Configuring Peer Resynchronization

The JunosE Software enables you to configure the peer resynchronization method you want the router to use. Peer resynchronization enables L2TP to recover from a router warm start and to allow an L2TP failed endpoint to resynchronize with its peer non-failed endpoint.

L2TP peer resynchronization:

  • Prevents the non-failed endpoint from prematurely terminating a tunnel while the failed endpoint is recovering
  • Reestablishes the sequence numbers required for the operation of the L2TP control protocol
  • Resolves inconsistencies in the tunnel and session databases of the failed endpoint and the non-failed endpoint

To ensure successful peer resynchronization between endpoints, the non-failed endpoint must support a complete RFC-compliant L2TP implementation.

JunosE Software supports both the L2TP silent failover method and the L2TP failover protocol method, which is described in Fail Over extensions for L2TP “failover” draft-ietf-l2tpext-failover-06.txt. You can configure L2TP to use the failover protocol method as the primary peer resynchronization method, but then fall back to the silent failover method if the peer does not support the failover protocol method.

The following list highlights differences between the failover protocol and silent failover peer resynchronization methods:

  • With the L2TP failover protocol method, both endpoints must support the method or recovery always fails. The L2TP failover protocol method also requires a non-failed endpoint to wait an additional recovery time period while the failed endpoint is recovering to prevent the non-failed endpoint from prematurely disconnecting the tunnel. The additional recovery period makes L2TP less responsive to the loss of tunnel connectivity.
  • Silent failover operates entirely within the failed endpoint and does not require non-failed endpoint support—this improves interoperability between peers. Silent failover does not require additional recovery time by the non-failed endpoint, which also eliminates the potential for degraded responsiveness to the loss of tunnel connectivity.

    Note: L2TP silent failover is not supported on E3 ATM and CT1 line modules in peer-facing configurations.

    Note: If an LNS device at one end of an L2TP tunnel encounters a failure and is not configured with the L2TP peer resynchronization method to enable the LNS device to resynchronize with the non-failed endpoint peer (the LAC device at the other end of the tunnel), the tunnel is brought down immediately after the configured value for the number of retransmission attempts is exceeded. The tunnel between the LAC device and the failed LNS device that is recovering is not preserved for the default recovery time period, which is 15 minutes. Instead, the tunnel is terminated immediately and the LAC device sends the Failover Capability attribute-value pair (AVP) in the Stop-Control-Connection-Notification (StopCCN) packet to the original address with a failover recovery time field set to zero.

You can use the CLI or RADIUS to configure the resynchronization method for your router.

  1. Configuring Peer Resynchronization for L2TP Host Profiles and AAA Domain Map Tunnels
  2. Configuring the Global L2TP Peer Resynchronization Method
  3. Using RADIUS to Configure Peer Resynchronization

Configuring Peer Resynchronization for L2TP Host Profiles and AAA Domain Map Tunnels

The JunosE CLI enables you to configure the peer resynchronization method globally, for a host profile, or for a domain map tunnel. A host profile or domain map tunnel configuration takes precedence over the global peer resynchronization configuration.

When you change the peer resynchronization method, the change is not immediately applied to existing tunnels. Tunnels continue using their current resynchronization method until the next time the tunnel is reestablished.

Use the failover-resync command to configure the L2TP peer resynchronization method for L2TP host profiles and AAA domain map tunnels. This command takes precedence over the global peer resynchronization configuration.

Choose one of the following keywords to specify the peer resynchronization method:

  • failover-protocol—The tunnel uses the L2TP failover protocol method. If the peer non-failed endpoint does not support the L2TP failover protocol, a failover forces disconnection of the tunnel and all of its sessions.
  • failover-protocol-fallback-to-silent-failover—The tunnel uses the L2TP failover protocol method; however, if the peer non-failed endpoint does not support the L2TP failover protocol method, the tunnel falls back to using the silent failover method.
  • silent-failover—The tunnel uses the silent failover method. The tunnel also informs its peer that it supports the failover protocol method for the peer’s failovers.
  • disable—The tunnel does not use any peer resynchronization method for its own failovers. The tunnel informs its peer that it supports the failover protocol method for the peer’s failovers. A failover forces the disconnection of the tunnel and all of its sessions.
  • not-configured—Peer resynchronization is not configured for L2TP host profiles and AAA domain map tunnels. L2TP uses the global failover method.

By default, peer resynchronization is not configured at the L2TP profile level or the domain map level, so the global configuration is used. This differs from using the disable keyword, which specifies that no peer resynchronization method is used.

Use the show l2tp destination profile command to display a host profile’s peer resynchronization configuration and the show aaa domain-map command to display a domain map’s configuration.

  • To configure peer resynchronization for an L2TP host profile:
    host1(config)#l2tp destination profile lac-dest ip address 192.168.20.2
    host1(config-l2tp-dest-profile)#remote host lac-host
    host1(config-l2tp-dest-host-profile-host)#failover-resync silent-failover
  • To configure peer resynchronization for an AAA domain map tunnel:
    host1(config)#aaa domain-map lac-tunnel
    host1(config-domain-map)#tunnel 10
    host1(config-domain-map-tunnel)#failover-resync silent-failover

Configuring the Global L2TP Peer Resynchronization Method

You can configure the peer resynchronization method globally, or for L2TP host profiles or domain map tunnels—a host profile or domain map tunnel configuration takes precedence over the global peer resynchronization configuration.

When you change the peer resynchronization method, the change is not immediately applied to existing tunnels. Tunnels continue using their current resynchronization method until the next time the tunnel is reestablished.

Use the l2tp failover-resync command to configure the global L2TP peer resynchronization method that L2TP failed endpoints use to resynchronize with a peer non-failed endpoint.

Choose one of the following keywords to specify the peer resynchronization method. All tunnels in the chassis use the specified method unless it is overridden by an L2TP host profile configuration or an AAA domain map configuration.

  • failover-protocol—Tunnels use the L2TP failover protocol method. If the peer non-failed endpoint does not support the L2TP failover protocol, a failover forces disconnection of all tunnels and their sessions.
  • failover-protocol-fallback-to-silent-failover—Tunnels use the L2TP failover protocol method; however, if the peer non-failed endpoint does not support the L2TP failover protocol method, the tunnel falls back to using the silent failover method.
  • silent-failover—Tunnels use the silent failover method. The tunnels also inform their peers that they support the failover protocol method for peer failovers.
  • disable—Tunnels do not use any peer resynchronization method for their own failovers. Tunnels inform their peers that they support the failover protocol method for peer failovers. A failover forces the disconnection of all tunnels and sessions.

Use the show l2tp command to display the global peer resynchronization configuration.

  • To configure the global peer resynchronization method:
    host1(config)#l2tp failover-resync silent-failover
  • To restore the global default setting, which uses the failover-protocol-fallback-to-silent-failover method:
    host1(config)#default l2tp failover-resync
  • To disable peer resynchronization, use the no version of the command—this is the same as using the disable keyword:
    host1(config)#no l2tp failover-resync

Using RADIUS to Configure Peer Resynchronization

The JunosE Software supports the use of RADIUS to configure the L2TP peer resynchronization method used by your L2TP tunnels. You use the L2TP-Resynch-Method RADIUS attribute (VSA 26-90) in RADIUS Access-Accept messages to specify the L2TP peer resynchronization method.

Table 1 describes the L2TP-Resynch-Method RADIUS attribute. For more information about RADIUS Access-Accept messages, see Subscriber AAA Access Messages Overview. For more information about the L2TP-Resynch-Method attribute, see RADIUS IETF Attributes.

Table 1: L2TP-Resynch-Method RADIUS Attribute

  • Standard Number: [26-90]
  • Attribute Name: L2TP-Resynch-Method
  • Description: L2TP peer resynchronization method
  • Length: 12
  • Subtype Length: 6
  • Value: integer:
      • 0 = disabled
      • 1 = failover protocol
      • 2 = silent failover
      • 3 = failover protocol with silent failover as backup
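
The following Python sketch is an added example, not Juniper code: it encodes and strictly decodes the attribute laid out in Table 1, so that an Access-Accept carrying a wrong length or an undefined value is rejected rather than silently mapped to a method. The vendor ID 4874 is an assumption (the page does not state it), and the function and constant names are illustrative.

```python
import struct

VENDOR_SPECIFIC = 26      # RADIUS attribute type that carries VSAs
JUNOSE_VENDOR_ID = 4874   # assumption: JunosE vendor ID, not stated on the page
RESYNCH_SUBTYPE = 90      # "VSA 26-90" on the page
METHODS = {               # integer values from Table 1
    0: "disabled",
    1: "failover protocol",
    2: "silent failover",
    3: "failover protocol with silent failover as backup",
}

def encode_resynch_method(value):
    """Build the 12-byte attribute: type, length, vendor ID, subtype, subtype length, integer."""
    if value not in METHODS:
        raise ValueError(f"unknown L2TP-Resynch-Method value {value}")
    return struct.pack("!BBIBBI", VENDOR_SPECIFIC, 12, JUNOSE_VENDOR_ID,
                       RESYNCH_SUBTYPE, 6, value)

def find_resynch_method(attributes):
    """Return the method named by the first L2TP-Resynch-Method attribute, or None.

    Assumes one sub-attribute per VSA, which is what Length 12 implies.
    Raises ValueError on malformed input instead of guessing.
    """
    pos = 0
    while pos < len(attributes):
        if len(attributes) - pos < 2:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = attributes[pos], attributes[pos + 1]
        if attr_len < 2 or pos + attr_len > len(attributes):
            raise ValueError("attribute length out of bounds")
        body = attributes[pos + 2:pos + attr_len]
        pos += attr_len
        if attr_type != VENDOR_SPECIFIC or len(body) < 6:
            continue
        vendor_id, subtype, sub_len = struct.unpack("!IBB", body[:6])
        if vendor_id != JUNOSE_VENDOR_ID or subtype != RESYNCH_SUBTYPE:
            continue
        if attr_len != 12 or sub_len != 6:
            raise ValueError("expected Length 12 and Subtype Length 6")
        (value,) = struct.unpack("!I", body[6:10])
        if value not in METHODS:
            raise ValueError(f"undefined method value {value}")
        return METHODS[value]
    return None

# Constructed sample: an unrelated attribute (type 18) followed by the VSA.
SAMPLE_ATTRIBUTES = bytes([18, 4]) + b"ok" + encode_resynch_method(3)
print(find_resynch_method(SAMPLE_ATTRIBUTES))
```
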

Published: 2012-06-27

 