12-27-2008 07:49 PM - edited 03-11-2019 07:29 AM
Hi,
We have the below setup for our network:
   SITE A            SITE B
     |                 | VPN
     | VPN             |
   ISP 1             ISP 2
     |                 |
    R1                R2
     |                 |
    FW                FW
-----------------------------------------
       lan subnet 192.168.1.0 /24
We need a failover for the VPN connection from our LAN subnet. Please suggest some deployment ideas.
Regards
12-29-2008 06:36 AM
Here's a good book that covers multiple redundant designs.
Hope that helps.
01-05-2009 11:18 AM
I was just reading about active/active failover on CCO and it says that VPN is not supported by active/active failover. You'll need to concentrate on active/standby failover.
01-05-2009 12:06 PM
Active/Active is supported for SSL VPN termination. Active/Active is NOT supported for L2L VPN or remote access VPN.
01-06-2009 11:24 PM
Thanks for your reply.
OK, fine. Say from my LAN, that is 192.168.151.0/24, I need to reach the remote destination 10.254.254.1/24 through the VPN.
Consider that we have two internet links, A and B, and from both links we have established a VPN to the remote peer X, allowing the remote private IP subnet 10.254.254.1/24.
My question is: how can I automatically redirect the traffic to the other link to reach my destination private network if one link goes down?
Regards,
Vinoth
01-07-2009 09:07 AM
I have the same requirement. I'm seeing that I need to go active/standby to accomplish this. I'd prefer to go active/active so I'll be watching and updating this thread as I progress.
If anyone knows of a trick to support site-to-site VPN in an active/active mode, please inform us.
Thanks.
01-07-2009 10:14 AM
You need to understand this:
Cisco Active/Active is very misleading. Active/Active in Cisco means that it will load-share traffic for different sources, not the same source. For example, let's say you want to send a 50Mbps stream from source X to source Y. You want to split 50Mbps between PixA and PixB. That is not possible in Cisco Active/Active mode.
I don't know of a trick to support s2s VPN in Active/Active mode; however, I know that Checkpoint has been able to do this since 2003 and I am using it now as we speak.
01-07-2009 10:51 AM
Understood. When I say "tricks" I was thinking of techniques or architectures that would allow me to utilize both ASAs and not have one in standby. Since IPsec VPN is not supported at all in active/active, I'm considering using a router behind the ASAs to terminate the tunnels and allow the tunnel through the ASAs. The problem I see with that is a single point of failure. Still searching...
01-19-2009 07:59 AM
Thanks.
But I am not clear on the above point.
What I am asking is: I have a peer X, which is a SonicWall firewall connected with two ISP links, for example A and B.
They need redundancy for the peer Y, which is my PIX firewall, through VPN in active/standby mode.
Is it possible from my PIX firewall to have two peer IPs for the same crypto map in active/standby?
Thanks,
vinu