03-03-2004 08:51 AM
I can see this on the PIX515E data sheet:
"Simultaneous VPN tunnels: 2000"
What does it mean?
And the "show version" command on the PIX515E:
"KE Peers : Unlimited"
What does this mean?
My problem is that I cannot enter more than 40 peer lines on the PIX.
03-03-2004 07:42 PM
Simultaneous tunnels means that the PIX can support 2000 L2L or client VPNs at one point. Actually this is not a set limit, but is based on testing and where we think the PIX will remain in a stable condition. If you're pushing tons of traffic through each tunnel then the number should be much lower.
As for your problem of entering no more than 40 peers, are you trying to do the following:
access-list 100 permit
crypto map mymap 10 match address 100
crypto map mymap 10 set peer
crypto map mymap 10 set peer
crypto map mymap 10 set peer
.....
crypto map mymap 10 set peer
If so then what this does is set up 39 BACKUP peers for
If what you really want is 40 different peers for 40 different traffic types, then you configure it like this:
access-list 100 permit
crypto map mymap 10 match address 100
crypto map mymap 10 set peer
...
access-list 101 permit
crypto map mymap 11 match address 101
crypto map mymap 11 set peer
...
access-list 102 permit
crypto map mymap 12 match address 102
crypto map mymap 12 set peer
...
...
access-list 139 permit
crypto map mymap 50 match address 139
crypto map mymap 50 set peer
Note how there are 40 different ACLs; these specify your different traffic to each remote site. There are also 40 different instances of the "mymap" crypto map (numbered 10 to 50). Finally, each instance references a different ACL for the different peers.
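An added config check, not part of this thread or of any Cisco tool, that parses a constructed PIX-style snippet and reports, per crypto map instance, which peer is primary and which are backups, so the "all peers stacked into one instance" mistake described above shows up at a glance. The sample addresses and ACL contents are made up for the example.

```python
import re
from collections import OrderedDict

# Constructed PIX-style snippet (not from the thread): instance 10 stacks three
# peers, so only 192.0.2.10 is primary and the other two are backups for ACL 100.
SAMPLE_CONFIG = """\
access-list 100 permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list 101 permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 192.0.2.10
crypto map mymap 10 set peer 192.0.2.11
crypto map mymap 10 set peer 192.0.2.12
crypto map mymap 11 match address 101
crypto map mymap 11 set peer 198.51.100.5
crypto map mymap 12 set peer 203.0.113.7
"""

ACL_RE = re.compile(r"^access-list (\S+) permit\b")
MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")

def parse_config(config):
    """Return (acls, entries): ACL ids seen, and per (map, seq) the matched ACL and peers in order."""
    acls, entries = set(), OrderedDict()
    for raw in config.splitlines():
        line = raw.strip()
        if m := ACL_RE.match(line):
            acls.add(m.group(1))
        elif m := MATCH_RE.match(line):
            entries.setdefault((m.group(1), int(m.group(2))), {"acl": None, "peers": []})["acl"] = m.group(3)
        elif m := PEER_RE.match(line):
            entries.setdefault((m.group(1), int(m.group(2))), {"acl": None, "peers": []})["peers"].append(m.group(3))
    return acls, entries

def summarize(acls, entries):
    """Per instance: primary peer (first 'set peer'), backup peers, and audit findings."""
    report = OrderedDict()
    for key, e in entries.items():
        findings = []
        if len(e["peers"]) > 1:
            findings.append("extra peers are BACKUPS for the same ACL, not separate sites")
        if e["acl"] is None:
            findings.append("no 'match address': instance selects no traffic")
        elif e["acl"] not in acls:
            findings.append(f"ACL {e['acl']} is not defined")
        report[key] = {"acl": e["acl"], "primary": e["peers"][0] if e["peers"] else None,
                       "backups": e["peers"][1:], "findings": findings}
    return report
```

Run `summarize(*parse_config(SAMPLE_CONFIG))` against a real `show running-config` dump to list every instance with its primary, its backups and any findings.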
03-07-2004 03:04 AM
Hi Glenn.
Thank you, as your reply is the answer to a question I stated some time ago... so ok, the Pix accepts several set peer statements in a single crypto map entry and will treat the first peer as the primary and the other one(s) as backup.
Now my question is: how can the Pix firewall detect a peer's failure and trigger the switchover? Does the Pix implement IKE keepalive or DPD?
Thank you
michele
03-08-2004 10:02 PM
Yes, the PIX implements DPD to detect that an existing peer has gone down. If it then cannot rebuild the tunnel, after around 30 seconds (I believe), it will then go to the next peer under the same crypto map instance (if one exists).