PrepAway - Latest Free Exam Questions & Answers

Which of the following statements is true regarding stateful failover for IPSec?

A. RRI cannot be used with stateful failover for IPSec.

B. HSRP cannot be used with stateful failover for IPSec.

C. The active and standby devices in a stateful failover configuration must be identical devices and must run identical IOS software versions.

D. Stateful failover transfers the crypto configuration from the active device to the standby device.

Explanation:
The active and standby devices in a stateful failover configuration must be identical devices and must run identical IOS software versions. With stateful failover for IP Security (IPSec), the active router synchronizes its IPSec and Internet Key Exchange (IKE) security associations (SAs) with the standby router. If the active router becomes unavailable, the role of active router is transferred to the standby router.

Hot Standby Router Protocol (HSRP) is required with stateful failover for IPSec. Stateful failover for IPSec works in conjunction with HSRP and stateful switchover (SSO) to ensure uninterrupted processing of IPSec data flows. HSRP monitors the interfaces on the active router and transfers the role of active router to the standby router if the active router becomes unavailable. Because the standby router’s IPSec and IKE SA information is in sync with the active router, service to existing IPSec data flows is not interrupted.

Reverse Route Injection (RRI) can be used with stateful failover for IPSec. RRI is a feature that enables a standby router to inject the routes from its routing table into the routing protocol on the local network when the standby router becomes the active router. This ensures that other routers on the local network will know the correct path to the current active router. RRI is necessary because the virtual IP (VIP) address of an HSRP group cannot advertise routing updates.

Stateful failover does not transfer the crypto configuration from the active device to the standby device. Because only the IPSec and IKE SA information is synchronized between routers, the active and standby routers must have identical IKE and IPSec configurations; otherwise, the failover will not be successful. In addition, any access control lists (ACLs); Authentication, Authorization, and Accounting (AAA) configurations; and local IP pools that are used in IPSec or IKE configurations must be duplicated as well.
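Because stateful failover synchronizes only the IKE/IPsec SA state and never the crypto configuration itself, the practical control is to verify that the non-replicated parts of the two configurations really are identical before relying on the pair. The script below is an added example, not part of the original explanation or of any Cisco tool: it parses two IOS running-config texts, keeps only the blocks the explanation lists (crypto policies, keys, transform sets and crypto maps, ACLs, AAA, and local IP pools), and reports anything missing, extra or different on the standby. The command prefixes tracked, the one-space IOS indentation convention, and both sample configurations (including the placeholder pre-shared key and addresses) are assumptions constructed for the example.

```python
from typing import Dict, List, Tuple

# Top-level IOS command prefixes for configuration that stateful failover does
# NOT replicate (only IKE/IPsec SA state is synchronized), so these blocks must
# be duplicated by hand on the active and standby routers. Assumed list.
REPLICATED_PREFIXES: Tuple[str, ...] = (
    "crypto ",          # IKE policies, pre-shared keys, transform sets, crypto maps
    "ip access-list ",  # named ACLs referenced by 'match address'
    "access-list ",     # numbered ACLs
    "aaa ",             # AAA used for IKE/remote-access authentication
    "ip local pool ",   # address pools handed out to VPN clients
)


def parse_blocks(config_text: str) -> Dict[str, List[str]]:
    """Map each tracked top-level command to its indented sub-lines, in order.

    IOS prints sub-commands indented by one space and separates blocks with '!'.
    Per-device lines (hostname, interface addresses, HSRP priority, the
    'redundancy inter-device' local/remote IPs) fall outside the tracked prefixes
    and are deliberately ignored, since they are expected to differ.
    """
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw[0] != " ":                      # top-level command
            line = raw.rstrip()
            current = line if line.startswith(REPLICATED_PREFIXES) else None
            if current is not None:
                blocks.setdefault(current, [])
        elif current is not None:              # sub-command of a tracked block
            blocks[current].append(raw.strip())
    return blocks


def compare_failover_configs(active: str, standby: str) -> Dict[str, List[str]]:
    """Report crypto-relevant blocks that are missing, extra or different on the standby."""
    a, s = parse_blocks(active), parse_blocks(standby)
    report: Dict[str, List[str]] = {
        "missing_on_standby": sorted(a.keys() - s.keys()),
        "extra_on_standby": sorted(s.keys() - a.keys()),
        "differing": [],
    }
    for key in sorted(a.keys() & s.keys()):
        if a[key] == s[key]:
            continue
        only_a = sorted(set(a[key]) - set(s[key]))
        only_s = sorted(set(s[key]) - set(a[key]))
        # ACL entries are order-sensitive, so the same lines in another order still differ.
        detail = (f"active-only={only_a} standby-only={only_s}"
                  if (only_a or only_s) else "same lines, different order")
        report["differing"].append(f"{key}: {detail}")
    return report


def configs_match(active: str, standby: str) -> bool:
    """True when every block that stateful failover expects to be identical really is."""
    return not any(compare_failover_configs(active, standby).values())


# Constructed sample running-configs (not from any real device). The standby
# drifts in two ways: a weaker IKE hash and a missing client address pool.
ACTIVE_CONFIG = """\
hostname RTR-ACTIVE
aaa new-model
aaa authentication login VPN-USERS local
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK address 203.0.113.10
crypto ipsec transform-set TS-AES esp-aes 256 esp-sha256-hmac
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS-AES
 match address VPN-ACL
 reverse-route
ip local pool VPN-POOL 10.10.10.1 10.10.10.254
ip access-list extended VPN-ACL
 permit ip 192.168.1.0 0.0.0.255 192.168.2.0 0.0.0.255
interface GigabitEthernet0/0
 ip address 198.51.100.2 255.255.255.0
 standby 1 ip 198.51.100.1
 standby 1 name HA-GROUP
 standby 1 priority 110
 crypto map VPN-MAP redundancy HA-GROUP stateful
"""

# Legitimate per-device differences (hostname, address, HSRP priority) plus the
# two configuration drifts the checker should catch.
STANDBY_CONFIG = (ACTIVE_CONFIG.replace("RTR-ACTIVE", "RTR-STANDBY")
                  .replace("198.51.100.2 ", "198.51.100.3 ")
                  .replace("priority 110", "priority 100")
                  .replace(" hash sha256", " hash sha")
                  .replace("ip local pool VPN-POOL 10.10.10.1 10.10.10.254\n", ""))

if __name__ == "__main__":
    for category, items in compare_failover_configs(ACTIVE_CONFIG, STANDBY_CONFIG).items():
        print(category, items)
```

Run it against the `show running-config` output of both routers (collected however your change process already does) before a maintenance window or as a scheduled check; a non-empty report means the standby would take over HSRP and the synchronized SAs but then fail to rekey or to match traffic correctly, which is exactly the failure the explanation warns about. The per-device lines (hostname, interface address, HSRP priority) are skipped on purpose, so a clean report means only the crypto-relevant configuration is identical.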

Reference: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnav/configuration/15-mt/sec-vpn-availability-15-mt-book/sec-state-fail-ipsec.html
