Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
273
Views
0
Helpful
2
Replies

IPSec VPN w PIX Failover

joturner
Level 1
Level 1

‎07-28-2003 01:39 PM - edited ‎02-21-2020 12:41 PM

I am researching resilient site-to-site VPN solutions using IPSec and Pix firewalls. I would like to know if using two PIX firewalls in a fail-over configuration is a recommended/supported configuration. I realize stateful failover is not possible, but will the VPN tunnel even work if the primary head-end Pix fails? If so, approximately how long will it take for the SA to be re-established?

Many thanks.

Labels:
0 Helpful
2 Replies 2

gfullage
Cisco Employee
Cisco Employee

‎07-28-2003 04:33 PM

You're correct in stating that IPSec stateful failover is not supported. As for how long the tunnel takes to failover, that depends really.

Worst case scenario, the other end doesn't know anything's gone wrong and just keeps sending packets to the backup PIX, which the backup PIX drops cause it doesn't have a tunnel built. It will try and build a tunnel, but the other end will deny this cause it already has one. This is a common occurrence with IPSEc, especially with different vendors, since there's nothing within the IPSec spec that defines a keepalive of any sort.

If you're building this tunnel to another PIX, an IOS router or a VPN3000 then enable keepalives on the tunnel (isakmp keepalive x y) and at least then the two ends will determine that the tunnel has gone down and rebuild it. Generally you'll still have a 30-60 second outage depending on what you set the timers to, but then everything should come up automatically.

Also keep in mind that if these are client VPN tunnels, then the client will be disconnected but will be able to reconnect straight away without making any changes to the client config.

If you're building this to another vendor, then you're out of luck with the keepalives. You can set the Phase 2 tunnel expiry time to fairly low, but I wouldn't suggest anything less than every 10 minutes or so, even higher if you have a lot of tunnels. Then worst case scenario is you'll have to wait for the tunnel to be rebuilt for everything to come back.

Command reference:

http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/cmdref/gl.htm#1027312

0 Helpful

joturner
Level 1
Level 1
In response to gfullage

‎07-31-2003 02:09 PM

Thanks for the information! I think we are going to buy a couple of 7204s and use IOS 12.2(11)YX with the stateful fail-over capability.

Thanks again for the help.

JT

0 Helpful
Customers Also Viewed These Support Documents