Achieving ISP redundancy over an IPSEC VPN connection
Recently, we've been experiencing a number of connectivity problems with our ADSL connected remote sites.
Our set-up uses a Cisco 837 at the remote site, with an IPSEC tunnel built to terminate on our PIX 515E at our Head Office.
At the remote sites, we would like to get a 2nd ADSL link from an alternative ISP in the hope that a) we could load balance over the links and b) the 2nd link would allow us some resilience and could takeover should the other link fail.
The question is - how can we achieve this with minimal disruption and with as little investment in additional hardware as possible?
Could we buy a 2nd Cisco 837 for the 2nd ADSL link and build an IPSEC tunnel from the PIX to it? We could then use HSRP at the remote site and that would allow one link to take over from the other if it went down. However, how would our PIX know to then route the traffic over the 2nd connection?
And could we perform any load balancing in this set-up?
Or maybe we could buy e.g. a Cisco 2800 series router with 2 x ADSL WIC cards - one to each ISP. Again, how could we achieve load balancing and failover with this set-up?
Or does anyone have any other recommendations/suggestions on how to achieve this?
Re: Achieving ISP redundancy over an IPSEC VPN connection
Ok, thanks - so I can't achieve load balancing but I could achieve automatic failover to a 2nd ADSL link?
Would this set-up work for automatic failover:
At remote site, 2 x Cisco 837s, with one connected to ADSL link for ISP A and the other connected to ADSL link for ISP B.
I could run HSRP between the Cisco 837s with tracking on the ATM interface to change priority should the ADSL link on ISP A go down. So, any change in the ADSL link being used would be transparent to the users on the remote office LAN - they would use the same default gateway (i.e. the virtual HSRP address).
Then on my head office PIX, I configure everything as previously EXCEPT I now add the peer address of the 2nd Cisco 837 router into my crypto map statement?
So, how does the PIX decide which peer takes priority? Is it just the first one listed in the config? And, should that peer fail, how long would it take to failover to the other peer?
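As an added example (not part of the original thread), a sketch of the failover design described in the post above: HSRP with ATM-interface tracking on the two 837s, and a single PIX crypto map entry listing both remote peers. All addresses, names and the pre-shared keys are assumed placeholders; the 837 dialer/PVC and crypto configuration is omitted.

```cisco
! --- Remote site, router A (ISP A), LAN side
interface Ethernet0
 ip address 192.168.10.2 255.255.255.0
 standby 1 ip 192.168.10.1          ! virtual gateway handed out to LAN hosts
 standby 1 priority 110             ! A is preferred while its ADSL line is up
 standby 1 preempt                  ! reclaim the gateway role once the line recovers
 standby 1 track ATM0 20            ! drop to 90 if ATM0 line protocol goes down
!
! --- Remote site, router B (ISP B), LAN side
interface Ethernet0
 ip address 192.168.10.3 255.255.255.0
 standby 1 ip 192.168.10.1
 standby 1 priority 100             ! becomes active only when A falls below 100
 standby 1 preempt
 standby 1 track ATM0 20
!
! Note: interface tracking only sees the local ATM line state; an upstream
! ISP fault that leaves the line up is not detected by this mechanism.
! Both 837s carry an identical crypto map towards the PIX on their own
! WAN (Dialer) interface, so the PIX sees two distinct peer addresses.
!
! --- Head office PIX (6.3 syntax): both peers in one crypto map entry
access-list REMOTE permit ip 10.0.0.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
crypto map VPN 10 match address REMOTE
crypto map VPN 10 set peer 198.51.100.10 203.0.113.10   ! ISP A first, ISP B second
crypto map VPN 10 set transform-set ESP-3DES-SHA
crypto map VPN interface outside
isakmp enable outside
isakmp key PSK-ROUTER-A-PLACEHOLDER address 198.51.100.10 netmask 255.255.255.255
isakmp key PSK-ROUTER-B-PLACEHOLDER address 203.0.113.10 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp keepalive 10 3    ! DPD every 10 s, retry every 3 s, so a dead peer is noticed
sysopt connection permit-ipsec
```

Peers are tried in the order listed, and a tunnel initiated from the remote side by whichever 837 is active is accepted because both addresses are configured peers; for head-office-initiated traffic the switch to the second peer only happens after the keepalives declare the first one dead.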