Solved: Re: High-availability VPN: dual 3k in the hub and Pixes as spoke

m.laporta · ‎12-09-2003

Hi Experts.

In my scenario, I need routing between spokes and, most importantly, high availability (HA).

In the spokes I have Pix 501/506E, OS ver 6.3. In the hub I have a couple of redundant VPN3k.

Which mechanism is the best:

1. Hub-and spoke topology with EzVPN Remote in the spokes - For HA, can I leverage the "load balancing" feature of the VPN3k?

2. Hub-and spoke topology with EzVPN Remote in the spokes - For HA, can I leverage the "backup server" feature of the VPN3k?

3. Any-to-any topology (an IPSEC tunnel between any pair of sites) - For HA, can I leverage the "backup LAN-to-LAN" feature of the VPN3k?

Thank you

michele

gfullage · ‎12-09-2003

I'd go with load-balancing over the backup server. With load balancing your connections are going to be spread over the two concentrators. If one concentrator does die, then at least it'll only affect half your connections, rather than all of them if your primary dies and you're using backup servers.

If a concentrator does die, your PIX connections will drop out for a short period, but they'll be able to reconnect back automatically without you making any changes.

View solution in original post

gfullage · ‎12-09-2003

I'd go with load-balancing over the backup server. With load balancing your connections are going to be spread over the two concentrators. If one concentrator does die, then at least it'll only affect half your connections, rather than all of them if your primary dies and you're using backup servers.

If a concentrator does die, your PIX connections will drop out for a short period, but they'll be able to reconnect back automatically without you making any changes.

High-availability VPN: dual 3k in the hub and Pixes as spokes