Cisco Cisco Packet Data Gateway (PDG) Fehlerbehebungsanleitung
IP Security
Redundant IPSec Tunnel Fail-Over ▀
Cisco ASR 5000 Series Enhanced Feature Configuration Guide ▄
OL-22982-01
Redundant IPSec Tunnel Fail-Over
The Redundant IPSec Tunnel Fail-Over functionality is included with the IPSec feature license and allows the
configuration of a secondary ISAKMP crypto map-based IPSec tunnel over which traffic is routed in the event that the
primary ISAKMP crypto map-based tunnel cannot be used.
configuration of a secondary ISAKMP crypto map-based IPSec tunnel over which traffic is routed in the event that the
primary ISAKMP crypto map-based tunnel cannot be used.
This feature introduces the concept of crypto (tunnel) groups when using IPSec tunnels for access to packet data
networks (PDNs). A crypto group consists of two configured ISAKMP crypto maps. Each crypto map defines the IPSec
policy for a tunnel. In the crypto group, one tunnel serves as the primary, the other as the secondary (redundant). Note
that the method in which the system determines to encrypt user data in an IPSec tunnel remains unchanged.
networks (PDNs). A crypto group consists of two configured ISAKMP crypto maps. Each crypto map defines the IPSec
policy for a tunnel. In the crypto group, one tunnel serves as the primary, the other as the secondary (redundant). Note
that the method in which the system determines to encrypt user data in an IPSec tunnel remains unchanged.
Group tunnels are perpetually maintained with IPSec Dead Peer Detection (DPD) packets exchanged with the peer
security gateway.
security gateway.
Important:
The peer security gateway must support RFC 3706 in order for this functionality to function properly.
When the system determines that incoming user data traffic must be routed over one of the tunnels in a group, the
system automatically uses the primary tunnel until either the peer is unreachable (the IPSec DPD packets cease), or the
IPSec tunnel fails to re-key. If the primary peer becomes unreachable, the system automatically begins to switch user
traffic to the secondary tunnel.
system automatically uses the primary tunnel until either the peer is unreachable (the IPSec DPD packets cease), or the
IPSec tunnel fails to re-key. If the primary peer becomes unreachable, the system automatically begins to switch user
traffic to the secondary tunnel.
The system can be configured to either automatically switch user traffic back to the primary tunnel once the
corresponding peer security gateway is reachable and the tunnel is configured, or require manual intervention to do so.
corresponding peer security gateway is reachable and the tunnel is configured, or require manual intervention to do so.
This functionality also supports the generation of Simple network Management Protocol (SNMP) notifications
indicating the following conditions:
indicating the following conditions:
Primary Tunnel is down: A primary tunnel that was previously "up" is now "down" representing an error
condition.
Primary Tunnel is up: A primary tunnel that was previously "down" is now "up".
Secondary tunnel is down: A secondary tunnel that was previously "up" is now "down" representing an error
condition.
Secondary Tunnel is up: A secondary tunnel that was previously "down" is now "up".
Fail-over successful: The switchover of user traffic was successful. This is generated for both primary-to-
secondary and secondary-to-primary switchovers.
Unsuccessful fail-over: An error occurred when switching user traffic from either the primary to secondary
tunnel or the secondary to primary tunnel.
Supported Standards
Support for the following standards and requests for comments (RFCs) has been added with the Redundant IPSec
Tunnel Fail-over functionality:
Tunnel Fail-over functionality:
RFC 3706, A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers, February 2004