Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

High-availability VPN: dual 3k in the hub and Pixes as spokes

Hi Experts.

In my scenario, I need routing between spokes and, most importantly, high availability (HA).

In the spokes I have Pix 501/506E, OS ver 6.3. In the hub I have a couple of redundant VPN3k.

Which mechanism is the best:

1. Hub-and spoke topology with EzVPN Remote in the spokes - For HA, can I leverage the "load balancing" feature of the VPN3k?

2. Hub-and spoke topology with EzVPN Remote in the spokes - For HA, can I leverage the "backup server" feature of the VPN3k?

3. Any-to-any topology (an IPSEC tunnel between any pair of sites) - For HA, can I leverage the "backup LAN-to-LAN" feature of the VPN3k?

Thank you

michele

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: High-availability VPN: dual 3k in the hub and Pixes as spoke

I'd go with load-balancing over the backup server. With load balancing your connections are going to be spread over the two concentrators. If one concentrator does die, then at least it'll only affect half your connections, rather than all of them if your primary dies and you're using backup servers.

If a concentrator does die, your PIX connections will drop out for a short period, but they'll be able to reconnect back automatically without you making any changes.

1 REPLY
Cisco Employee

Re: High-availability VPN: dual 3k in the hub and Pixes as spoke

I'd go with load-balancing over the backup server. With load balancing your connections are going to be spread over the two concentrators. If one concentrator does die, then at least it'll only affect half your connections, rather than all of them if your primary dies and you're using backup servers.

If a concentrator does die, your PIX connections will drop out for a short period, but they'll be able to reconnect back automatically without you making any changes.

89
Views
0
Helpful
1
Replies
CreatePlease to create content