VPN Tunnels

Unanswered Question
Sep 5th, 2008


I have a PIX firewall at SiteA and a Cisco 1720 router at SiteB. I have setup a VPN tunnel between these 2 sites. I have setup another Cisco 1720 at SiteA for redundancy which connects to a seperate ADSL line.

I would like to setup another VPN tunnel, but between the 1720 at SiteA and the 1720 at SiteB. This Tunnel is only to be used in case the Tunnel between the PIX and the 1720 fails.

What would be the best way of doing this? Would I just configure the crypto map at siteB with a second peer? Or would I create a seperate crypto map altogether? I need this second VPN tunnel to be an active standy tunnel.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
alraycisco Fri, 09/05/2008 - 01:46

As far as I'm aware the PIX doesn't support GRE tunnels, so this setup won't be complete.

That is correct - I made an assumption, that at SiteA you have a layer 3 routing device, that handles all the local IP traffic?

If that is not the case - then my suggestion is not valid, and am not aware of any config in a PIX/ASA that will allow you to have "failover VPN tunnels" AFAIK - this is not possible.


alraycisco Fri, 09/05/2008 - 07:12

Hi, the failover tunnel wouldn't be on the PIX. The only device that would have 2 Tunnels terminating at it would be the 1720 at SiteB. It is possible to specify multiple peers in the crypto map, I was just wondering how well this works in reality. If the first peer doesn't respond, would it then use the second peer to establish the VPN tunnel?

AFAIK - you can only have 1 peer in a crypto map.

A more interesting question would be how the LAN users at SiteA would know which route to take PIX or Router, in the event that the PIX peer was down???

I personally think you need to think about performing the failover at SiteA not siteB.

As you have a pix and a router a SiteA - that is perfect for runnining a dyno routing protocol over VPN-GRE.


alraycisco Sat, 09/06/2008 - 00:03

Hi, crypto maps do accept more than one peer, I'm just not entirely sure of their behaviour.

As things stand the failover between the the PIX and router at siteA would be a manual process i.e. the changing of the default route on the L3 switch.

With the way things are, there is only one WAN connection at at SiteB and 2 at SiteA. So all I was looking for was a way to have 2 tunnels terminate at the SiteB router, with the same network sat behind those 2 tunnels, but for only one of the tunnels to be active.

I do not think that is possible - as how would the device at SiteB know which tunnel to use, also the return traffic could be asymetric.

If you have a L3 switch at SiteA - as I suggested before you can have GRE tunnels, and an dynamic routing protocol runnning to SiteB and between the L3 switch & Router and SiteA.


Richard Burts Sat, 09/06/2008 - 15:20


In configuring IPSec VPN in IOS you certainly can configure more than one peer in a single instance of a crypto map:

set peer x.x.x.x

set peer y,y,y,y

according to the documentation the expected behavior is that the router will form an active peering relationship with the first peer and if that peer fails will form an active peer relationship with the secnd peer (which I believe is the behavior you want). I do not have direct experience with this and so can not say for sure that it does exactly what you want.


According to the docs the second peer will only become active if the first peer fails. So the choice at B is pretty simple. And if the first peer has failed then it does not seem that asymetric paths would be a problem (if the first peer has failed then no traffic can go through that tunnel). But depending on how the routing logic works and how A will determine to which device to forward traffic for B I can see Black Holes being a problem. (and that is why in my implementations where we want redundancy from the remote to 2 devices at HQ I have implemented GRE tunnels running a routing protocol - this makes failover automatic, quick, and accurate).

So - Al, even though I believe that it is possible to configure 2 peers on the router at B I would agree with Andrew that the GRE tunnels with a routing protocol may be a better solution.



alraycisco Sun, 09/07/2008 - 09:51

Hi, I've put together a diagram based on what I've understodd from your comments. The core L3 switch doesn't support dynamic routing protocols and only static routes, so the change of default route would be a manual one. Also, all customer VPN's that terminate on the PIX would need to remain that way.

I've come across the following Cisco config: http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a008019d6f7.shtml, is this the setup you were referring to?

The main thing I'm trying to acheive here is, if the Main WAN goes down at site A, then traffic for customer sites is then passed to siteB (over the backup WAN), which also has the same customer VPN's setup.

With this setup including a mix of GRE tunnels and IPSEC tunnels, I'm not too sure what the OSPF routing entries would include.


Richard Burts Sun, 09/07/2008 - 11:58


The link that you sent is about using DMVPN and that is not what I was talking about. I am not sure that DMVPN is a viable choice with one of the VPN end points being a PIX. Since DMVPN uses GRE as an essential part of its implementation, I believe that it is not supported on the PIX.

What I am talking about is a situation where the PIX at A has a traditional site to site VPN configured to the router at B (the PIX has a single peer configured), the router at A has a traditional site to site VPN configured to the router at B (the router at A has a single peer configured), and the router at B configured a single tunnel (one instance of the crypto map with 2 peers configured.

At one point I worked with a customer where we intended to implement something like this (we used 3 routers and no PIX but I do not think that changes anything significant). I set it up in the lab and had the router at B with 2 peer statements in a single tunnel. It was forming peer relationships. Then we changed the design and decided that it would be better to use 2 tunnels at B, to use GRE with IPSec, and to run a routing protocol over the GRE to take care of the failover.

I have looked at the diagram and find myself a bit confused. The original question was about a router at B attempting to peer to a PIX and a router at A. Now the diagram has A with a PIX, 2 routers, and a layer 3 switch. There is a GRE tunnel from a router at A to B (I assume that this is in addition to the VPN connections), and there is customer traffic which is apparently also VPN. I do not think that I understand the environment well enough to say much about it.



alraycisco Sun, 09/07/2008 - 12:14

Hi, apologies for the confusion, I've actually changed the design based on your earlier comments by adding in another router. So the inter-office VPN's no longer use the PIX and instead run over the 3 Cisco routers. The customer VPN's at site A, however, still terminate at the PIX. I was referring to the Cisco example based on this scenario.

I'm happy to go with the GRE idea with a PIX and 2 Cisco routers at Site A and a Cisco router at Site B. Based on this, would the design I've described in the diagram work?

Richard Burts Sun, 09/07/2008 - 12:45


Your original question was about VPN tunnels between A and B and how to failover. Changing the design so that the PIX is not part of the failover makes it possible to have a single DMVPN GRE tunnel at B with connections to 2 routers at A. In this situation the router at B will effectively communicate with both routers at A. You will need something so that B can decide which router at A it will use as primary or whether to use both routers equally. A dynamic routing protocol like OSPF would help with this.

I do see some issues with the design as represented in the diagram. The routers at A appear to connect only to the WAN and to the layer 3 core switch. And you have previously indicated that the layer 3 core switch does not do dynamic routing and only does static routes. How will the core switch work out when to send data via the PIX, when via the first router and when via the second router?

Also what would happen if B sends data to the first router at A, but the link from that router to the core switch is down? the first router has no way to send the data through the second router (which might still have an active connection to the core switch).

And I believe that the really big issue is that the diagram and your discussion have included customer sites. The diagram indicates that the cusomer sites connect to site A and to site B. So it looks like the real failover question is how do the customer sites failover from A to B. That might work is you make the customer site part of the DMVPN. But DMVPN is not possible if the customer VPN terminates on the PIX.




This Discussion