VPN failover

vinoth.kumar
Level 1

Hi,

We have the below setup for our network:

SITE A        SITE B
  |             |VPN
  |VPN          |
ISP 1         ISP 2
  |             |
  R1            R2
  |             |
  FW            FW
-----------------------------------------
lan subnet 192.168.1.0 /24

We need failover for the VPN connection from our LAN subnet. Please suggest some deployment ideas.

Regards

8 Replies

Collin Clark
VIP Alumni

cchughes
Level 1

I was just reading about active/active failover on cco and it says that vpn is not supported by active/active failover. You'll need to concentrate on active/standby failover.

Active/Active is supported for SSL VPN termination. Active/Active is NOT supported for L2L VPN or remote access VPN.

Thanks for your reply

OK, fine. From my LAN, that is 192.168.151.0/24, I need to reach the remote destination 10.254.254.1/24 through the VPN.

Consider that we have two internet links, A and B, and from both links we have established a VPN to the remote peer X, allowing the remote private IP subnet 10.254.254.1/24.

My question is: how can I automatically redirect the traffic to reach my destination private network over the other link if one link goes down?

Regards,

Vinoth

I have the same requirement. I'm seeing that I need to go active/standby to accomplish this. I'd prefer to go active/active so I'll be watching and updating this thread as I progress.

If anyone knows of a trick to support site-site vpn in an active/active mode please inform us.

Thanks.

You need to understand this:

Cisco Active/Active is very misleading.

Active/Active in Cisco means that it will load-share traffic for different sources, not the same source. For example, let's say you want to send a 50 Mbps stream from source X to source Y. You want to split 50 Mbps between PixA and PixB. That is not possible in Cisco Active/Active mode.

I don't know of a trick to support s2s VPN in Active/Active mode; however, I know that Checkpoint has been able to do this since 2003 and I am using it now as we speak.

Understood. When I say "tricks" I was thinking of techniques or architectures that would allow me to utilize both ASAs and not have one in standby. Since IPsec VPN is not supported at all in active/active, I'm considering using a router behind the ASAs to terminate the tunnels and allowing the tunnel through the ASAs. The problem I see with that is a single point of failure. Still searching...

Thanks

But I am not clear on the above point.

What I am asking is: I have a peer X, which is a SonicWall firewall connected with two ISP links, for example A and B.

They need redundancy for the peer Y, which is my PIX firewall, through VPN in active/standby mode.

Is it possible from my PIX firewall to have two peer IPs for the same crypto map in active/standby?

Thanks,

vinu
