Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
328
Views
5
Helpful
7
Replies

configure redundant vpn pix connection

ELIE IBRAHIM
Level 1
Level 1

‎12-02-2005 11:03 PM - edited ‎02-21-2020 02:08 PM

Hi,

I have a PIX515E with v7 ios connected to ISP1 using 2610 router and configured to accept VPN connections from several remote sites using PIX.

another ISP2 connection exists with 1841 router used for common internet.

i want to create redundancy if either the PIX or ISP1 fails

i know that resolving the PIX failure is by getting another FO PIX

but is it possible to have the ISP2 connection as a backup link so when ISP1 fails the remote VPN clients will still be able to connect. and is there any guides or configuration examples for that.

thanks

Labels:
0 Helpful
7 Replies 7

attrgautam
Level 5
Level 5

‎12-03-2005 12:15 AM

How do your remote sites connect ? LAN-to-LAN or dynamic IPSec tunnels to the PIX ? It may help.

0 Helpful

ELIE IBRAHIM
Level 1
Level 1
In response to attrgautam

‎12-03-2005 02:30 AM

Hi Gautam thanks for your reply

remote sites connect to HQ in LAN-to-LAN config

0 Helpful

attrgautam
Level 5
Level 5
In response to ELIE IBRAHIM

‎12-03-2005 03:31 AM

Lets see here's my soln, let me know if its ok with you. 1841 , primary router and Firewall are on the same LAN and both routers run HSRP , default of firewall to HSRP IP. Run 2 GRE tunnels to from each CPE to both routers with keepalives. If primary link fails , default flaps to other router and primary tunnel at CPE side also goes down. So you get automatic fallback.

Hope there are better solutions as this will increase the overhead. If IPSec lands on the router you can use DPD and RRI which is the best for HA.

ELIE IBRAHIM
Level 1
Level 1
In response to attrgautam

‎12-03-2005 04:11 AM

thanks Gautam

one other thing, are the 2600 and 1841 routers powerful enaugh to handle the tunnels comming from 10 remote sites

0 Helpful

attrgautam
Level 5
Level 5
In response to ELIE IBRAHIM

‎12-03-2005 04:17 AM

I really dont think so the 2600 will scale but the 1841 may jus do it. What is the traffic you are looking at on each tunnel ? I can say the 1841 can handle upto 2 MB with 10 GRE tunnels and the 2600 also maybe the same.

0 Helpful

ELIE IBRAHIM
Level 1
Level 1
In response to attrgautam

‎12-03-2005 04:40 AM

most of the traffic is toward a web application in the HQ

the main link will not exceed 2MB

0 Helpful

attrgautam
Level 5
Level 5
In response to ELIE IBRAHIM

‎12-03-2005 06:12 AM

Then i think you can use both the routers but as i said suggest you look into the overheads of GRE+IPSec. Maybe you could adjust the mss or something.

0 Helpful
Customers Also Viewed These Support Documents