PIX VPN Redundancy

Unanswered Question

Hey guys,

I wonder if you can help me out with something that seems strange to me. I've got a PIX failover pair with VPNs to two 6500 switches at our colocation. They use the same crypto map but different sequence numbers. This works fine and both come up, but what seems to happen is that the far end initiates one and the near end the other.

That's cool, as traffic seems to pass from near to far down one tunnel and vice versa via the other tunnel. My problem comes when one goes down, as the PIX only ever wants to route outbound packets down the first tunnel in the list. So, if this is the one that's down, then it doesn't bother using the second one!

Is there a way I can fix this? I know I could just use two peers in the same crypto map statement, but then I wouldn't benefit from using both switches at the far end and spreading the load...

Here's what I have:

! Crypto map "test": two entries, same crypto ACL, one peer each
crypto map test 20 match address test
crypto map test 20 set peer 192.168.0.100
crypto map test 20 set transform-set test
crypto map test 20 set security-association lifetime seconds 28800
crypto map test 20 set security-association lifetime kilobytes 4608000
crypto map test 30 match address test
crypto map test 30 set peer 192.168.2.100
crypto map test 30 set transform-set test
crypto map test 30 set security-association lifetime seconds 28800
crypto map test 30 set security-association lifetime kilobytes 4608000
crypto map test interface outside
! IKE phase 1
isakmp enable outside
isakmp policy 1 authentication pre-share
isakmp policy 1 encryption 3des
isakmp policy 1 hash md5
isakmp policy 1 group 2
isakmp policy 1 lifetime 86400
! One L2L tunnel-group per peer
tunnel-group 192.168.0.100 type ipsec-l2l
tunnel-group 192.168.0.100 ipsec-attributes
 pre-shared-key *
tunnel-group 192.168.2.100 type ipsec-l2l
tunnel-group 192.168.2.100 ipsec-attributes
 pre-shared-key *
! Crypto ACL shared by both map entries
access-list test line 1 extended permit ip 10.1.0.0 255.255.0.0 10.10.0.0 255.255.0.0

From show crypto isakmp sa:

1   IKE Peer: 192.168.0.100
    Type    : L2L             Role    : initiator
    Rekey   : no              State   : MM_ACTIVE
2   IKE Peer: 192.168.2.100
    Type    : L2L             Role    : responder
    Rekey   : no              State   : MM_ACTIVE

Thanks for any help!

Anthony
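The behaviour Anthony describes follows from how the PIX chooses a crypto map entry for outbound traffic: entries are walked in sequence-number order and the first one whose match ACL covers the packet is used, so with the same ACL on entries 20 and 30, entry 30 is never selected to initiate. The configuration below is an added example, not part of the original post and not a reply from the thread, showing two ways to rearrange the same crypto map so that a dead peer is bypassed. The split of the far-side 10.10.0.0/16 into two /17s, the ACL names test-a and test-b and the keepalive values are assumptions made for illustration; the crypto ACLs on the two 6500s would have to be changed to mirror whichever option is used.

```cisco
! Added example, not the original poster's configuration. Assumes the
! far-side 10.10.0.0/16 can be split into 10.10.0.0/17 and 10.10.128.0/17
! and that the 6500s' crypto ACLs mirror those halves. Apply ONE of the
! two options; both are written against map "test" only for comparison.
!
! --- Option A: failover only (the approach the post considered) ---
! One entry, two peers. The PIX starts IKE with the first peer and moves
! to the next one when that peer does not respond. All traffic rides one
! tunnel at a time, so there is no load spreading.
crypto map test 20 match address test
crypto map test 20 set peer 192.168.0.100 192.168.2.100
crypto map test 20 set transform-set test
crypto map test 20 set security-association lifetime seconds 28800
crypto map test 20 set security-association lifetime kilobytes 4608000
crypto map test interface outside
!
! --- Option B: load spreading with failover ---
! Two non-overlapping crypto ACLs, one per entry, each entry listing both
! peers in a different order. Traffic for the first /17 prefers
! 192.168.0.100, traffic for the second /17 prefers 192.168.2.100, and
! each half falls back to the other 6500 if its preferred peer is down.
! The ACLs must not overlap: a packet matching both would again be taken
! only by the lower sequence number.
access-list test-a extended permit ip 10.1.0.0 255.255.0.0 10.10.0.0 255.255.128.0
access-list test-b extended permit ip 10.1.0.0 255.255.0.0 10.10.128.0 255.255.128.0
!
crypto map test 20 match address test-a
crypto map test 20 set peer 192.168.0.100 192.168.2.100
crypto map test 20 set transform-set test
crypto map test 20 set security-association lifetime seconds 28800
crypto map test 20 set security-association lifetime kilobytes 4608000
!
crypto map test 30 match address test-b
crypto map test 30 set peer 192.168.2.100 192.168.0.100
crypto map test 30 set transform-set test
crypto map test 30 set security-association lifetime seconds 28800
crypto map test 30 set security-association lifetime kilobytes 4608000
crypto map test interface outside
!
! Either option only helps if the PIX notices that a peer is dead.
! IKE keepalives (DPD) per tunnel-group make that detection prompt;
! the threshold/retry values are illustrative.
tunnel-group 192.168.0.100 ipsec-attributes
 isakmp keepalive threshold 10 retry 2
tunnel-group 192.168.2.100 ipsec-attributes
 isakmp keepalive threshold 10 retry 2
```

To test, shut down the crypto side of one 6500 and watch show crypto isakmp sa and show crypto ipsec sa on the PIX: with option B, the entry that preferred the dead peer should bring up phase 1 with the surviving peer within roughly threshold plus retries seconds. Be aware that with a peer list the PIX does not return to the preferred peer on its own once it comes back; the SA to the backup stays in use until it expires or is cleared, so plan a clear crypto ipsec sa (or wait for the lifetime) after a failover test if the preferred split matters.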
