Configuring Peer Resynchronization
The JUNOSe software enables you to configure the peer resynchronization method you want the router to use. Peer resynchronization enables L2TP to recover from a router warm start and allows an L2TP failed endpoint to resynchronize with its peer non-failed endpoint. Peer resynchronization:
- Prevents the non-failed endpoint from prematurely terminating a tunnel while the failed endpoint is recovering
- Reestablishes the sequence numbers required for the operation of the L2TP control protocol
- Resolves inconsistencies in the tunnel and session databases of the failed endpoint and the non-failed endpoint
To ensure successful peer resynchronization between endpoints, the non-failed endpoint must support a complete RFC-compliant L2TP implementation.
JUNOSe software supports both the L2TP silent failover method and the L2TP failover protocol method, which is described in Fail Over extensions for L2TP "failover" draft-ietf-l2tpext-failover-06.txt. You can configure L2TP to use the failover protocol method as the primary peer resynchronization method, but then fall back to the silent failover method if the peer does not support the failover protocol method.
The following list highlights differences between the failover protocol and silent failover peer resynchronization methods:
- With the L2TP failover protocol method, both endpoints must support the method or recovery always fails. The L2TP failover protocol method also requires a non-failed endpoint to wait an additional recovery time period while the failed endpoint is recovering to prevent the non-failed endpoint from prematurely disconnecting the tunnel. The additional recovery period makes L2TP less responsive to the loss of tunnel connectivity.
- Silent failover operates entirely within the failed endpoint and does not require non-failed endpoint support; this improves interoperability between peers. Silent failover does not require additional recovery time by the non-failed endpoint, which also eliminates the potential for degraded responsiveness to the loss of tunnel connectivity.
NOTE: L2TP silent failover is not supported on E3 ATM and CT1 line modules in peer-facing configurations.
You can use the CLI or RADIUS to configure the resynchronization method for your router.
Configuring Peer Resynchronization for L2TP Host Profiles and AAA Domain Map Tunnels
The JUNOSe CLI enables you to configure the peer resynchronization method globally, for a host profile, or for a domain map tunnel. A host profile or domain map tunnel configuration takes precedence over the global peer resynchronization configuration.
When you change the peer resynchronization method, the change is not immediately applied to existing tunnels. Tunnels continue using their current resynchronization method until the next time the tunnel is reestablished.
Use the failover-resync command to configure the L2TP peer resynchronization method for L2TP host profiles and AAA domain map tunnels. This command takes precedence over the global peer resynchronization configuration.
Choose one of the following keywords to specify the peer resynchronization method:
- failover-protocol: The tunnel uses the L2TP failover protocol method. If the peer non-failed endpoint does not support the L2TP failover protocol, a failover forces disconnection of the tunnel and all of its sessions.
- failover-protocol-fallback-to-silent-failover: The tunnel uses the L2TP failover protocol method; however, if the peer non-failed endpoint does not support the L2TP failover protocol method, the tunnel falls back to using the silent failover method.
- silent-failover: The tunnel uses the silent failover method. The tunnel also informs its peer that it supports the failover protocol method for the peer's failovers.
- disable: The tunnel does not use any peer resynchronization method for its own failovers. The tunnel informs its peer that it supports the failover protocol method for the peer's failovers. A failover forces the disconnection of the tunnel and all of its sessions.
- not-configured: Peer resynchronization is not configured for L2TP host profiles and AAA domain map tunnels. L2TP uses the global failover method.
By default, peer resynchronization is not configured at the L2TP profile level or the domain map level; therefore, the global configuration is used. This is different from using the disable keyword, which specifies that no peer resynchronization method is used.
Use the show l2tp destination profile command to display a host profile's peer resynchronization configuration and the show aaa domain-map command to display a domain map's configuration.
To configure peer resynchronization for an L2TP host profile:
host1(config)#l2tp destination profile lac-dest ip address 192.168.20.2
host1(config-l2tp-dest-profile)#remote host lac-host
host1(config-l2tp-dest-host-profile-host)#failover-resync silent-failover
To configure peer resynchronization for an AAA domain map tunnel:
host1(config)#aaa domain-map lac-tunnel
host1(config-domain-map)#tunnel 10
host1(config-domain-map-tunnel)#failover-resync silent-failover
Configuring the Global L2TP Peer Resynchronization Method
You can configure the peer resynchronization method globally, or for L2TP host profiles or domain map tunnels; a host profile or domain map tunnel configuration takes precedence over the global peer resynchronization configuration.
When you change the peer resynchronization method, the change is not immediately applied to existing tunnels. Tunnels continue using their current resynchronization method until the next time the tunnel is reestablished.
Use the l2tp failover-resync command to configure the global L2TP peer resynchronization method that L2TP failed endpoints use to resynchronize with a peer non-failed endpoint.
Choose one of the following keywords to specify the peer resynchronization method. All tunnels in the chassis use the specified method unless it is overridden by an L2TP host profile configuration or an AAA domain map configuration.
- failover-protocol: Tunnels use the L2TP failover protocol method. If the peer non-failed endpoint does not support the L2TP failover protocol, a failover forces disconnection of all tunnels and their sessions.
- failover-protocol-fallback-to-silent-failover: Tunnels use the L2TP failover protocol method; however, if the peer non-failed endpoint does not support the L2TP failover protocol method, the tunnel falls back to using the silent failover method.
- silent-failover: Tunnels use the silent failover method. The tunnels also inform their peers that they support the failover protocol method for peer failovers.
- disable: Tunnels do not use any peer resynchronization method for their own failovers. Tunnels inform their peers that they support the failover protocol method for peer failovers. A failover forces the disconnection of all tunnels and sessions.
Use the show l2tp command to display the global peer resynchronization configuration.
To configure silent failover as the global peer resynchronization method:
host1(config)#l2tp failover-resync silent-failover
To restore the global default setting, which uses the failover-protocol-fallback-to-silent-failover method:
host1(config)#default l2tp failover-resync
To disable peer resynchronization, use the no version of the command; this is the same as using the disable keyword:
host1(config)#no l2tp failover-resync
Using RADIUS to Configure Peer Resynchronization
The JUNOSe software supports the use of RADIUS to configure the L2TP peer resynchronization method used by your L2TP tunnels. You use the L2TP-Resynch-Method RADIUS attribute (VSA 26-90) in RADIUS Access-Accept messages to specify the L2TP peer resynchronization method.
Table 66 describes the L2TP-Resynch-Method RADIUS attribute. For more information about RADIUS Access-Accept messages, see Chapter 3, Configuring RADIUS Attributes. For more information about the L2TP-Resynch-Method attribute, see Appendix 6, RADIUS Attribute Descriptions.
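The following Python example is added here to illustrate two things the text above describes but does not show on the wire: how the L2TP-Resynch-Method value (VSA 26-90) is carried inside a RADIUS Vendor-Specific attribute in an Access-Accept, and how the configured keyword determines the recovery outcome after a failover (including the profile/domain-map override of the global setting and the fallback to silent failover when the peer lacks failover protocol support). It is not JUNOSe code or Juniper's RADIUS implementation. The Juniper enterprise number 4874 and the RFC 2865 attribute layout are standard; the numeric encodings for the four keyword values are an assumption taken from the vendor RADIUS dictionary, since Table 66 is not reproduced on this page. The decoder rejects malformed lengths and undefined values rather than silently accepting them.

```python
import struct
from typing import Optional

# Juniper Networks (ERX/JUNOSe) IANA enterprise number carried in the Vendor-Id field.
JUNIPER_VENDOR_ID = 4874
# Vendor-type of L2TP-Resynch-Method inside RADIUS attribute 26 ("VSA 26-90").
L2TP_RESYNCH_METHOD_TYPE = 90

# ASSUMPTION: integer encodings follow the vendor RADIUS dictionary; the page
# itself defers to Table 66 for these values.
RESYNCH_METHOD_VALUES = {
    "disable": 0,
    "failover-protocol": 1,
    "failover-protocol-fallback-to-silent-failover": 2,
    "silent-failover": 3,
}
RESYNCH_METHOD_NAMES = {v: k for k, v in RESYNCH_METHOD_VALUES.items()}


def encode_l2tp_resynch_method(method: str) -> bytes:
    """Build a RADIUS Vendor-Specific attribute (type 26) carrying L2TP-Resynch-Method.

    Layout per RFC 2865 section 5.26:
      Type=26 | Length | Vendor-Id (4 bytes) | Vendor-Type | Vendor-Length | Value (4 bytes)
    """
    value = RESYNCH_METHOD_VALUES[method]
    # Vendor-Length covers vendor-type, vendor-length and the 4-byte integer value.
    vendor_data = struct.pack("!BBI", L2TP_RESYNCH_METHOD_TYPE, 6, value)
    body = struct.pack("!I", JUNIPER_VENDOR_ID) + vendor_data
    return struct.pack("!BB", 26, 2 + len(body)) + body


def decode_l2tp_resynch_method(attr: bytes) -> Optional[str]:
    """Return the keyword carried by a Juniper VSA 26-90, or None if this attribute is something else.

    Raises ValueError on malformed lengths or an undefined value so that a
    receiver never reads past the buffer or applies an unknown method.
    """
    if len(attr) < 2 or attr[0] != 26:
        return None
    length = attr[1]
    if length != len(attr) or length < 12:
        raise ValueError("bad Vendor-Specific attribute length")
    vendor_id = struct.unpack("!I", attr[2:6])[0]
    if vendor_id != JUNIPER_VENDOR_ID:
        return None
    vendor_type, vendor_len = attr[6], attr[7]
    if vendor_type != L2TP_RESYNCH_METHOD_TYPE:
        return None
    # Type(1) + Length(1) + Vendor-Id(4) = 6 bytes precede the vendor data.
    if vendor_len != 6 or 6 + vendor_len != length:
        raise ValueError("bad Vendor-Length for L2TP-Resynch-Method")
    value = struct.unpack("!I", attr[8:12])[0]
    if value not in RESYNCH_METHOD_NAMES:
        raise ValueError(f"undefined L2TP-Resynch-Method value {value}")
    return RESYNCH_METHOD_NAMES[value]


def effective_method(global_method: str, tunnel_method: str = "not-configured") -> str:
    """Apply the precedence rule: a host profile or domain map tunnel setting
    overrides the global setting unless it is left at not-configured."""
    if tunnel_method == "not-configured":
        return global_method
    return tunnel_method


def recovery_outcome(method: str, peer_supports_failover_protocol: bool) -> str:
    """What happens to a tunnel after this endpoint fails over, per the keyword semantics above."""
    if method == "failover-protocol":
        return "failover-protocol" if peer_supports_failover_protocol else "tunnel-disconnected"
    if method == "failover-protocol-fallback-to-silent-failover":
        return "failover-protocol" if peer_supports_failover_protocol else "silent-failover"
    if method == "silent-failover":
        # Operates entirely within the failed endpoint; peer support is irrelevant.
        return "silent-failover"
    if method == "disable":
        return "tunnel-disconnected"
    raise ValueError(f"unknown peer resynchronization method {method!r}")


if __name__ == "__main__":
    # Constructed sample: the attribute a RADIUS server would place in Access-Accept.
    attr = encode_l2tp_resynch_method("silent-failover")
    print(attr.hex(), decode_l2tp_resynch_method(attr))
    method = effective_method("failover-protocol", decode_l2tp_resynch_method(attr))
    print(method, recovery_outcome(method, peer_supports_failover_protocol=False))
```

The precedence helper only models the override the text states (profile or domain map over global); it does not rank a host profile against a domain map tunnel, because the page does not specify that ordering.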