300-730 · Question #67
Which redundancy protocol must be implemented for IPsec stateless failover to work?
The correct answer is C. HSRP. IPsec stateless failover requires HSRP to maintain a shared virtual IP address so that when the active peer fails, the standby peer takes ownership of that IP and clients can reconnect without reconfiguration.
Question
Options
- ASSO
- BGLBP
- CHSRP
- DVRRP
How the community answered
(45 responses)- A2% (1)
- B7% (3)
- C89% (40)
- D2% (1)
Why each option
IPsec stateless failover requires HSRP to maintain a shared virtual IP address so that when the active peer fails, the standby peer takes ownership of that IP and clients can reconnect without reconfiguration.
SSO (Stateful Switchover) is the underlying mechanism used for stateful failover where IKE and IPsec session state is replicated to the standby, not the redundancy protocol required for stateless failover.
GLBP distributes traffic across multiple active gateways using different virtual MAC addresses per member, which breaks the single-active model that IPsec stateless failover depends on for deterministic peer takeover.
HSRP creates a virtual IP and virtual MAC address shared between active and standby peers. With stateless IPsec failover, when the active device fails HSRP transitions the virtual IP to the standby, allowing clients to re-initiate connections to the same address - existing IPsec SAs are not preserved, so clients must renegotiate new security associations after failover.
VRRP is an open-standard protocol that functions similarly to HSRP, but Cisco's IPsec stateless failover feature is specifically integrated with HSRP on Cisco IOS and ASA platforms rather than VRRP.
Concept tested: IPsec stateless failover HSRP dependency
Source: https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_conn_vpnav/configuration/xe-16/sec-vpn-availability-xe-16-book/sec-ipsec-ha-hsrp.html
Topics
Community Discussion
No community discussion yet for this question.