Cisco Support Community
Community Member

IPSec VPN w PIX Failover

I am researching resilient site-to-site VPN solutions using IPSec and Pix firewalls. I would like to know if using two PIX firewalls in a fail-over configuration is a recommended/supported configuration. I realize stateful failover is not possible, but will the VPN tunnel even work if the primary head-end Pix fails? If so, approximately how long will it take for the SA to be re-established?

Many thanks.

Cisco Employee

Re: IPSec VPN w PIX Failover

You're correct in stating that IPSec stateful failover is not supported. As for how long the tunnel takes to failover, that depends really.

Worst case scenario, the other end doesn't know anything's gone wrong and just keeps sending packets to the backup PIX, which the backup PIX drops cause it doesn't have a tunnel built. It will try and build a tunnel, but the other end will deny this cause it already has one. This is a common occurrence with IPSEc, especially with different vendors, since there's nothing within the IPSec spec that defines a keepalive of any sort.

If you're building this tunnel to another PIX, an IOS router or a VPN3000 then enable keepalives on the tunnel (isakmp keepalive x y) and at least then the two ends will determine that the tunnel has gone down and rebuild it. Generally you'll still have a 30-60 second outage depending on what you set the timers to, but then everything should come up automatically.

Also keep in mind that if these are client VPN tunnels, then the client will be disconnected but will be able to reconnect straight away without making any changes to the client config.

If you're building this to another vendor, then you're out of luck with the keepalives. You can set the Phase 2 tunnel expiry time to fairly low, but I wouldn't suggest anything less than every 10 minutes or so, even higher if you have a lot of tunnels. Then worst case scenario is you'll have to wait for the tunnel to be rebuilt for everything to come back.

Command reference:

Community Member

Re: IPSec VPN w PIX Failover

Thanks for the information! I think we are going to buy a couple of 7204s and use IOS 12.2(11)YX with the stateful fail-over capability.

Thanks again for the help.


CreatePlease to create content