IPSEC via redundant routes

rasoftware · ‎01-27-2006

I have a PIX behind a cisco router with two wan interfaces. PIX uses router as a default gateway. I have policy based routing on router and static routes out of each - 1 as backup for the other.

I have enabled PIX for NAT-T and all works ok over primary and secondary interfaces, with static NAT on router for UDP/500 and UDP/4500.

Problem is that it takes around 10 minutes for router to clear NAT table following the primary link going down. I can see in PIX logs that it can't fine peer etc.. until router NAT table has cleared (ie after 5mins). Add this to the time the SA renewal, say 10 mins, this results in a 10-15 minute fail over.

Cisco says this is the best method of IPSEC fail over, anyone got better idea or how to speed this process up?

mheusinger · ‎01-27-2006

Hello,

You could reduce the time by lowerin the timeout for NAT translations, which is 5 minutes for UDP per default, f.e. with

ip nat translation udp-timeout 60

The full command reference is found at

http://www.cisco.com/en/US/products/sw/iosswrel/ps5187/products_command_reference_chapter09186a008017d163.html#wp1080144

You might also try to adjust isakmp keepalive and "dead peer detection" to speed up SA negotiation.

Hope this helps! Please rate all posts.

Regards, Martin

examples20001 · ‎01-30-2006

Hi,

You can try out Stateful Network Address Translation (SNAT).

http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_white_paper09186a0080118b04.shtml

http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124newft/124_x/snatsca.htm

HTH. Please rate all posts.