Redundant IPSec Tunnel Fail-Over; Supported Standards - Cisco ASR 5000 Series 3G Home NodeB Administration Manual



Redundant IPSec Tunnel Fail-Over
The Redundant IPSec Tunnel Fail-Over functionality is included with the IPSec feature license and allows the
configuration of a secondary ISAKMP crypto map-based IPSec tunnel over which traffic is routed in the event that the
primary ISAKMP crypto map-based tunnel cannot be used.
This feature introduces the concept of crypto (tunnel) groups when using IPSec tunnels for access to packet data
networks (PDNs). A crypto group consists of two configured ISAKMP crypto maps. Each crypto map defines the IPSec
policy for a tunnel. In the crypto group, one tunnel serves as the primary, the other as the secondary (redundant). Note
that the way the system decides whether user data is to be encrypted in an IPSec tunnel remains unchanged; the group
only changes which of the two tunnels carries that data.
Group tunnels are perpetually maintained with IPSec Dead Peer Detection (DPD) packets exchanged with the peer
security gateway.
Important: The peer security gateway must support RFC 3706 in order for this functionality to function properly.
When the system determines that incoming user data traffic must be routed over one of the tunnels in a group, the
system automatically uses the primary tunnel until either the peer becomes unreachable (it stops answering the IPSec
DPD packets) or the IPSec tunnel fails to re-key. If the primary peer becomes unreachable, the system automatically
begins to switch user traffic to the secondary tunnel. The system can be configured to either automatically switch user
traffic back to the primary tunnel once the corresponding peer security gateway is reachable and the tunnel is configured,
or to require manual intervention to do so.
This functionality also supports the generation of Simple Network Management Protocol (SNMP) notifications
indicating the following conditions:
- Primary Tunnel is down: A primary tunnel that was previously "up" is now "down", representing an error
condition.
- Primary Tunnel is up: A primary tunnel that was previously "down" is now "up".
- Secondary Tunnel is down: A secondary tunnel that was previously "up" is now "down", representing an error
condition.
- Secondary Tunnel is up: A secondary tunnel that was previously "down" is now "up".
- Fail-over successful: The switchover of user traffic was successful. This is generated for both primary-to-secondary
and secondary-to-primary switchovers.
- Unsuccessful fail-over: An error occurred when switching user traffic from either the primary to the secondary
tunnel or the secondary to the primary tunnel.
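The fail-over behaviour above (DPD-driven detection, re-key failure, automatic versus manual revert) and the notification list are easiest to reason about as a small state machine. The following is an added example written for this page, not Cisco code and not StarOS configuration syntax: it models one crypto group whose two tunnels are watched by an RFC 3706 style traffic-based Dead Peer Detection monitor, and records the notifications the guide lists as plain strings in place of SNMP traps. The timer values (10 s worry period, 5 s retransmit interval, 3 retries), the class and method names, and the rule that any inbound peer traffic brings a tunnel back up are assumptions made for the illustration; the event timeline in `run_scenario` is constructed.

```python
"""Added example (not Cisco code): a crypto group with primary/secondary IPSec
tunnels, RFC 3706 style DPD, fail-over, auto/manual revert and notifications.
Timer values, names and the constructed timeline are assumptions."""
from dataclasses import dataclass, field


@dataclass
class DpdMonitor:
    """RFC 3706 style liveness for one peer. DPD is traffic based: nothing is
    sent while authenticated inbound traffic arrives; after `worry` seconds of
    silence an R-U-THERE probe is sent every `interval` seconds, and more than
    `retries` unanswered probes declare the peer dead (values are assumptions)."""
    worry: float = 10.0
    interval: float = 5.0
    retries: int = 3
    last_inbound: float = 0.0
    probes_outstanding: int = 0
    next_probe_at: float = 0.0
    alive: bool = True

    def inbound(self, now: float) -> None:
        """Any authenticated inbound packet (including R-U-THERE-ACK) proves liveness."""
        self.last_inbound = now
        self.probes_outstanding = 0
        self.alive = True

    def tick(self, now: float) -> bool:
        """Advance the clock; return True once the peer is considered dead."""
        if now - self.last_inbound < self.worry:
            return False                      # recent traffic: no probe needed
        if self.probes_outstanding == 0 or now >= self.next_probe_at:
            self.probes_outstanding += 1      # send or retransmit R-U-THERE
            self.next_probe_at = now + self.interval
        if self.probes_outstanding > self.retries:
            self.alive = False
        return not self.alive


@dataclass
class CryptoGroup:
    """Primary and secondary ISAKMP crypto map tunnels serving one PDN."""
    name: str
    auto_revert: bool = True                  # False: revert needs manual_revert()
    active: str = "primary"
    monitors: dict = field(default_factory=lambda: {
        "primary": DpdMonitor(), "secondary": DpdMonitor()})
    up: dict = field(default_factory=lambda: {"primary": True, "secondary": True})
    notifications: list = field(default_factory=list)   # stand-in for SNMP traps

    def _switch(self, target: str) -> bool:
        if not self.up[target]:
            self.notifications.append(f"unsuccessful fail-over to {target}")
            return False
        self.active = target
        self.notifications.append(f"fail-over to {target} successful")
        return True

    def _set_state(self, tunnel: str, is_up: bool) -> None:
        if self.up[tunnel] == is_up:
            return                            # no transition, no notification
        self.up[tunnel] = is_up
        self.notifications.append(f"{tunnel} tunnel is {'up' if is_up else 'down'}")
        if tunnel == self.active and not is_up:
            # the tunnel carrying traffic was lost: move traffic to the other one
            self._switch("secondary" if tunnel == "primary" else "primary")
        elif tunnel == "primary" and is_up and self.active == "secondary" and self.auto_revert:
            self._switch("primary")           # primary peer back: automatic revert

    def inbound(self, tunnel: str, now: float) -> None:
        """Peer traffic seen on a tunnel (assumption: this also marks it up)."""
        self.monitors[tunnel].inbound(now)
        self._set_state(tunnel, True)

    def rekey_failed(self, tunnel: str) -> None:
        """A failed IKE re-key is handled like an unreachable peer."""
        self._set_state(tunnel, False)

    def tick(self, now: float) -> None:
        for tunnel, mon in self.monitors.items():
            self._set_state(tunnel, not mon.tick(now))

    def manual_revert(self) -> bool:
        return self._switch("primary")


def run_scenario(auto_revert: bool = True) -> CryptoGroup:
    """Constructed timeline: the primary peer is silent from t=0 and is heard
    again at t=40; the secondary peer answers throughout (one tick per second)."""
    g = CryptoGroup("pdn-group", auto_revert=auto_revert)
    for t in range(61):
        g.inbound("secondary", t)
        if t >= 40:
            g.inbound("primary", t)
        g.tick(t)
    return g


def failed_switchover() -> CryptoGroup:
    """Both tunnels fail to re-key: the fail-over has nowhere to go."""
    g = CryptoGroup("pdn-group")
    g.rekey_failed("secondary")
    g.rekey_failed("primary")
    return g
```

With the assumed timers the primary is declared dead 25 s after its last packet (the 10 s worry period plus three 5 s retransmits), traffic moves to the secondary, and at t=40 the group either reverts by itself or, with `auto_revert=False`, waits for `manual_revert()`. Note that a DPD retransmit limit that is too short turns ordinary jitter on the peer link into flapping fail-overs, each of which generates its own pair of notifications.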

Supported Standards

Support for the following standards and requests for comments (RFCs) has been added with the Redundant IPSec
Tunnel Fail-over functionality:
- RFC 3706, A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers, February 2004
Cisco ASR 5000 Series 3G Home NodeB Gateway Administration Guide, IP Security chapter, OL-25069-03
