
New Member

VPN failover

Hi,

We have the below setup for our network:

SITE A      SITE B
  |           |VPN
  |VPN        |
ISP 1       ISP 2
  |           |
  R1          R2
  |           |
  FW          FW
-----------------------------------------

LAN subnet 192.168.1.0/24

We need failover for the VPN connection from our LAN subnet. Please suggest some deployment ideas.

Regards

8 REPLIES

Re: VPN failover

New Member

Re: VPN failover

I was just reading about active/active failover on CCO and it says that VPN is not supported by active/active failover. You'll need to concentrate on active/standby failover.

Silver

Re: VPN failover

Active/Active is supported for SSL VPN termination. Active/Active is NOT supported for L2L VPN or remote access VPN.

New Member

Re: VPN failover

Thanks for your reply

OK, fine. Suppose that from my LAN, which is 192.168.151.0/24, I need to reach the remote destination 10.254.254.1/24 through the VPN.

Consider that we have two Internet links, A and B. From both links we have established a VPN to the remote peer X, allowing the remote private IP subnet 10.254.254.1/24.

My question is: how can I automatically redirect the traffic to the other link to reach my destination private network if one link goes down?

Regards,

Vinoth

New Member

Re: VPN failover

I have the same requirement. I'm seeing that I need to go active/standby to accomplish this. I'd prefer to go active/active so I'll be watching and updating this thread as I progress.

If anyone knows of a trick to support site-to-site VPN in active/active mode, please inform us.

Thanks.

Silver

Re: VPN failover

You need to understand this:

Cisco Active/Active is very misleading. Active/Active in Cisco means that it will load-share traffic for different sources, not the same source. For example, let's say you want to send a 50Mbps stream from source X to source Y. You want to split the 50Mbps between PixA and PixB. That is not possible in Cisco Active/Active mode.

I don't know of a trick to support s2s VPN in Active/Active mode; however, I know that Checkpoint has been able to do this since 2003 and I am using it now as we speak.

New Member

Re: VPN failover

Understood. When I say "tricks" I was thinking of techniques or architectures that would allow me to utilize both ASAs and not have one in standby. Since IPsec VPN is not supported at all in active/active, I'm considering using a router behind the ASAs to terminate the tunnels and allowing the tunnel through the ASAs. The problem I see with that is a single point of failure. Still searching...

New Member

Re: VPN failover

Thanks

But I am not clear on the above point.

What I am asking is this: I have a peer X, which is a SonicWall firewall connected to two ISP links, for example A and B.

They need redundancy for the peer Y, which is my PIX firewall, through VPN in active/standby mode.

Is it possible from my PIX firewall to have two peer IPs for the same crypto map in active/standby?

Thanks,

vinu
