IPSEC redundancy for the remote site (ASA-PIX)

Unanswered Question
Sep 24th, 2008


I have a design question regarding IPSEC VPN redundancy.

I'm using 2 pix515 (6.3.5) on the central site (with 1 ISP for each) and 1 ASA 5510 (7.2.4) on the remote site (1 ISP).

The remote site establishes the tunnel to the main site on PIX1. If the PIX1 is not available the ASA tries PIX2.

(crypto map CRYPTO set peer IP1 IP2)

It appears to work, but I would like to know the limitations of that kind of design, and how it works precisely.

If both PIX are up (which is the case), which PIX does the ASA choose? (routing issue on the central site?)

If both PIX are up, what makes the ASA decide to send through VPN 1 or 2?

Thank you for your answer

Marwan ALshawi Wed, 09/24/2008 - 02:40

I can guess you use one crypto map with two sequence numbers, for example

crypto map CRYPTO 10

crypto map CRYPTO 20

this way you will manually choose which PIX will be the primary and which one the secondary

when the first one is down the link will start the connection with the second

the limitation of this way is that the ASA should restart the tunnel, so if there was an active session the session needs to be restarted

but it is operational

good luck

if helpful, rate

alraycisco Wed, 09/24/2008 - 02:44

What would be the result if both are up? Would they both be tunnelling traffic for the same remote subnet?

rdubo Wed, 09/24/2008 - 02:45

I use just one crypto map...

crypto map CRYPTO_MAP 20 match address ACL_CRYPTO

crypto map CRYPTO_MAP 20 set peer Pub_IP_1 Pub_IP_2

crypto map CRYPTO_MAP 20 set transform-set ESP-3DES-MD5

I assume it uses the IPs in order... maybe I am wrong...

Marwan ALshawi Wed, 09/24/2008 - 02:48

it should do that

the same idea

if both are up the first one will be chosen

the same if you use one map with two sequence numbers
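Editor's note, added to this thread and not part of any poster's configuration: the snippets below show the complete three-box setup the thread is describing (one crypto map entry on the remote ASA 7.2 listing both central peers, and a mirrored static crypto map on each central PIX 6.3), plus the keepalive (DPD) commands that make the "first peer down, try the second" behaviour happen in seconds rather than only at the next failed IKE negotiation. All addresses are RFC 5737 documentation ranges and the pre-shared keys are placeholders; the access-list, transform-set and crypto map names are rdubo's, the peer ordering and keepalive values are assumptions chosen for the example, and the ESP-3DES-MD5 transform set is kept as posted (it is what those platforms offered in 2008, not a recommendation).

```cisco
! ---- Remote site: ASA 5510, 7.2.4 (added example; addresses are placeholders)
! Remote LAN 192.168.10.0/24, central LAN 10.0.0.0/24
! Peers are tried top to bottom: 198.51.100.1 (PIX1) first, 203.0.113.1 (PIX2) second.
access-list ACL_CRYPTO extended permit ip 192.168.10.0 255.255.255.0 10.0.0.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map CRYPTO_MAP 20 match address ACL_CRYPTO
crypto map CRYPTO_MAP 20 set peer 198.51.100.1 203.0.113.1
crypto map CRYPTO_MAP 20 set transform-set ESP-3DES-MD5
crypto map CRYPTO_MAP interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash md5
 group 2
 lifetime 86400
! One tunnel-group per peer; the DPD keepalive is what detects a dead PIX quickly.
! threshold = idle seconds before a DPD probe, retry = seconds between probes.
tunnel-group 198.51.100.1 type ipsec-l2l
tunnel-group 198.51.100.1 ipsec-attributes
 pre-shared-key <KEY-PIX1>
 isakmp keepalive threshold 10 retry 3
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 pre-shared-key <KEY-PIX2>
 isakmp keepalive threshold 10 retry 3

! ---- Central site: PIX1 515, 6.3.5 (outside 198.51.100.1)
! PIX2 is identical except for its own outside address and ISP default route.
access-list ACL_CRYPTO permit ip 10.0.0.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map CRYPTO 10 ipsec-isakmp
crypto map CRYPTO 10 match address ACL_CRYPTO
crypto map CRYPTO 10 set peer 192.0.2.1
crypto map CRYPTO 10 set transform-set ESP-3DES-MD5
crypto map CRYPTO interface outside
isakmp enable outside
isakmp key <KEY-PIX1> address 192.0.2.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash md5
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! PIX 6.3 keepalive syntax: isakmp keepalive <seconds> [<retry-seconds>]
isakmp keepalive 10 3
```

What this gives, and its limits, as a practitioner would check them with `show crypto isakmp sa` and `show crypto ipsec sa` on each box: with both PIXes up, the ASA negotiates with the first address listed and all traffic rides that one tunnel; the second peer is only contacted when negotiation with the first fails, or when DPD declares it dead. Once the tunnel has moved to PIX2 there is no preemption: the ASA stays on PIX2 until that SA goes away, and the list is walked from the top again only when a new SA has to be negotiated, so "failback" happens at the next SA lifetime expiry or DPD event, not when PIX1 returns. The part the crypto map does not solve is on the central LAN: both PIXes carry the same crypto ACL for the remote subnet, so inside routing for 192.168.10.0/24 must point at whichever PIX currently holds the tunnel (a static route toward PIX1 alone will black-hole return traffic after a failover to PIX2); that routing arrangement is outside what the thread shows and is the assumption to verify before relying on this design.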
