The L2TP HA Session SSO/ISSU on a LAC/LNS feature provides a generic stateful switchover/In Service Software Upgrade (SSO/ISSU) mechanism for Layer 2 Tunneling Protocol (L2TP) on a Layer 2 Access Concentrator (LAC) and a Layer 2 Network Server (LNS). This feature preserves all fully established PPP and L2TP sessions during an SSO switchover or an ISSU upgrade or downgrade.
Your software release may not support all the features documented in this module. For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the Feature Information Table at the end of this document.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Development of the stateful switchover (SSO) feature is an incremental step within an overall program to improve the availability of networks constructed with Cisco IOS routers.
In specific Cisco networking devices that support dual RPs, stateful switchover takes advantage of RP redundancy to increase network availability. The feature establishes one of the RPs as the active processor, designates the other RP as the standby processor, and then synchronizes critical state information between them. Following an initial synchronization between the two processors, SSO dynamically maintains RP state information between them.
A switchover from the active to the standby processor occurs when the active RP fails, is removed from the networking device, or is manually taken down for maintenance.
SSO is particularly useful at the network edge. Traditionally, core routers protect against network faults using router redundancy and mesh connections that allow traffic to bypass failed network elements. SSO provides protection for network edge devices with dual RPs that represent a single point of failure in the network design, and where an outage might result in loss of service for customers.
Note: If a new L2TP session request is received on a tunnel that is in the resync phase after switchover, it is rejected. A new Cisco vendor-specific disconnect cause code (611) provides the reason for this session disconnect. The show vpdn history failure command displays the Failure Type field as Tunnel in HA resync.
SSO is always checkpointing or saving and resynchronizing client-specific state data that transfers to a peer client on a remote RP for HA switchover and on the local RP for ION restart. Once a valid checkpointing session is established, the checkpointed state data is established without error.
This section describes the effects on L2TP when performing an ISSU superpackage or subpackage software upgrade or downgrade on a Cisco ASR 1000 Series Router. During the ISSU operation of software upgrades and downgrades, there can be control traffic interruption in some scenarios of ISSU, causing the L2TP resynchronization operation (with L2TP silent switchover) to fail, resulting in a loss of an L2TP tunnel or session.
In general, there is no effect on the data traffic while performing an ISSU superpackage or subpackage software upgrade or downgrade. Data traffic interruptions are contained within a managed and expected operating set. For example, when you upgrade the software for a given SPA, the software upgrade only affects the data traffic serviced by that SPA; the remaining network continues to operate normally.
When you are configuring a superpackage software upgrade or downgrade, L2TP sessions and tunnels might be lost. To help mitigate any potential loss of L2TP tunnels or sessions, use a rolling-upgrade method to help minimize any L2TP tunnel or session outages.
Note: You can help minimize any tunnel or session outage as seen by the IP layer, by either configuring a backup interface for IP routing or an Ether-channel interface towards the L2TP peer.
For the Cisco ASR 1000 Series Routers, it is important to realize that ISSU-compatibility depends on the software sub-package being upgraded and the hardware configuration. Consolidated packages are ISSU-compatible in dual RP configurations only and have other limitations. The SPA and SIP software sub-packages must be upgraded on a per-SPA or per-SIP basis.
If you are upgrading a software package on the Cisco ASR 1000 Series Router that requires a reload of the standby Route Processor (RP), you must manually initiate an upgrade of the standby FP, SPA and SIP software with the same version of software provisioned on the new active RP following the switchover, to prevent any reload when the standby RP takes over as the new active RP.
When configuring L2TP HA Session SSO/ISSU on a LAC/LNS, Cisco IOS software internally adjusts the L2TP receive window size to a smaller value. This adjusted receive-window value displays when using the show vpdn tunnel detail command. If required, use the l2tp tunnel resync command to increase the size of the L2TP receive window.
You can configure L2TP HA globally using the l2tp sso enable command. You can also configure L2TP HA sessions for a specific VPDN group by using the sso enable command in VPDN group configuration mode. Both global and VPDN group L2TP HA sessions are enabled, by default. You must configure both the l2tp sso enable command and the sso enable command for VPDN groups for protocol L2TP to execute L2TP HA session functionality.
Global and VPDN group-specific L2TP HA sessions are hidden from the output of the show running-config command, because they are enabled by default. If you use the no l2tp sso enable command, the HA commands will display as NVGEN and appear in the output of the show running-config command.
After an SSO switchover, L2TP HA determines the sequence numbers used by L2TP peers. Determining sequence numbers can be time consuming if peers send a large number of unacknowledged messages. You can use the l2tp tunnel resync command to control the number of unacknowledged messages sent by a peer. Increasing the value of the number of packets can improve the session setup rate for L2TP HA tunnels with a large number of sessions.
Cisco series Internet routers operate in SSO mode by default after reloading the same version of SSO-aware images on the device.
Before you can use SSO, you must enable SSO on an RP. This task explains how to use the redundancy command to enable SSO on an RP. This task ensures that all redundancy session data, following an SSO, is used to re-create and reestablish existing sessions to their peer connections.
Command or Action | Purpose |
---|---|
Example: Router> enable | Enables privileged EXEC mode. |
Example: Router# configure terminal | Enters global configuration mode. |
Example: Router(config)# redundancy | Enters redundancy configuration mode. |
Example: Router(config-red)# mode sso | Specifies the mode of redundancy. |
Example: Router(config-red)# end | Returns to privileged EXEC mode. |
Cisco series Internet routers operate in L2TP HA SSO mode by default after reloading the same version of SSO-aware images on the device. No configuration is necessary to enable L2TP HA SSO sessions.
This procedure shows how to use the l2tp sso enable command to enable or disable HA globally. The l2tp sso enable command is enabled by default.
Perform this task when configuring a VPDN group or a VPDN template for L2TP HA SSO. This configuration example provides recommended scaling parameters to use when the number of VPDN tunnels in use is high, such as 8000 tunnels, with each tunnel supporting only a few VPDN sessions (two or less).
Conversely, if the number of VPDN tunnels is low and the number of VPDN sessions per VPDN tunnel is high, use the l2tp tunnel resync command to increase the resynchronization value. For example, if the number of VPDN sessions per VPDN tunnel is in the hundreds, use the l2tp tunnel resync command to increase the resynchronization value to a matching value in the hundreds.
Beginning with Cisco IOS XE Release 2.3, you can set the retransmit retries and timeout values to default values.
For HA functionality for a VPDN group, both the l2tp sso enable and sso enable commands must be enabled (default). If either command is disabled, no HA functionality is available for the VPDN group.
After an SSO switchover, L2TP HA determines the sequence numbers used by L2TP peers. Determining sequence numbers can be time consuming if peers send a large number of unacknowledged messages. You can use the l2tp tunnel resync command to control the number of unacknowledged messages sent by a peer. Increasing the value of the number of packets can improve the session setup rate for L2TP HA tunnels with a large number of sessions.
You can use the show l2tp redundancy command to display the time taken to resynchronize with the peer L2TP node.
This procedure shows how to use the l2tp tunnel resync command, in VPDN-group configuration mode, to control the number of packets an L2TP HA tunnel sends before waiting for an acknowledgement.
The show l2tp redundancy command provides information regarding the global state of the L2TP or specific L2TP sessions, with regard to their checkpointing status. You can display detailed information on:
The L2TP HA protocol state information for tunnels configured for HA (HA-enabled) and HA tunnels established successfully (HA-established) should match on the active and standby RP, unless there is a failure.
The output of the show l2tp redundancy command on the standby RP does not display total counter values or values for L2TP resynchronized tunnels. Total counter values would include non-HA protected tunnels and sessions, and these are not present on the standby RP.
To display global L2TP or specific L2TP sessions having checkpoint status, follow this procedure.
Command or Action | Purpose |
---|---|
Example: Router> enable | Enables privileged EXEC mode. |
Example: Router# show l2tp redundancy all | Displays the status of L2TP sessions with redundancy data. |
Example: Router# exit | Exits privileged EXEC mode. |
There is extensive troubleshooting for L2TP or VPDN redundancy sessions. For example, if the standby RP does not initialize, the show l2tp redundancy command displays a warning message and will display no tunnel or session information.
Router# show l2tp redundancy
L2TP HA support: Silent Failover
L2TP HA Status:
Checkpoint Messaging on: FALSE
Standby RP is up: TRUE
Recv'd Message Count: 0
No HA CC of Session data to display until Standby RP is up.
You can use the debug l2tp redundancy or debug vpdn redundancy commands to display debug information relating to L2TP- or VPDN-checkpointing events or errors. Debug information includes:
To debug an L2TP or VPDN session having redundancy event errors, follow this procedure.
Command or Action | Purpose |
---|---|
Example: Router> enable | Enables privileged EXEC mode. |
Example: Router# debug vpdn redundancy cf | Displays debug information for VPDN sessions with redundancy data. |
Example: Router# exit | Exits privileged EXEC mode. |
You can configure L2TP HA SSO/ISSU on a RADIUS server, using the following RADIUS attribute-value (AV) pair:
cisco:cisco-avpair="vpdn:l2tp-silent-switchover=1"
You can configure the L2TP HA SSO/ISSU resynchronous parameter on a RADIUS server, using the following RADIUS AV pair:
cisco:cisco-avpair="vpdn:l2tp-tunnel-resync-packet=<num>"
This example shows how to configure SSO on a route processor:
Router# configure terminal
Router(config)# redundancy
Router(config-red)# mode sso
Router(config-red)# end
This example shows how to configure L2TP SSO:
Router# configure terminal
Router(config)# l2tp sso enable
Router(config)# end
The following example shows an L2TP redundancy information request:
Router# show l2tp redundancy
L2TP HA support: Silent Failover
L2TP HA Status:
Checkpoint Messaging on: TRUE
Standby RP is up: TRUE
Recv'd Message Count: 189
L2TP Tunnels: 2/2/2/0 (total/HA-enabled/HA-est/resync)
L2TP Sessions: 20/20/20 (total/HA-enabled/HA-est)
L2TP Resynced Tunnels: 2/0 (success/fail)
Resync duration 0.63 secs (complete)
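The rule stated earlier, that HA-enabled and HA-established counts should match unless there is a failure, can be checked mechanically. The following is an added example, not Cisco code: it parses the flag and counter lines of show l2tp redundancy output by their own labels and reports mismatches, tunnels still in resync, and failed resyncs. The function names and the DEGRADED sample are constructed for illustration.

```python
import re

# Counter lines look like "L2TP Tunnels: 2/2/2/0 (total/HA-enabled/HA-est/resync)".
COUNTER = re.compile(r"^\s*(L2TP [\w ]+?):\s*(\d+(?:/\d+)*)\s*\(([^)]+)\)\s*$")
FLAG = re.compile(r"^\s*(Checkpoint Messaging on|Standby RP is up):\s*(TRUE|FALSE)\s*$")

def parse_redundancy(text):
    """Split the output into boolean status flags and labelled counters."""
    flags, counters = {}, {}
    for line in text.splitlines():
        if m := FLAG.match(line):
            flags[m.group(1)] = m.group(2) == "TRUE"
        elif m := COUNTER.match(line):
            labels = m.group(3).split("/")
            values = [int(v) for v in m.group(2).split("/")]
            if len(labels) == len(values):  # ignore malformed lines
                counters[m.group(1)] = dict(zip(labels, values))
    return flags, counters

def ha_findings(text):
    """Return (subject, issue) pairs; an empty list means nothing to flag."""
    flags, counters = parse_redundancy(text)
    out = [(f, "not TRUE") for f in ("Checkpoint Messaging on", "Standby RP is up")
           if flags.get(f) is not True]
    if not counters:
        out.append(("counters", "no tunnel or session data displayed"))
    for name, c in counters.items():
        if "HA-est" in c and c.get("HA-enabled") != c["HA-est"]:
            out.append((name, "HA-enabled and HA-est differ"))
        if "HA-enabled" in c and c.get("total", 0) > c["HA-enabled"]:
            out.append((name, "not all HA-protected"))
        if c.get("resync", 0) > 0:
            out.append((name, "in resync"))
        if c.get("fail", 0) > 0:
            out.append((name, "resync failed"))
    return out

# Flag and counter lines from this page's first "show l2tp redundancy" example.
HEALTHY = """\
 Checkpoint Messaging on: TRUE
 Standby RP is up: TRUE
L2TP Tunnels: 2/2/2/0 (total/HA-enabled/HA-est/resync)
L2TP Sessions: 20/20/20 (total/HA-enabled/HA-est)
L2TP Resynced Tunnels: 2/0 (success/fail)
"""
# Constructed sample (not device output): standby down, tunnels not all established.
DEGRADED = """\
Checkpoint Messaging on: TRUE
Standby RP is up: FALSE
L2TP Tunnels: 4/3/2/1 (total/HA-enabled/HA-est/resync)
L2TP Resynced Tunnels: 2/1 (success/fail)
"""
if __name__ == "__main__":
    print(ha_findings(HEALTHY), ha_findings(DEGRADED), sep="\n")
```

Because the counters are keyed by the labels in parentheses, the same parser accepts the three-field "L2TP Active Tunnels" line that show l2tp redundancy all prints.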
The following example shows an L2TP redundancy detail information request:
Router# show l2tp redundancy detail id 44233 2
Local session ID : 2
Remote session ID : 2
Local CC ID : 44233
Local UDP port : 1701
Remote UDP port : 1701
Waiting for VPDN application : No
Waiting for L2TP protocol : No
The following example shows an L2TP redundancy all-information request:
Router# show l2tp redundancy all
L2TP HA support: Silent Failover
L2TP HA Status:
Checkpoint Messaging on: FALSE
Standby RP is up: TRUE
Recv'd Message Count: 0
L2TP Active Tunnels: 1/1/0 (total/HA-enabled/resync)
L2TP Active Sessions: 1/1 (total/HA-enabled)
L2TP Resynced Tunnels: 1/0 (success/fail)
L2TP HA CC Check Point Status:
State LocID RemID Remote Name Class/Group Num. Sessions
est 33003 26355 LAC-1 1 1
L2TP HA Session Status:
LocID RemID TunID Waiting for Waiting for
VPDN app? L2TP proto?
28017 10 33003 No No
The following example shows how to limit the information displayed by providing a tunnel ID:
Router# show l2tp redundancy id 33003
L2TP HA Session Status:
LocID RemID TunID Waiting for Waiting for
VPDN app? L2TP proto?
2 2 33003 No No
The following example shows how to limit the information displayed by providing a session ID:
Router# show l2tp redundancy detail id 33003 3
Local session ID : 3
Remote session ID : 3
Local CC ID : 33003
Local UDP port : 1701
Remote UDP port : 1701
Waiting for VPDN application : No
Waiting for L2TP protocol : No
Related Topic | Document Title |
---|---|
Cisco IOS commands | |
VPDN commands | Cisco IOS VPDN Command Reference |
Layer 2 Tunnel Protocol | Layer 2 Tunnel Protocol Technology Brief |
Stateful switchover and high availability | Configuring Stateful Switchover module |
ISSU on Cisco ASR 1000 Series Routers | http://www.cisco.com/en/US/docs/routers/asr1000/configuration/guide/chassis/issu.html |
VPDN technology overview | VPDN Technology Overview module |
RFC | Title |
---|---|
RFC 2661 | Layer 2 Tunneling Protocol (L2TP) |
RFC 4591 | Fail Over for Layer 2 Tunneling Protocol (L2TP) |
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Table 1. Feature Information for L2TP HA Session SSO/ISSU on a LAC/LNS

Feature Name | Releases | Feature Information |
---|---|---|
L2TP HA Session SSO/ISSU on a LAC/LNS | Cisco IOS XE Release 2.2, Cisco IOS XE Release 2.3, Cisco IOS XE Release 2.4 | Provides a generic SSO/ISSU mechanism for Layer 2 Tunneling Protocol (L2TP) on a LAC and an LNS. This feature was introduced on the Cisco ASR 1000 Series Routers. The following commands were introduced by this feature: debug l2tp redundancy, debug vpdn redundancy, l2tp sso enable, l2tp tunnel resync, show l2tp redundancy, show vpdn redundancy, sso enable. In 2.3, support was added for scaling parameters for VPDN groups and templates. In 2.4, support was added for Multihop VPDN for VPDN tunnels and sessions. |