Configuring multiple peers on the same crypto map and seq-num

tmoreo
Level 1

When configuring multiple vpn peers on the same crypto map and seq-num on a PIX....

Ex...

crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set myset
crypto map mymap 10 set peer 10.0.0.1
crypto map mymap 10 set peer 10.0.0.2

or

crypto map mymap 10 set peer 10.0.0.1 10.0.0.2

-------------------------------------------------------------

What is the maximum number you can use?

Can it be used to load balance or is it solely for failover?

If for failover, how does it detect when peer is down?

And can a knob be adjusted to reduce the detection and failover time?

If there is one, how is it done?

5 Replies

gfullage
Cisco Employee

Not sure of the exact limit, I've seen 5 peers before, I doubt there's a hard limit on it to be honest, but any more than 2-3 would be pretty useless I would think.

No load balancing, only failover. Keep in mind that the peer that the tunnel is actually built to is the last peer that the PIX received traffic or a negotiation request from, so it may not always be the first peer listed.

Keepalives are used to detect a peer is down, see http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#1027312. If a peer goes down it'll try and rebuild the tunnel, but if that fails it then goes to the next peer in the list.

Again, look at the keepalive timers in the link above to determine how long it'll all take.
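As an added example that is not part of the original thread, this is how the LA-side configuration described in the reply above could look with two peers on one crypto map entry and the IKE keepalive set explicitly. The peer addresses, names, transform set and the PIX 6.3-style command syntax are assumptions; the accepted keepalive ranges and the number of unanswered retries before a peer is declared dead should be checked against the command reference linked above for the software version in use.

```cisco
! Added example, not from the original post. PIX 6.3-style syntax assumed.
! LA spoke: one crypto map entry, two peers, explicit IKE keepalives.

! Interesting traffic for the tunnel (LA LAN, no split tunnelling).
access-list 101 permit ip 10.1.0.0 255.255.0.0 any

! AES/SHA transform; 3DES is still accepted on PIX but AES is preferred.
crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac

crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set myset
! Peer order: the first peer is tried first when LA initiates. As the reply
! above notes, the active peer is whichever one LA last heard from, so the
! order only decides where a fresh negotiation starts.
crypto map mymap 10 set peer 12.12.12.12
crypto map mymap 10 set peer 11.11.11.11
crypto map mymap interface outside

isakmp enable outside
isakmp identity address
! One pre-shared key per peer, each bound to that peer's host address only,
! rather than a single wildcard (0.0.0.0) key shared by every peer.
isakmp key NY-preshared-key address 12.12.12.12 netmask 255.255.255.255
isakmp key DC-preshared-key address 11.11.11.11 netmask 255.255.255.255

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! IKE keepalives: first value is the keepalive interval, second the retry
! interval used once a keepalive goes unanswered. Lower values mean the PIX
! notices a dead peer sooner and moves to the next peer in the list; the
! exact minimums and retry count are as documented for your version.
isakmp keepalive 10 2

sysopt connection permit-ipsec
```

Two things to keep in mind when reading the failover time off these values: the far end has to support keepalives for them to be answered at all, and the switch to the second peer only happens after the keepalives declare the first peer dead and a rebuild attempt to it fails, so the outage is at least the keepalive interval plus the retries plus one failed and one successful IKE negotiation.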

Thank you.

Last question.

For instance

LA has a VPN to NY

LA has a VPN to DC

Because of company internet policy all internet traffic gets drained in NY (Primary) then DC (Secondary) - No split tunneling

Is there a way to ensure that NY is always the primary peer?

or

Is there another way to do it. (PIXs only, no added equipment)

My second thought is..

access-list outside_cryptomap_1 permit ip 10.1.0.0 255.255.0.0 any
access-list outside_cryptomap_2 permit ip 10.1.0.0 255.255.0.0 any

crypto map COCryptoMap 1 match address outside_cryptomap_1
crypto map COCryptoMap 1 set peer 12.12.12.12
crypto map COCryptoMap 2 match address outside_cryptomap_2
crypto map COCryptoMap 2 set peer 11.11.11.11

I do not have equipment to test at this time.

My question is, if traffic matches the first ACL and there is no peer (failed primary), will it go to the next ACL which has an active peer (Secondary) or will it get stuck on the first ACL?

Or again is there another way?

Your suggestion wouldn't work, the 2nd peer would never get looked at because the traffic would always match the first peer and the PIX will always try and build the tunnel to that peer.

About the only way I can see to make sure the NY tunnel is always the primary is to make sure DC and NY never initiate communications to LA. You could put a dynamic crypto map onto both NY and DC so that they'll only ever accept tunnel requests from LA, they'll never be able to initiate them. This way LA should always try the NY peer first and only go to DC if that doesn't work.
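As an added example that is not part of the original thread, this is a responder-only configuration for the NY PIX (DC would be configured the same way) following the suggestion above: a dynamic crypto map has no peer and no match address, so the hub can accept a negotiation from LA but has nothing to initiate one with. The LA outside address, key, names, transform set and the PIX 6.3-style syntax are assumptions.

```cisco
! Added example, not from the original post. PIX 6.3-style syntax assumed.
! NY hub (and identically DC): accept tunnels from LA, never initiate them.

crypto ipsec transform-set myset esp-aes-256 esp-sha-hmac

! Dynamic entry: no 'set peer' and no 'match address'. The proxy identities
! are taken from whatever LA proposes, so NY can only ever be the responder.
crypto dynamic-map LA-dyn 10 set transform-set myset

! The dynamic map is referenced from the static crypto map applied to the
! outside interface. Any static entries with 'set peer' would let NY
! initiate again, so the hub carries none for LA.
crypto map hubmap 10 ipsec-isakmp dynamic LA-dyn
crypto map hubmap interface outside

isakmp enable outside
isakmp identity address
! Key bound to LA's outside address only (1.1.1.1 is assumed). Avoid the
! 'address 0.0.0.0 netmask 0.0.0.0' wildcard form with a dynamic map: it lets
! any host that learns the key start IKE with the hub.
isakmp key LA-preshared-key address 1.1.1.1 netmask 255.255.255.255

isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes-256
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! Same keepalive settings as the spoke so both ends notice a dead peer.
isakmp keepalive 10 2

sysopt connection permit-ipsec
```

The trade-off is the one the reply above implies: because NY and DC can no longer initiate, traffic from the hub side toward 10.1.0.0/16 is dropped until LA brings the tunnel up, and LA only tries DC once keepalives have declared NY dead and the rebuild to NY has failed. When NY comes back, LA keeps using DC until that tunnel in turn fails, since the peer list only decides where a fresh negotiation starts.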

Hi

Can anyone answer this question?

Regards,

Rajat

swj
Cisco Employee