Cisco Support Community
New Member

configure redundant vpn pix connection

Hi,

I have a PIX515E with v7 IOS connected to ISP1 using a 2610 router and configured to accept VPN connections from several remote sites using PIX.

Another ISP2 connection exists with an 1841 router used for common internet.

I want to create redundancy if either the PIX or ISP1 fails.

I know that resolving the PIX failure is by getting another FO PIX.

But is it possible to have the ISP2 connection as a backup link, so when ISP1 fails the remote VPN clients will still be able to connect? And are there any guides or configuration examples for that?

Thanks

7 REPLIES
Silver

Re: configure redundant vpn pix connection

How do your remote sites connect? LAN-to-LAN or dynamic IPSec tunnels to the PIX? It may help.

New Member

Re: configure redundant vpn pix connection

Hi Gautam, thanks for your reply.

Remote sites connect to HQ in a LAN-to-LAN config.

Silver

Re: configure redundant vpn pix connection

Let's see, here's my solution; let me know if it's OK with you. The 1841, primary router and firewall are on the same LAN and both routers run HSRP, with the default of the firewall to the HSRP IP. Run 2 GRE tunnels from each CPE to both routers with keepalives. If the primary link fails, the default flaps to the other router and the primary tunnel at the CPE side also goes down. So you get automatic fallback.

Hope there are better solutions as this will increase the overhead. If IPSec lands on the router you can use DPD and RRI which is the best for HA.

New Member

Re: configure redundant vpn pix connection

Thanks Gautam.

One other thing: are the 2600 and 1841 routers powerful enough to handle the tunnels coming from 10 remote sites?

Silver

Re: configure redundant vpn pix connection

I really don't think the 2600 will scale, but the 1841 may just do it. What is the traffic you are looking at on each tunnel? I can say the 1841 can handle up to 2 MB with 10 GRE tunnels, and the 2600 also maybe the same.

New Member

Re: configure redundant vpn pix connection

Most of the traffic is toward a web application in the HQ.

The main link will not exceed 2MB.

Silver

Re: configure redundant vpn pix connection

Then I think you can use both the routers, but as I said, I suggest you look into the overheads of GRE+IPSec. Maybe you could adjust the MSS or something.
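Added example, not part of the thread: a calculation of the GRE+IPSec per-packet overhead raised in the last reply, and the TCP MSS that keeps encapsulated packets within the WAN MTU. The 1500-byte link MTU, IPv4 headers without options, basic 4-byte GRE header, no NAT-T, and the two ESP transforms (AES-CBC or 3DES-CBC with HMAC-SHA1-96) are assumptions, not details given by the posters.

```python
# Added example: overhead of GRE carried inside IPsec ESP, and the resulting TCP MSS.
# All cipher parameters and the 1500-byte MTU are assumptions for illustration.
from dataclasses import dataclass

IP_HDR = 20      # IPv4 header without options
TCP_HDR = 20     # TCP header without options
GRE_HDR = 4      # basic GRE header, no key/sequence/checksum
ESP_HDR = 8      # SPI + sequence number
ESP_TRAILER = 2  # pad-length + next-header bytes


@dataclass(frozen=True)
class EspTransform:
    name: str
    block: int   # cipher block size; the encrypted region is padded to this
    iv: int      # per-packet IV length
    icv: int     # truncated integrity check value length


AES_SHA1 = EspTransform("AES-CBC + HMAC-SHA1-96", block=16, iv=16, icv=12)
TDES_SHA1 = EspTransform("3DES-CBC + HMAC-SHA1-96", block=8, iv=8, icv=12)


def wire_size(inner_len: int, t: EspTransform, tunnel_mode: bool = True) -> int:
    """Size on the WAN link of one inner IP packet after GRE + ESP."""
    # Tunnel mode encrypts the GRE delivery IP header and adds a new outer one;
    # transport mode reuses the GRE delivery header as the outer header.
    plaintext = inner_len + GRE_HDR + (IP_HDR if tunnel_mode else 0) + ESP_TRAILER
    padded = -(-plaintext // t.block) * t.block   # round up to the cipher block
    return IP_HDR + ESP_HDR + t.iv + padded + t.icv


def max_inner_packet(link_mtu: int, t: EspTransform, tunnel_mode: bool = True) -> int:
    """Largest inner IP packet that still fits in link_mtu once encapsulated."""
    room = link_mtu - IP_HDR - ESP_HDR - t.iv - t.icv
    padded = (room // t.block) * t.block          # round down to the cipher block
    return padded - ESP_TRAILER - GRE_HDR - (IP_HDR if tunnel_mode else 0)


def tcp_mss(link_mtu: int, t: EspTransform, tunnel_mode: bool = True) -> int:
    """TCP MSS that keeps a full-size segment inside max_inner_packet()."""
    return max_inner_packet(link_mtu, t, tunnel_mode) - IP_HDR - TCP_HDR


if __name__ == "__main__":
    for t in (AES_SHA1, TDES_SHA1):
        for tunnel in (True, False):
            inner = max_inner_packet(1500, t, tunnel)
            print(f"{t.name:24} {'tunnel' if tunnel else 'transport':9} "
                  f"inner<={inner} mss<={tcp_mss(1500, t, tunnel)} "
                  f"wire={wire_size(inner, t, tunnel)}")
```

On IOS routers the computed value is typically applied with `ip tcp adjust-mss` on the tunnel interface, rounded down for headroom.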
