05-27-2003 07:38 PM - edited 03-09-2019 03:26 AM
When configuring multiple VPN peers on the same crypto map and seq-num on a PIX...
Example:
crypto map mymap 10 ipsec-isakmp
crypto map mymap 10 match address 101
crypto map mymap 10 set transform-set myset
crypto map mymap 10 set peer 10.0.0.1
crypto map mymap 10 set peer 10.0.0.2
or
crypto map mymap 10 set peer 10.0.0.1 10.0.0.2
-------------------------------------------------------------
What is the maximum number you can use?
Can it be used to load balance or is it solely for failover?
If for failover, how does it detect when peer is down?
And can a knob be adjusted to reduce the detection and failover time?
If there is one, how is it done?
05-27-2003 10:31 PM
Not sure of the exact limit. I've seen 5 peers before; I doubt there's a hard limit on it, to be honest, but any more than 2-3 would be pretty useless, I would think.
No load balancing, only failover. Keep in mind that the peer that the tunnel is actually built to is the last peer that the PIX received traffic or a negotiation request from, so it may not always be the first peer listed.
Keepalives are used to detect a peer is down, see http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw/v_63/cmdref/gl.htm#1027312. If a peer goes down it'll try and rebuild the tunnel, but if that then fails it then goes to the next peer in the list.
Again, look at the keepalive timers in the link above to determine how long it'll all take.
05-28-2003 09:30 AM
Thank you.
Last question.
For instance
LA has a VPN to NY
LA has a VPN to DC
Because of company internet policy all internet traffic gets drained in NY (Primary) then DC (Secondary) - No split tunneling
Is there a way to ensure that NY is always the primary peer?
or
Is there another way to do it? (PIXs only, no added equipment)
My second thought is:
access-list outside_cryptomap_1 permit ip 10.1.0.0 255.255.0.0 any
access-list outside_cryptomap_2 permit ip 10.1.0.0 255.255.0.0 any
crypto map COCryptoMap 1 match address outside_cryptomap_1
crypto map COCryptoMap 1 set peer 12.12.12.12
crypto map COCryptoMap 2 match address outside_cryptomap_2
crypto map COCryptoMap 2 set peer 11.11.11.11
I do not have equipment to test at this time.
My question is: if traffic matches the first ACL and there is no peer (failed primary), will it go to the next ACL, which has an active peer (secondary), or will it get stuck on the first ACL?
Or again is there another way?
05-28-2003 04:49 PM
Your suggestion wouldn't work; the 2nd peer would never get looked at, because the traffic would always match the first peer and the PIX will always try and build the tunnel to that peer.
About the only way I can see to make sure the NY tunnel is always the primary is to make sure DC and NY never initiate communications to LA. You could put a dynamic crypto map onto both NY and DC so that they'll only ever accept tunnel requests from LA, they'll never be able to initiate them. This way LA should always try the NY peer first and only go to DC if that doesn't work.
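The design described in the reply above, written out as an added example configuration (not the poster's own config) in PIX 6.3 syntax. All addresses, names and the pre-shared key are made up for illustration; the keepalive values are assumptions to be tuned to the link.

```text
! ===== LA PIX (initiator) - assumed addresses: NY = 11.11.11.11, DC = 12.12.12.12 =====
! Everything from the LA LAN goes through the tunnel (no split tunneling)
access-list outside_cryptomap_10 permit ip 10.1.0.0 255.255.0.0 any
! Phase 1 policy and a pre-shared key valid for either peer
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp key MadeUpKey address 0.0.0.0 netmask 0.0.0.0
! Dead peer detection: probe every 10 s, retry after 3 s (assumed values; shorter = faster failover)
isakmp keepalive 10 3
crypto ipsec transform-set myset esp-3des esp-sha-hmac
! One crypto map entry, NY listed first so it is tried first, DC as the fallback
crypto map COCryptoMap 10 ipsec-isakmp
crypto map COCryptoMap 10 match address outside_cryptomap_10
crypto map COCryptoMap 10 set transform-set myset
crypto map COCryptoMap 10 set peer 11.11.11.11 12.12.12.12
crypto map COCryptoMap interface outside
sysopt connection permit-ipsec

! ===== NY and DC PIX (responders only) - identical apart from isakmp key/address =====
! A dynamic crypto map has no "set peer", so these boxes can accept LA's tunnel
! but never initiate one, which keeps LA's peer order (NY, then DC) in effect.
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp key MadeUpKey address 0.0.0.0 netmask 0.0.0.0
isakmp keepalive 10 3
crypto ipsec transform-set myset esp-3des esp-sha-hmac
crypto dynamic-map LAdyn 10 set transform-set myset
crypto map COCryptoMap 10 ipsec-isakmp dynamic LAdyn
crypto map COCryptoMap interface outside
sysopt connection permit-ipsec
```

With this layout the only box that ever sends an IKE negotiation is LA, so the "last peer that sent traffic" rule in the first reply cannot pull the tunnel toward DC while NY is reachable.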
09-14-2011 02:47 AM
Hi
Can anyone answer this question?
Regards,
Rajat