IPSec VPN Acceleration Services Module Installation and Configuration Note
78-14459-03 Rev C0
Configuring a VPN Using the VPN Module
For complete configuration information for Cisco IOS IPSec stateful failover support, refer to this URL:
http://www.cisco.com/en/US/products/sw/iosswrel/ps5012/products_feature_guide09186a0080116d4c.html
Follow these guidelines when configuring IPSec stateful failover:

When configuring an IPSec stateful failover with the VPN module, note that all VPN module configuration rules apply. You must apply crypto maps to interface VLANs, and you must attach interface VLANs to the VPN module inside port.

When configuring an IPSec stateful failover with a VPN module in two chassis, note that the hardware configurations of both chassis must be exactly the same. For example, if in one chassis the VPN module in slot 2 is used to protect interface VLAN 100 and the VPN module in slot 3 is used to protect interface VLAN 101, the exact same configuration must be reflected in the second chassis. An example of a misconfiguration would be the VPN module in slot 3 of the second chassis being used to protect interface VLAN 100.

Do not use an IPSec stateful failover with Easy-VPN clients or IKE keepalives. An IPSec stateful failover may be used with peers when DPD is used.

Do not add nonexistent or inadequately configured HSRP standby groups to the state synchronization protocol (SSP) configuration, because this action disables high-availability features until the configuration is corrected.

The recommended HSRP timer values are 1 second for hello timers and 3 seconds for hold timers. These values should prevent an undesirable failover caused by temporary network congestion or transient, high CPU loads.

These timer values can be adjusted upward if you are running high loads or have a large number of HSRP groups. Raising the timer values as needed reduces the impact of temporary failures and load-related instability on the high-availability pair. The hello timer value should be approximately a third of the hold timer value.

Use the HSRP “delay” timers to allow a device to finish booting, initializing, and synchronizing before participating as a high-availability pair. Set the “minimum” delay at 30 seconds or more to help prevent active/standby flapping, and set the “reload” delay at some value greater than the minimum. You can use the delay timers to reflect the complexity and size of a particular configuration on various hardware. The delay timers tend to vary from platform to platform.

Sequence number updates from active to standby have a 20-second minimum interval per SA.

Because of its dependence on HSRP, an IPSec stateful failover does not work for secured WAN ports (IPSec over FlexWAN module port adapters).

Use the reverse route injection (RRI) feature to allow dynamic routing information updates during the HSRP and IPSec failover. For complete configuration information on RRI support, refer to this URL:
http://www.cisco.com/en/US/partner/tech/tk583/tk372/technologies_tech_note09186a00800942f7.shtml
The following is a configuration example for the active chassis that is configured for an IPSec stateful failover (at the end of this example, see the configuration example for the standby chassis):

Note: These configuration examples do not protect the SSP traffic. To protect the SSP traffic, you will need to define a new crypto map and attach it to the SSP interface without the “ssp” tag. The ACL for this crypto map can be derived from the remote IP address and the TCP port that are defined in the SSP group.
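The following active-chassis configuration is an added illustration of the guidelines above and of the Note about protecting SSP traffic; it is not the Cisco configuration example that this note refers to. It follows the guideline layout (VPN module in slot 2 protecting interface VLAN 100, HSRP hello/hold timers of 1/3 seconds, a 30-second minimum delay with a larger reload delay, DPD rather than IKE keepalives, RRI on the crypto map entry) and adds a second crypto map, without the “ssp” tag, on the SSP interface VLAN whose ACL is built from the SSP group's remote address and TCP port. All IP addresses, VLAN and slot numbers, names, ACL numbers, pre-shared keys and the SSP port number are constructed values; the command syntax (ssp group, crypto map ... ssp, crypto engine slot, crypto connect vlan, standby delay, reverse-route) is assumed to match the IOS release covered by the stateful failover guide linked above and should be verified there before use.

```text
! Added example configuration (active chassis). Not the configuration example
! from the Cisco note; every address, name, key and number below is constructed.

! Dead peer detection instead of IKE keepalives (the guideline permits DPD only).
! The on-demand keyword is assumed to be available in the release in use.
crypto isakmp keepalive 10 3 on-demand

! SSP group: remote is the standby chassis on the inside LAN (VLAN 200), the
! redundancy name must match a fully configured HSRP group, port is constructed.
ssp group 1
 remote 10.1.1.2
 redundancy HA-VLAN100
 port 5000

crypto isakmp policy 10
 encr aes
 authentication pre-share
 group 2
! Remote IPSec peer and the standby chassis (for the SSP-protecting map).
crypto isakmp key EXAMPLE-PEER-KEY address 203.0.113.2
crypto isakmp key EXAMPLE-SSP-KEY address 10.1.1.2

crypto ipsec transform-set TS esp-aes esp-sha-hmac

! Protected traffic between the two sites. reverse-route (RRI) injects routes
! for the remote network so that routing follows the active chassis on failover.
access-list 101 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
crypto map VPNMAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS
 match address 101
 reverse-route

! SSP traffic: TCP from this chassis to the SSP remote address on the SSP port
! (derived from the ssp group above). This map is attached WITHOUT the ssp tag.
access-list 102 permit tcp host 10.1.1.1 host 10.1.1.2 eq 5000
crypto map SSPMAP 10 ipsec-isakmp
 set peer 10.1.1.2
 set transform-set TS
 match address 102

! Outside interface VLAN protected by the VPN module in slot 2. The HSRP
! standby address is the IPSec endpoint shared by both chassis.
interface Vlan100
 ip address 192.0.2.1 255.255.255.0
 standby 1 ip 192.0.2.3
 standby 1 name HA-VLAN100
 standby 1 timers 1 3
 standby 1 preempt
 standby delay minimum 30 reload 60
 crypto map VPNMAP ssp 1
 crypto engine slot 2

! Physical outside port handed to the VPN module for VLAN 100.
interface GigabitEthernet3/1
 no ip address
 crypto connect vlan 100

! SSP interface VLAN (inside LAN). The SSP-protecting map also has to live on an
! interface VLAN attached to the VPN module, so it gets crypto engine slot 2 too.
interface Vlan200
 ip address 10.1.1.1 255.255.255.0
 crypto map SSPMAP
 crypto engine slot 2

interface GigabitEthernet3/2
 no ip address
 crypto connect vlan 200
```

The standby chassis mirrors this configuration exactly, with the same module in slot 2 protecting interface VLAN 100 and the same HSRP group name, and only the per-chassis addresses swapped (10.1.1.2 as its own VLAN 200 address, 10.1.1.1 as the SSP remote, and the SSP ACL and peer reversed accordingly). Verify after bringing up the pair that the HSRP group named in the SSP group is active on one chassis and standby on the other; an SSP group that references a missing or half-configured HSRP group disables the high-availability features, as the guideline above states.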