Cisco Support Community

New Member

Backup of VPN connections


I have 2 PIX at my central office and 1 remote PIX (all on 6.3.5). Is it possible to do the following:

- The remote PIX connects to the central PIX1 with VPN.

- If the central PIX1 is down or the PIX1's ISP is down, the remote PIX tries to connect to the central PIX2

Note: The remote PIX has 1 ISP, as the central PIXs.

Remote PIX__ISP___________ISP__PIX1__|

| |



Re: Backup of VPN connections

Yes, it is possible: turn on IPsec dead peer detection. If the first peer is down, it will flap to the next available peer.

If I am right, the syntax on the PIX is:

isakmp keepalive

Please note that if PIX1 is reachable again it will not flap back to PIX1 until the session to PIX2 is reset.

Trust this helps

New Member

Re: Backup of VPN connections

OK, thanks. So in my config on the remote PIX I would have the following:

crypto map CRYPTO_MAP 20 set peer PIX_IP1

crypto map CRYPTO_MAP 20 set peer PIX_IP2

isakmp key ******** address PIX_IP1 netmask

isakmp key ******** address PIX_IP2 netmask

isakmp keepalive x

After x seconds, the remote PIX will try to connect to PIX_IP2...

Is that OK?



Re: Backup of VPN connections

Yeah, that should happen (at least it happened for me :-) )

Let me know if it works.

New Member

Re: Backup of VPN connections

Yes, that works.

Actually, during my tests I did not shut the outside on the Central PIX, thus the remote PIX can always maintain the ISAKMP SA. So I have to clear the ISA SA and IPSEC SA on the remote PIX.

But if I really shut the outside interface on the central PIX, the remote connects to the backup PIX...

Of course you have to check routing on your central office...
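
Because the tunnel does not flap back to PIX1 until the session to PIX2 is reset, a site can stay on the backup peer without anyone noticing. The following is an added example, not part of the original thread: a small check that reads `show isakmp sa` output collected from the remote PIX and reports which central peer holds the established SA. The peer addresses, the function names and the sample output (modelled on the PIX 6.3 column layout) are assumptions constructed for illustration.

```python
import re

# Assumed addresses (documentation ranges) standing in for PIX_IP1 / PIX_IP2.
PRIMARY = "192.0.2.1"
BACKUP = "198.51.100.1"

# Constructed sample, modelled on the layout of "show isakmp sa" on PIX 6.3.
SAMPLE_ON_BACKUP = """\
Total     : 1
Embryonic : 0
        dst               src        state     pending     created
   198.51.100.1      203.0.113.10    QM_IDLE         0           1
"""

# One SA row: dst, src, state, pending, created.
ROW = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s*$"
)


def parse_isakmp_sa(text):
    """Return one dict per SA row; header and counter lines are skipped."""
    sas = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            dst, src, state, pending, created = m.groups()
            sas.append({"dst": dst, "src": src, "state": state,
                        "pending": int(pending), "created": int(created)})
    return sas


def tunnel_status(text, primary=PRIMARY, backup=BACKUP):
    """Return 'primary', 'backup' or 'down' for the established ISAKMP SA."""
    established = set()
    for sa in parse_isakmp_sa(text):
        # QM_IDLE is an established phase-1 SA; other states are still
        # negotiating and are not counted as a working tunnel.
        if sa["state"] == "QM_IDLE":
            # The central peer is dst or src depending on who initiated.
            established.update((sa["dst"], sa["src"]))
    if primary in established:
        return "primary"
    if backup in established:
        return "backup"
    return "down"


if __name__ == "__main__":
    print(tunnel_status(SAMPLE_ON_BACKUP))
```

A result of `backup` is the cue to plan a reset of the session to PIX2 once PIX1 is confirmed reachable again.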