDP port 1985) to send hello
packets.
HSRPv2 has a different packet format than HSRPv1. They are not interoperable.
HSRP Packet format
OP Code: The Op Code describes the type of message that the packet contains. Possible values are: 0 - hello, 1 -
coup, and 2 - resign.
Hello: Hello messages are sent to indicate that a router runs HSRP and is able to become the active router.
Coup: Coup messages are sent when a router wishes to become the active router.
Resign: Resign messages are sent when a router no longer wishes to be the active router.
These are details on the individual states: 0 - initial, 1 - learn, 2 - listen, 4 - speak, 8 - standby, and 16 - active.
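A decoder for the packet format described above, added here as an example (not code from the slides): it unpacks the HSRPv1 header on UDP port 1985, names the op code and state using the values listed on the slide, derives the 0000.0c07.acxx virtual MAC from the group number, and checks the hold time against the 5 to 10 times hello-time guidance from the configuration slide. The two sample payloads are constructed for this example; only the VIP 209.165.201.3 and group 1 come from the slides.

```python
import struct
from dataclasses import dataclass

# Slide values: op codes 0/1/2 and the state encoding 0/1/2/4/8/16.
OPCODES = {0: "hello", 1: "coup", 2: "resign"}
STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}
# HSRPv1 fixed header (RFC 2281): version, opcode, state, hellotime, holdtime,
# priority, group, reserved, 8-byte clear-text auth data, 4-byte virtual IP.
HSRP_FMT = "!BBBBBBBB8s4s"
HSRP_LEN = struct.calcsize(HSRP_FMT)  # 20 bytes

# Constructed sample payloads (not captured from the slides): a hello from the active
# router of group 1 with the slide's VIP, and a standby hello with hold < 5x hello.
SAMPLE_HELLO = bytes([0, 0, 16, 1, 5, 100, 1, 0]) + b"cisco\x00\x00\x00" + bytes([209, 165, 201, 3])
SAMPLE_BAD_TIMERS = bytes([0, 0, 8, 3, 10, 100, 1, 0]) + b"cisco\x00\x00\x00" + bytes([209, 165, 201, 3])

@dataclass
class HsrpHello:
    opcode: str
    state: str
    hellotime: int
    holdtime: int
    priority: int
    group: int
    auth: str        # HSRPv1 carries the authentication string in clear text
    virtual_ip: str

    @property
    def virtual_mac(self) -> str:
        # 0000.0c07.acxx with xx = group number in hex (HSRP Review slide).
        return f"0000.0c07.ac{self.group:02x}"

    def timer_warning(self):
        # Configuration slide guidance: hold time should be 5 to 10 times the hello time.
        if self.hellotime == 0 or not 5 * self.hellotime <= self.holdtime <= 10 * self.hellotime:
            return f"holdtime {self.holdtime}s is not 5-10x hellotime {self.hellotime}s"
        return None

def parse_hsrp_v1(payload: bytes) -> HsrpHello:
    """Decode the UDP/1985 payload of an HSRPv1 packet; raises ValueError on malformed input."""
    if len(payload) < HSRP_LEN:
        raise ValueError("HSRPv1 payload too short")
    version, op, state, hello, hold, prio, group, _res, auth, vip = struct.unpack(HSRP_FMT, payload[:HSRP_LEN])
    if version != 0:
        raise ValueError(f"not HSRPv1 (version byte {version})")
    if op not in OPCODES or state not in STATES:
        raise ValueError(f"unknown opcode {op} or state {state}")
    return HsrpHello(OPCODES[op], STATES[state], hello, hold, prio, group,
                     auth.rstrip(b"\x00").decode("ascii", "replace"),
                     ".".join(str(b) for b in vip))
```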
HSRP Router Communication
- Routers that run HSRP communicate HSRP information between each other
through HSRP hello packets.
- These packets are sent to the destination IP multicast address 224.0.0.2 on
User Datagram Protocol (UDP) port 1985 (HSRPv1).
- IP multicast address 224.0.0.2 is a reserved multicast address that is used
to communicate to all routers.
- The active router sources hello packets from its configured IP address and
the HSRP virtual MAC address. The standby router sources hellos from its
configured IP address and the burned-in MAC address (BIA).
- This use of source addressing is necessary so that HSRP routers can
correctly identify each other.
HSRP Router Communication
• Session keys
Note: Each time an active device relinquishes control to become the standby device,
the active device will reload. This functionality ensures that the state of the new
standby device synchronizes correctly with the new active device.
IPSEC stateful failover with SSO configuration tasks
1. Enable HSRP
2. Enable SSO (stateful switch over)
2.1 Enable the inter-device redundancy protocol
2.2 Define Inter-process Communication (IPC) association
2.3 Define the local and remote end points of the SCTP connection
3. Copy the same config in the standby router
4. Reload both devices
5. Enable stateful failover for IPSEC
HSRP Configuration for IPSEC stateful failover
interface Ethernet0/0
 ip address 209.165.201.1 255.255.255.224
 standby 1 ip 209.165.201.3
 standby 1 preempt
 standby 1 name HA-out
 standby 1 timers 1 5
 standby 1 track Ethernet1/0
 standby delay reload 120
Note on standby 1 timers 1 5: For the best stability, it is recommended that you set the hold time between 5 and 10 times the hello interval time; otherwise, a failover could falsely occur when no actual failure has happened.
Note on standby 1 track Ethernet1/0: this tracks the private interface.
Note on standby delay reload 120: It is suggested to leave the min-delay argument at the preconfigured default value.
Stateful Switch Over
• SSO is a method of providing redundancy and synchronization for many Cisco IOS applications and features. SSO is
necessary for IPsec and IKE to learn about the redundancy state of the network and to synchronize their internal
application state with their redundant peers.
• We enable the inter-device redundancy protocol
redundancy inter-device
scheme standby <standby group name>
exit
Upon configuring inter-device redundancy, you may receive this notice on one of the routers:
This simply indicates that this is the standby HSRP router. The router will need to be reloaded before the redundancy
scheme configuration can take effect.
Stateful SwitchOver
• We define an Inter-process Communication (IPC) association. We will start by creating a new association to define the redundancy relationship between R1 and R2 (the enclosing ipc zone, association and protocol sctp commands, and the local-ip/remote-ip lines, are the IOS syntax around the commands shown on the slide):
ipc zone default
 association 1
  no shutdown
  protocol sctp
   local-port local-port-number ! Valid numbers are 1-65535. There is no default port, but it must match the port on the peer.
    local-ip device-real-ip-address ! Real (not HSRP virtual) address of this router
    retransmit-timeout retran-min [msec] retran-max [msec] ! Interval in msec to wait before retransmitting data. Suggested 300-10000
    path-retransmit max-path-retries ! Number of retransmissions before failing a path within an association. Suggested 10
    exit
   remote-port remote-port-number
    remote-ip device-real-ip-address ! Real address of the peer router
   no shutdown
 end
Enabling Stateful Failover for IPsec
For crypto maps:
1. enable
2. configure terminal
3. interface type number
4. crypto map map-name [redundancy standby-group-name [stateful]]
For tunnel protection:
1. enable
2. configure terminal
3. crypto ipsec profile name
4. redundancy standby-group-name stateful
5. exit
Configuration fragments recovered from the three-column example slide (the column headings and some enclosing commands were lost in extraction; the two captures of the slide are merged and duplicates dropped):
IPC association, tracking and keyring:
association 1
 protocol sctp
  local-port 5000
  remote-port 5000
  remote-ip 200.200.200.1
!
track 1 interface Ethernet0/0 line-protocol
crypto keyring tunnel-to-site-2
 pre-shared-key address 50.50.50.2 key cisco
 pre-shared-key address 100.100.100.2 key cisco
ISAKMP profiles, transform set and crypto map entries:
crypto isakmp profile Tunnel-to-Site3
crypto isakmp profile Tunnel-to-Site2
 match identity address 50.50.50.2 255.255.255.255
crypto ipsec transform-set ESP-AES256-SHA-256 esp-aes 256 esp-sha256-hmac
!
 set peer 100.100.100.2
 set transform-set ESP-AES256-SHA-256
!
Interface and access list:
 standby 0 ip 10.0.0.254
 standby 0 name HQ-LAN
 standby 1 track 2 decrement 10
 standby 1 authentication md5 key-string cisco
 ip nat inside
 ip virtual-reassembly in
 crypto map mymap redundancy HQ-WAN stateful
 permit ip 10.0.0.0 0.0.0.255 172.16.0.0 0.0.0.255
 permit ip 192.168.0.0 0.0.0.255 172.16.0.0 0.0.0.255
 permit ip 10.0.0.0 0.0.0.255 192.168.0.0 0.0.0.255
ISAKMP debug output (each slide shows two columns side by side; they are listed here one after the other).
First capture, left column (initiator toward 50.50.50.2):
*May 11 13:33:21.424: ISAKMP:(0): SA request profile is (NULL)
*May 11 13:33:21.424: ISAKMP: Created a peer struct for 50.50.50.2, peer port 500
*May 11 13:33:21.424: ISAKMP: New peer created peer = 0xC30A3F68 peer_handle = 0x80000004
*May 11 13:33:21.424: ISAKMP: Locking peer struct 0xC30A3F68, refcount 1 for isakmp_initiator
*May 11 13:33:21.424: ISAKMP: local port 500, remote port 500
*May 11 13:33:21.424: ISAKMP: set new node 0 to QM_IDLE
*May 11 13:33:21.424: ISAKMP: Find a dup sa in the avl tree during calling isadb_insert sa = C38DCBF0
*May 11 13:33:21.424: ISAKMP:(0):Can not start Aggressive mode, trying Main mode.
*May 11 13:33:21.424: ISAKMP:(0):found peer pre-shared key matching 50.50.50.2
*May 11 13:33:21.424: ISAKMP:(0): constructed NAT-T vendor-rfc3947 ID
*May 11 13:33:21.424: ISAKMP:(0): constructed NAT-T vendor-07 ID
*May 11 13:33:21.424: ISAKMP:(0): constructed NAT-T vendor-03 ID
*May 11 13:33:21.424: ISAKMP:(0): constructed NAT-T vendor-02 ID
*May 11 13:33:21.424: ISAKMP:(0):Input = IKE_MESG_FROM_IPSEC, IKE_SA_REQ_MM
*May 11 13:33:21.424: ISAKMP:(0):Old State = IKE_READY New State = IKE_I_MM1
*May 11 13:33:21.424: ISAKMP:(0): beginning Main Mode exchange
*May 11 13:33:21.424: ISAKMP:(0): sending packet to 50.50.50.2 my_port 500 peer_port 500 (I) MM_NO_STATE
*May 11 13:33:21.424: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 11 13:33:21.435: ISAKMP (0): received packet from 50.50.50.2 dport 500 sport 500 Global (I) MM_NO_STATE
*May 11 13:33:21.435: ISAKMP:(0):Notify has no hash. Rejected.
First capture, right column (responder for 200.200.200.1; phase 1 rejected):
*May 11 13:33:21.430: ISAKMP:(0): processing vendor id payload
*May 11 13:33:21.430: ISAKMP:(0): vendor ID seems Unity/DPD but major 123 mismatch
*May 11 13:33:21.430: ISAKMP:(0): vendor ID is NAT-T v2
*May 11 13:33:21.430: ISAKMP:(0):No pre-shared key with 200.200.200.1!
*May 11 13:33:21.430: ISAKMP : Scanning profiles for xauth ...
*May 11 13:33:21.430: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*May 11 13:33:21.430: ISAKMP: encryption AES-CBC
*May 11 13:33:21.430: ISAKMP: keylength of 256
*May 11 13:33:21.430: ISAKMP: hash SHA256
*May 11 13:33:21.430: ISAKMP: default group 5
*May 11 13:33:21.430: ISAKMP: auth pre-share
*May 11 13:33:21.430: ISAKMP: life type in seconds
*May 11 13:33:21.430: ISAKMP: life duration (basic) of 600
*May 11 13:33:21.430: ISAKMP:(0):Preshared authentication offered but does not match policy!
*May 11 13:33:21.430: ISAKMP:(0):atts are not acceptable. Next payload is 0
*May 11 13:33:21.430: ISAKMP:(0): phase 1 SA policy not acceptable! (local 50.50.50.2 remote 200.200.200.1)
*May 11 13:33:21.430: ISAKMP (0): incrementing error counter on sa, attempt 1 of 5: construct_fail_ag_init
*May 11 13:33:21.430: ISAKMP:(0): Failed to construct AG informational message.
*May 11 13:33:21.430: ISAKMP:(0): sending packet to 200.200.200.1 my_port 500 peer_port 500 (R) MM_NO_STATE
*May 11 13:33:21.430: ISAKMP:(0):Sending an IKE IPv4 Packet.
Second capture, left column (peer 50.50.50.2; attributes accepted):
*May 11 13:59:11.568: ISAKMP: Created a peer struct for 50.50.50.2, peer port 500
*May 11 13:59:11.568: ISAKMP: New peer created peer = 0xC4CA8750 peer_handle = 0x80000005
*May 11 13:59:11.568: ISAKMP:(0):found peer pre-shared key matching 50.50.50.2
*May 11 13:59:11.568: ISAKMP:(0): local preshared key found
*May 11 13:59:11.568: ISAKMP : Scanning profiles for xauth ...
*May 11 13:59:11.568: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*May 11 13:59:11.568: ISAKMP: encryption AES-CBC
*May 11 13:59:11.568: ISAKMP: keylength of 256
*May 11 13:59:11.568: ISAKMP: hash SHA256
*May 11 13:59:11.568: ISAKMP: default group 5
*May 11 13:59:11.568: ISAKMP: auth pre-share
*May 11 13:59:11.568: ISAKMP: life type in seconds
*May 11 13:59:11.568: ISAKMP: life duration (basic) of 600
*May 11 13:59:11.568: ISAKMP:(0):atts are acceptable. Next payload is 0
*May 11 13:59:11.568: ISAKMP:(0):Acceptable atts:actual life: 600
*May 11 13:59:11.568: ISAKMP:(0):Acceptable atts:life: 0
*May 11 13:59:11.568: ISAKMP:(0):Basic life_in_seconds:600
*May 11 13:59:11.568: ISAKMP:(0):Returning Actual lifetime: 600
*May 11 13:59:11.568: ISAKMP:(0)::Started lifetime timer: 600.
Second capture, right column (initiator toward 200.200.200.254; attributes accepted):
*May 11 13:59:11.561: ISAKMP:(0): sending packet to 200.200.200.254 my_port 500 peer_port 500 (I) MM_NO_STATE
*May 11 13:59:11.561: ISAKMP:(0):Sending an IKE IPv4 Packet.
*May 11 13:59:11.573: ISAKMP (0): received packet from 200.200.200.254 dport 500 sport 500 Global (I) MM_NO_STATE
*May 11 13:59:11.573: ISAKMP:(0):found peer pre-shared key matching 200.200.200.254
*May 11 13:59:11.573: ISAKMP:(0): local preshared key found
*May 11 13:59:11.573: ISAKMP : Scanning profiles for xauth ...
*May 11 13:59:11.573: ISAKMP:(0):Checking ISAKMP transform 1 against priority 10 policy
*May 11 13:59:11.573: ISAKMP: encryption AES-CBC
*May 11 13:59:11.573: ISAKMP: keylength of 256
*May 11 13:59:11.573: ISAKMP: hash SHA256
*May 11 13:59:11.573: ISAKMP: default group 5
*May 11 13:59:11.573: ISAKMP: auth pre-share
*May 11 13:59:11.573: ISAKMP: life type in seconds
*May 11 13:59:11.573: ISAKMP: life duration (basic) of 600
*May 11 13:59:11.573: ISAKMP:(0):atts are acceptable. Next payload is 0
*May 11 13:59:11.573: ISAKMP:(0):Acceptable atts:actual life: 0
*May 11 13:59:11.573: ISAKMP:(0):Acceptable atts:life: 0
*May 11 13:59:11.573: ISAKMP:(0):Basic life_in_seconds:600
*May 11 13:59:11.573: ISAKMP:(0):Returning Actual lifetime: 600
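A small triage helper for the debug output above, added here as an example (not a tool from the slides): it scans "debug crypto isakmp" lines for the failure messages that appear in the rejected exchange (missing pre-shared key, policy mismatch, phase 1 rejection, unauthenticated notify), records the peer addresses for which no pre-shared key exists, and notes where phase 1 attributes were accepted, so the failing and succeeding captures can be told apart quickly. The sample lines are a constructed subset in the shape of the slides' output; the hints are the check each message points at.

```python
import re

# Constructed sample in the shape of the slides' "debug crypto isakmp" lines
# (a subset, not the page's full dump).
SAMPLE_DEBUG = """\
*May 11 13:33:21.430: ISAKMP:(0):No pre-shared key with 200.200.200.1!
*May 11 13:33:21.430: ISAKMP:(0):Preshared authentication offered but does not match policy!
*May 11 13:33:21.430: ISAKMP:(0): phase 1 SA policy not acceptable! (local 50.50.50.2 remote 200.200.200.1)
*May 11 13:33:21.435: ISAKMP:(0):Notify has no hash. Rejected.
*May 11 13:59:11.573: ISAKMP:(0):found peer pre-shared key matching 200.200.200.254
*May 11 13:59:11.573: ISAKMP:(0):atts are acceptable. Next payload is 0
"""

TS_RE = re.compile(r"^\*?(\w{3} +\d+ \d\d:\d\d:\d\d\.\d+): (.*)$")
NO_PSK_RE = re.compile(r"No pre-shared key with (\d+\.\d+\.\d+\.\d+)!")

# Message fragments from the failing column of the slide debug, each with the
# check it points a responder at.
FAILURE_SIGNATURES = (
    ("No pre-shared key with", "keyring has no entry for the address the peer sources IKE from"),
    ("does not match policy", "no ISAKMP policy matches the offered transform/authentication"),
    ("SA policy not acceptable", "phase 1 rejected; compare policies on both peers"),
    ("Notify has no hash. Rejected", "unauthenticated informational notify dropped by the initiator"),
)

def triage(debug_text: str) -> dict:
    """Summarise an ISAKMP debug: failure lines with hints, peers lacking a PSK,
    and timestamps at which phase 1 attributes were accepted."""
    result = {"failures": [], "missing_psk_peers": set(), "accepted_at": []}
    for raw in debug_text.splitlines():
        m = TS_RE.match(raw.strip())
        if not m:
            continue  # continuation fragment or non-debug line
        ts, msg = m.groups()
        for fragment, hint in FAILURE_SIGNATURES:
            if fragment in msg:
                result["failures"].append((ts, hint, msg))
        psk = NO_PSK_RE.search(msg)
        if psk:
            result["missing_psk_peers"].add(psk.group(1))
        if "atts are acceptable" in msg:
            result["accepted_at"].append(ts)
    return result

if __name__ == "__main__":
    summary = triage(SAMPLE_DEBUG)
    for ts, hint, msg in summary["failures"]:
        print(f"{ts}  {hint}\n    {msg}")
    print("peers without a pre-shared key:", sorted(summary["missing_psk_peers"]))
    print("phase 1 accepted at:", summary["accepted_at"])
```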