Release Notes for Cisco IOS Software Release 12.2(11)YX

Release Notes for the Cisco 7200 Series for Cisco IOS Release 12.2(11)YX1
OL-3617-02
Symptom: The remote router receives an IKE new SA packet when the standby router comes up from 
reload. The remote router receives another IKE new SA packet when the standby router is reloaded. 
This is a regression bug. 
Conditions:
1. Load HA routers with ddukes-special April 24 image.
2. Configure HA with GRE and wait for SAs and routes to settle.
3. Reload the Standby router and, as it comes up, the Remote will receive a NewSA IKE packet.
Workaround: None.
Sample Configuration
The configuration for IPSec Stateful Failover builds on the standard Stateful Failover configuration, but 
with the addition of a tunnel interface for each GRE endpoint, as shown in 
1. The crypto parameters on the Stateful Failover Pair must be the same for:
   - isakmp policy (encryption, authentication, hash, lifetime, group)
   - isakmp key (shared secret with remote peer)
   - ipsec security-association lifetimes
   - ipsec transform set
2. The crypto map must be applied to BOTH the tunnel and the physical interface. For traffic to reach 
   the Tunnel interface, there should be a route to the Tunnel IP address from the crypto peer.
3. An SSP group can be configured with up to 32 redundancy groups (with 32 Virtual IP Addresses).
4. There must be an access-list for the GRE traffic with the VIP as one of the endpoints.
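One way to check requirement 1 before enabling failover is to diff the crypto stanzas of the two running-configs. The script below is an added example, not part of the Cisco release notes; the sample configs are constructed (only the keys gre1/gre2 and the 20.1.x.1 peers appear on this page), and the names crypto_params and mismatches are hypothetical.

```python
import hashlib
import re

# Constructed sample configs; only gre1/gre2 and the 20.1.x.1 peers are from the page.
ACTIVE = """\
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key gre1 address 20.1.1.1
crypto isakmp key gre2 address 20.1.2.1
crypto ipsec security-association lifetime seconds 3600
crypto ipsec transform-set TS esp-3des esp-sha-hmac
interface FastEthernet0/0
 ip address 40.0.0.4 255.255.255.0
"""
# Standby copy with two deliberate drifts: a mistyped key and an extra policy line.
STANDBY = (ACTIVE.replace("key gre2 ", "key gre-2 ")
           .replace(" encr 3des\n", " encr 3des\n group 2\n")
           .replace("40.0.0.4", "40.0.0.5"))  # physical IP may differ, not compared

POLICY_RE = re.compile(r"crypto isakmp policy \d+$")
KEY_RE = re.compile(r"(crypto isakmp key )(\S+)( .*)")
GLOBAL_CMDS = ("crypto isakmp key ",
               "crypto ipsec security-association lifetime ",
               "crypto ipsec transform-set ")

def _mask(line):
    """Replace a pre-shared key with a short digest so reports never echo it."""
    m = KEY_RE.match(line)
    if not m:
        return line
    digest = hashlib.sha256(m.group(2).encode()).hexdigest()[:12]
    return f"{m.group(1)}sha256:{digest}{m.group(3)}"

def crypto_params(config):
    """Collect the settings that must be identical on both routers."""
    params, policy = set(), None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):          # top-level command
            policy = line if POLICY_RE.match(line) else None
            if policy or line.startswith(GLOBAL_CMDS):
                params.add(_mask(line))
        elif policy:                          # sub-command of an isakmp policy
            params.add(f"{policy} / {line.strip()}")
    return params

def mismatches(active, standby):
    """Return (only_on_active, only_on_standby) as sorted lists."""
    a, s = crypto_params(active), crypto_params(standby)
    return sorted(a - s), sorted(s - a)
```

Calling mismatches(ACTIVE, STANDBY) returns the lines present on only one router; two empty lists mean the compared stanzas agree. Settings left at their IOS defaults do not appear in the running-config and are therefore not compared.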
The following sample configuration uses multiple redundancy groups and multiple GRE tunnels. 
Note that this isn't necessarily a realistic deployment, but was used in the lab to illustrate the failover of 
multiple redundancy groups with multiple GRE tunnels. Ethernet sub-interfaces were used to simulate 
multiple VIPs.
Note that the other redundant router would have the same configuration, except that its physical IP 
addresses would be different and its SSP remote address would point to the physical IP address of the 
private interface of the SSP peer. 
Head-end router:
ip cef
!
ssp group 100
 remote 40.0.0.5
 redundancy GRE_1
 redundancy GRE_2
!
! Note: 20.i.j.1 addresses are the remote peers
!
crypto isakmp policy 1
 encr 3des
 authentication pre-share
crypto isakmp key gre1 address 20.1.1.1
crypto isakmp key gre2 address 20.1.2.1