Redundant Site to Site VPN Pix/ASA

Answered Question
Feb 1st, 2008

Hi All,

I have a site which has two peer endpoints and wants one of them to be redundant. I know it's possible to configure on the crypto map more than one peer.

Is there a configuration feature like DPD available on the PIX/ASA? The version running on the PIX is 7.2.3.



Correct Answer by acomiskey about 9 years 5 months ago

See here under usage guidelines...

Connection type needs to be originate-only as well, which means the far end must be answer-only.

I also don't think you need to create separate tunnel groups, but I could be wrong.

Overall Rating: 5 (1 ratings)
jackwikinski Fri, 02/01/2008 - 08:50


Thanks for your answer.

In essence my config should look something like this:

! <seq>, <peer-one> and <peer-two> are placeholders

crypto map pix <seq> match address 101

crypto map pix <seq> set peer <peer-one>

crypto map pix <seq> set peer <peer-two>

crypto map pix <seq> set transform-set myset

tunnel-group <peer-one> type ipsec-l2l

tunnel-group <peer-one> ipsec-attributes

isakmp keepalive threshold 10 retry 2

tunnel-group <peer-two> type ipsec-l2l

tunnel-group <peer-two> ipsec-attributes

isakmp keepalive threshold 10 retry 2
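The configuration discussed in this thread written out for both ends, as an added example that is not part of either post: the initiating side lists both peers with originate-only, and each far end is answer-only. The addresses (RFC 5737 documentation ranges), sequence number 10, interface name `outside`, the far-end map name `remote` and the pre-shared-key placeholders are assumptions; the per-peer tunnel groups follow the poster's draft.

```cisco
! Added example, not from the thread. Placeholders:
!   203.0.113.1   = this PIX/ASA (the initiator)
!   192.0.2.1     = first remote peer
!   198.51.100.1  = second (backup) remote peer
!
! ===== Initiating PIX/ASA 7.2 =====
crypto map pix 10 match address 101
! Peers are tried in the order listed
crypto map pix 10 set peer 192.0.2.1 198.51.100.1
crypto map pix 10 set connection-type originate-only
crypto map pix 10 set transform-set myset
crypto map pix interface outside
!
tunnel-group 192.0.2.1 type ipsec-l2l
tunnel-group 192.0.2.1 ipsec-attributes
 pre-shared-key <shared-secret-1>
 ! IKE keepalive (DPD): threshold 10 s, retry interval 2 s
 isakmp keepalive threshold 10 retry 2
!
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <shared-secret-2>
 isakmp keepalive threshold 10 retry 2
!
! ===== Each remote peer (assuming it is also a PIX/ASA 7.x) =====
! ACL 101 here must mirror the initiator's ACL 101
crypto map remote 10 match address 101
crypto map remote 10 set peer 203.0.113.1
crypto map remote 10 set connection-type answer-only
crypto map remote 10 set transform-set myset
crypto map remote interface outside
!
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key <shared-secret-for-this-peer>
 isakmp keepalive threshold 10 retry 2
```

After a failover test, `show crypto isakmp sa` on the initiator shows which peer currently holds the tunnel.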



