I am researching resilient site-to-site VPN solutions using IPsec and PIX firewalls. I would like to know if using two PIX firewalls in a fail-over configuration is a recommended/supported configuration. I realize stateful failover is not possible, but will the VPN tunnel even work if the primary head-end PIX fails? If so, approximately how long will it take for the SA to be re-established?
You're correct in stating that IPsec stateful failover is not supported. As for how long the tunnel takes to fail over, that really depends.
Worst case scenario, the other end doesn't know anything's gone wrong and just keeps sending packets to the backup PIX, which the backup PIX drops because it doesn't have a tunnel built. It will try to build a tunnel, but the other end will deny this because it already has one. This is a common occurrence with IPsec, especially between different vendors, since there's nothing within the IPsec spec that defines a keepalive of any sort.
If you're building this tunnel to another PIX, an IOS router or a VPN3000 then enable keepalives on the tunnel (isakmp keepalive x y) and at least then the two ends will determine that the tunnel has gone down and rebuild it. Generally you'll still have a 30-60 second outage depending on what you set the timers to, but then everything should come up automatically.
Also keep in mind that if these are client VPN tunnels, then the client will be disconnected but will be able to reconnect straight away without making any changes to the client config.
If you're building this to another vendor, then you're out of luck with the keepalives. You can set the Phase 2 tunnel expiry time fairly low, but I wouldn't suggest anything less than every 10 minutes or so, even higher if you have a lot of tunnels. Then the worst case scenario is you'll have to wait for the tunnel to be rebuilt for everything to come back.
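The timeline the answer describes, as an added model (not code from the thread or from Cisco): the remote peer keeps an SA for the dead primary, the standby drops its traffic and has its own IKE attempts refused, and the remote only rebuilds once DPD keepalives or the Phase 2 lifetime tear the stale SA down. The retry count, rekey time and the standby's IKE retry period are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class RemotePeer:
    """Far end of the tunnel; still holds SAs negotiated with the dead primary PIX."""
    keepalive_interval: Optional[int]   # 'isakmp keepalive x' (None = keepalives off)
    keepalive_retry: int = 0            # 'isakmp keepalive x y': seconds between retries
    max_retries: int = 3                # assumption: unanswered retries before teardown
    sa_lifetime_left: int = 600         # seconds left on the Phase 2 SA at failure time
    has_sa: bool = True

    def declares_peer_dead_at(self) -> int:
        """Seconds after the failure at which the remote tears down its stale SA."""
        if self.keepalive_interval is None:
            return self.sa_lifetime_left    # no DPD: nothing happens until lifetime expiry
        # One unanswered probe after the interval, then max_retries retries spaced
        # keepalive_retry seconds apart; only then is the peer declared dead.
        return self.keepalive_interval + self.max_retries * self.keepalive_retry


def simulate_failover(peer: RemotePeer, rekey_seconds: int = 2,
                      backup_ike_every: int = 10) -> dict:
    """Primary dies at t=0; the standby owns the address but has no SA (no stateful failover).
    Traffic is one packet per second. Returns outage length and what the standby dropped."""
    backup_has_sa = False
    rebuild_done: Optional[int] = None
    dropped = rejected_ike = 0
    dead_at = peer.declares_peer_dead_at()
    t = 0
    while not backup_has_sa:
        t += 1
        if peer.has_sa:
            dropped += 1                     # remote still encrypts to a PIX with no SA
            if t % backup_ike_every == 0:
                rejected_ike += 1            # standby's IKE is refused: remote "already has one"
            if t >= dead_at:
                peer.has_sa = False          # DPD or lifetime expiry finally tears it down
                rebuild_done = t + rekey_seconds
        elif rebuild_done is not None and t >= rebuild_done:
            backup_has_sa = True             # fresh Phase 1/2 negotiated with the standby
    return {"outage_seconds": t, "dropped_packets": dropped,
            "backup_ike_attempts_rejected": rejected_ike}
```

With `isakmp keepalive 10 10` the model gives a 42-second outage; with keepalives off and 600 s left on the Phase 2 SA it is 602 seconds, which is why the answer ties the worst case to the lifetime setting.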