
VPN failover

vinoth.kumar
Level 1

Hi,

We have the below setup for our network:

    SITE A        SITE B
      |             | VPN
      | VPN         |
    ISP 1         ISP 2
      |             |
     R1            R2
      |             |
     FW            FW
    -----------------------------------------
    LAN subnet 192.168.1.0/24

We need failover for the VPN connection from our LAN subnet. Please suggest some deployment ideas.

Regards

8 Replies

Collin Clark
VIP Alumni

cchughes
Level 1

I was just reading about active/active failover on CCO and it says that VPN is not supported by active/active failover. You'll need to concentrate on active/standby failover.

Active/Active is supported for SSL VPN termination. Active/Active is NOT supported for L2L VPN or remote access VPN.

Thanks for your reply

OK, fine. Say that from my LAN, that is 192.168.151.0/24, I need to reach the remote destination 10.254.254.1/24 through VPN.

Consider that we have two internet links, A and B, and from both links we have established a VPN to the remote peer X, allowing the remote private IP subnet 10.254.254.1/24.

My question is: how can I automatically redirect the traffic to reach my destination private network over the other link if one link goes down?

Regards,

Vinoth

I have the same requirement. I'm seeing that I need to go active/standby to accomplish this. I'd prefer to go active/active so I'll be watching and updating this thread as I progress.

If anyone knows of a trick to support site-site vpn in an active/active mode please inform us.

Thanks.

You need to understand this:

Cisco Active/Active is very misleading. Active/Active in Cisco means that it will load-share traffic for different sources, not the same source. For example, let's say you want to send a 50 Mbps stream from source X to source Y. You want to split 50 Mbps between PixA and PixB. That is not possible in Cisco Active/Active mode.

I don't know of a trick to support s2s VPN in Active/Active mode; however, I know that Checkpoint has been able to do this since 2003 and I am using it now as we speak.

Understood. When I say "tricks" I was thinking of techniques or architectures that would allow me to utilize both ASAs and not have one in standby. Since IPsec VPN is not supported at all in active/active, I'm considering using a router behind the ASAs to terminate the tunnels and allow the tunnel through the ASAs. The problem I see with that is a single point of failure. Still searching...

Thanks

But I am not clear on the above point.

What I am asking is this: I have a peer X, which is a SonicWall firewall, connected to two ISP links, for example A and B.

They need redundancy for the peer Y, which is my PIX firewall, through VPN in active/standby mode.

Is it possible from my PIX firewall to have two peer IPs for the same crypto map in active/standby?

Thanks,

vinu
