VPN failover

Unanswered Question
Dec 27th, 2008


We have below setup for the our network


| |VPN

|VPN |


| |

R1 R2

| |



lan subnet /24

We need a failover for the vpn Connection from our LAN subnet pls suggest me some deployment ideds


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
cchughes Mon, 01/05/2009 - 11:18

I was just reading about active/active failover on cco and it says that vpn is not supported by active/active failover. You'll need to concentrate on active/standby failover.

cisco24x7 Mon, 01/05/2009 - 12:06

Active/Active is supported for SSL VPN

termination. Active/Active is NOT supported

for L2L VPN or remote access VPN.

vinoth.kumar Tue, 01/06/2009 - 23:24

Thanks for your reply

ok fine from my lan that is if i need to reach remote destination through VPN

consider we have two internet link that is A and B from both the link we have established VPN to Remote PEER that is X allowing the remote private ip subnet

My question is how i can automatically redirect the traffic to reach my destination private network if one link goes down to other link



cchughes Wed, 01/07/2009 - 09:07

I have the same requirement. I'm seeing that I need to go active/standby to accomplish this. I'd prefer to go active/active so I'll be watching and updating this thread as I progress.

If anyone knows of a trick to support site-site vpn in an active/active mode please inform us.


cisco24x7 Wed, 01/07/2009 - 10:14

You need to understand this:

Cisco Active/Active is very mis-leading.

Active/Active in cisco means that it will

load-sharing traffics for different sources,

not the same source. For example, let say

you want to send a 50Mbps stream from source X

to source Y. You want to split 50mbps between

PixA and PixB. That is not possible in

cisco Active/Active mode.

I don't know of a trick to support s2s vpn in

Active/active mode; however, I know that

checkpoint can do this since 2003 and I am

using it now as we speak.

cchughes Wed, 01/07/2009 - 10:51

Understood. When i say "tricks" I was thinking of techniques or architectures that would allow me to utilize both ASA's and not having one in standby. Since ipsec vpn is not supported at all in active/active, I'm considering using a router behind the ASA's to terminate the tunnels and allow the tunnel thru the ASA's. The problem i see with that is single point of failure. Still searching...

vinoth.kumar Mon, 01/19/2009 - 07:59


But iam not clear on above point

What i am asking is i have a peer X which is sonic wall firewall connected with the two ISP link for example A and B

They need reduanacy for the peer Y which is my PIX firewall through VPN in active /standby mode

Is it possible from my PIX firewall to have two Peer IP for the same crypto map in active/standby




This Discussion