load balancing/failover on pix firewall for ipsec vpn connectivity

Unanswered Question
Feb 11th, 2004
Is there a way to configure 2 pix at remote end from 2 different ISP connecting to a vpn concentrator such that they can load balance the traffic or, if not, one pix automatically serves as failover when the other pix is down?

Thanks for any replies received


I suppose the ISPs provide some type of WAN connection. PIXen do not support WAN interfaces, so they should not need to have different IPs on their external interfaces.

The PIXen have no way to load balance traffic. You should use an external load balancer for this, but the firewalls would not be able to synchronize their state tables (they would work as completely independent firewalls). If one of them failed, the connections through it would be lost.

You can have an active/passive configuration, with the two firewalls sharing one configuration file. The passive firewall is not able to route traffic, and it only serves as a backup for the active one. As they share the same configuration, you must have their interfaces connected to the same IP networks.

I suppose your best bet is to place a pair of routers with BGP for connecting to the 2 ISP (both of them should publish routes to your public addresses), and to put the PIXen behind them in an active/passive configuration.

Hope it helps.

gyth Thu, 02/12/2004 - 17:44
Hi Jose

Thanks for the reply, seems very interesting. The setup here is different. I have an ADSL modem and a leased line coming out of the 2 ISP and terminating on my firewall. So the first firewall connects to an ADSL modem which connects to the IP. The 2nd firewall connects to a router and then to ISP. Any ideas?

