Site-to-Site IPSec with VTI - Initial delay up to 60 seconds

Plamen Mladenov
Level 1

Hello,

I have an IKEv2 Site-to-Site IPSec tunnel (VTI with static routing) between an ASA firewall and two stateless HA routers configured with HSRP (the IPSec endpoint is the HSRP VIP hosted on the HSRP active router).

Despite the fact that it is not stateful (not supported on ASR1K devices), the setup is working relatively well: in case of a failure of the active ASR1K router, the IPSec tunnel is re-established by the other router (new phase 1/2 SA negotiation, etc.).

However, it takes between 20 and 60 seconds for end-to-end connectivity to recover in case of an active ASR1K failure, and I'm trying to reduce that recovery time. I know that ideally it should use a platform supporting stateful HA, like another pair of HA firewalls, or there should be two separate tunnels with some kind of dynamic routing, but that's not my case.

20 seconds is the IPSec failure detection time (the minimum DPD I'm able to configure: the minimum R-U-There interval is 10 s and the minimum retries are 2), but my bigger concern is that once the standby ASR1K takes over (its HSRP state goes from Standby to Active; HSRP timers are in milliseconds) it doesn't try to initiate IPSec immediately. Actually, it takes up to 60 seconds to start initiating the new IPSec tunnel with the ASA. With "debug crypto ipsec message" on the new HSRP active router I've noticed the following:

[] -> [ACL automatic]: message ACL for always up maps
[ACL automatic]: message = ACL for always up maps
[ACL automatic] -> [ACL automatic]: delayed (60000 msec) message ACL for always up maps

These debug messages are repeating every 60 seconds, and depending on when the failure happens it can take between 0 and 60 seconds for the router to start sending IKEv2 packets. Does anyone know if this 60000 msec interval is configurable somewhere, or can it be bypassed somehow?

Regards,

Plamen

3 Replies

Share the config of the ASA and the two ASRs.

MHM

Still waiting.

MHM

tvotna
Spotlight

An "always up map" is an "always-up" crypto map which is created for an SVTI when tunnel protection is applied. Check "show crypto map" and "show crypto sockets". Such a map brings up the IKE SA automatically, without "interesting" traffic. The debug messages you see probably pertain to communication between PI (platform-independent) and PD (platform-dependent) code on the ASR1k. Some process wakes up every 60 sec, checks if the router is HSRP active, and sleeps again if it is not. When the router becomes active, the crypto socket is opened, the control plane code establishes the IKE SA, the line protocol state of the tunnel interface goes up, and the PD is programmed.

As an idea compare "show crypto ruleset platform" on active and standby.

Anyway, it is not possible to control this behavior and you'll probably need TAC support to dig deeper.
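Added example, not part of the thread and not Cisco code: a small script that takes a capture of "debug crypto ipsec message" output and measures the polling behaviour tvotna describes, so the "wakes up every 60 sec" claim can be checked on a real box rather than eyeballed. The sample lines reuse the message text quoted in the question; the timestamps are constructed here (the lines in the post have none, and the script assumes "service timestamps debug datetime msec" is on), and the year is an assumption since IOS debug timestamps don't carry one. It reports the delay the PI code requests, the period actually observed between polls, and how long a router that went HSRP active at a given instant would sit idle before the next poll lets it start IKE.

```python
import math
import re
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample of "debug crypto ipsec message" output. The message text is
# the text quoted in the thread; the timestamps are invented for this example
# (the thread's lines have none) and assume "service timestamps debug datetime msec".
SAMPLE_DEBUG = """\
Mar  3 10:00:00.101: [] -> [ACL automatic]: message ACL for always up maps
Mar  3 10:00:00.101: [ACL automatic]: message = ACL for always up maps
Mar  3 10:00:00.102: [ACL automatic] -> [ACL automatic]: delayed (60000 msec) message ACL for always up maps
Mar  3 10:01:00.104: [] -> [ACL automatic]: message ACL for always up maps
Mar  3 10:01:00.104: [ACL automatic]: message = ACL for always up maps
Mar  3 10:01:00.105: [ACL automatic] -> [ACL automatic]: delayed (60000 msec) message ACL for always up maps
Mar  3 10:02:00.108: [] -> [ACL automatic]: message ACL for always up maps
Mar  3 10:02:00.108: [ACL automatic]: message = ACL for always up maps
Mar  3 10:02:00.109: [ACL automatic] -> [ACL automatic]: delayed (60000 msec) message ACL for always up maps
"""

# IOS debug timestamps carry no year; assume one so the lines can be parsed (assumption).
ASSUMED_YEAR = 2024

TS_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): (?P<msg>.*)$")
DELAY_RE = re.compile(r"delayed \((?P<ms>\d+) msec\) message ACL for always up maps")


def parse_timestamp(ts: str) -> datetime:
    return datetime.strptime(f"{ASSUMED_YEAR} {ts}", "%Y %b %d %H:%M:%S.%f")


def poll_events(debug_text: str) -> List[Tuple[datetime, int]]:
    """(timestamp, requested delay in msec) for every 'delayed (N msec)' line."""
    events = []
    for line in debug_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue  # not a timestamped debug line
        d = DELAY_RE.search(m.group("msg"))
        if d:
            events.append((parse_timestamp(m.group("ts")), int(d.group("ms"))))
    return events


def requested_period_seconds(events) -> Optional[float]:
    """The delay the PI code asks for, as logged; None if the log shows several values."""
    delays = {ms for _, ms in events}
    return delays.pop() / 1000.0 if len(delays) == 1 else None


def observed_period_seconds(events) -> Optional[float]:
    """Mean gap between consecutive 'delayed' lines; compare with requested_period_seconds."""
    if len(events) < 2:
        return None
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
    return sum(gaps) / len(gaps)


def seconds_until_next_poll(events, failover_at: datetime) -> float:
    """Idle time for a router that went HSRP active at failover_at before the next
    poll fires and it can start IKE, assuming the poll keeps firing on the logged
    period anchored at the first logged poll."""
    if not events:
        raise ValueError("no poll events in log")
    period = requested_period_seconds(events)
    if period is None:
        raise ValueError("inconsistent delay values in log")
    elapsed = (failover_at - events[0][0]).total_seconds()
    if elapsed <= 0:
        return -elapsed
    return math.ceil(elapsed / period) * period - elapsed


def idle_window(events) -> Tuple[float, float]:
    """(worst-case, average) idle time before IKE initiation when the failover
    instant is uniformly random within a poll period: the full period and half of it."""
    period = requested_period_seconds(events)
    if period is None:
        raise ValueError("inconsistent delay values in log")
    return period, period / 2.0


if __name__ == "__main__":
    ev = poll_events(SAMPLE_DEBUG)
    print(f"polls seen: {len(ev)}, requested period: {requested_period_seconds(ev)} s, "
          f"observed period: {observed_period_seconds(ev):.3f} s")
    worst, avg = idle_window(ev)
    print(f"idle before IKE start: worst {worst:.0f} s, average {avg:.0f} s")
    fo = parse_timestamp("Mar  3 10:05:30.102")
    print(f"failover at {fo.time()}: IKE starts after {seconds_until_next_poll(ev, fo):.1f} s")
```

Feed it a real capture (with the debug running on the standby router for a few minutes before the test) and compare the observed period with the requested one; a steady 60 s gap on the standby, and a first IKE_SA_INIT from the new active router landing just after one of those ticks, is what you'd expect if the explanation above is right. The script only measures the idle gap; the ASA-side DPD detection runs in parallel and is not modelled.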