PIX simultanous VPN Tunnel

cguinnin · ‎03-03-2004

I can see this on the PIX515E data sheet :

"Simultaneous VPN tunnels: 2000"

What does it means ?

And the "show version" command on the PIX515E:

"KE Peers : Unlimited"

what does this means ?

My problem is that i can not enter more than 40 peers lines on the PIX.

gfullage · ‎03-03-2004

Simultaneous tunnels means that the PIX can support 2000 L2L or client VPN's at one point. Actually this is not a set limit, but is based on testing and where we think the PIX will remain in a stable condition. If you're pushing tons of traffic through each tunnel then the number should be much lower.

As for your problem of entering no more than 40 peers, are you trying to do the following:

access-list 100 permit

crypto map mymap 10 match address 100

crypto map mymap 10 set peer

.....

crypto map mymap 10 set peer

If so then what this does is set up 39 BACKUP peers for , and they will only get used if the previous peer is unavailable. For example, when the tunnel comes up for traffic matching ACL 100, the PIX will build it to , if this peer is down then it will try and build the tunnel to , if this is unavailable then it'll try and so on up to . Is this really what you want?

If what you really want is 40 different peers for 40 different traffic types, then you configure it like this:

access-list 100 permit

crypto map mymap 10 match address 100

crypto map mymap 10 set peer

...

access-list 101 permit

crypto map mymap 11 match address 101

crypto map mymap 11 set peer

...

access-list 102 permit

crypto map mymap 12 match address 102

crypto map mymap 12 set peer

...

access-list 139 permit

crypto map mymap 50 match address 139

crypto map mymap 50 set peer

Note how there's 40 different ACL's, these specify your different traffic to each remote site. There's also 40 different instances of the "mymap" crypto map (numbered 10 to 50). Finally each instance references a different ACL for the different peers.

m.laporta · ‎03-07-2004

Hi Glenn.

Thank you, as your reply is the answer to a question I stated some time ago... so ok, the Pix accepts several set peer statements in a single crypto map entry and will treat the first peer as the primary and the other one(s) as backup.

Now my question is: how can the Pix firewall detect a peer's failure and trigger the switchover? Does the Pix implement IKE keepalive or DPD?

Thank you

michele

gfullage · ‎03-08-2004

Yes, the PIX implements DPD to detect that an existing peer has gone down. If it then cannot rebuild the tunnel, after around 30 seconds (I believe), it will then go to the next peer under the same crypto map instance (if one exists).