Cisco Support Community
Community Member

load balancing/failover on pix firewall for ipsec vpn connectivity

Is there a way to configure 2 PIX at the remote end from 2 different ISPs connecting to a VPN concentrator such that they can load balance the traffic or, if not, one PIX automatically serves as failover when the other PIX is down?

Thanks for any replies received

Community Member

Re: load balancing/failover on pix firewall for ipsec vpn connec


I suppose the ISPs provide some type of WAN connection. PIXen do not support WAN interfaces, so they should not need to have different IPs on their external interfaces.

The PIXen have no way to load balance traffic. You should use an external load balancer for this, but the firewalls would not be able to synchronize their state tables (they would work as completely independent firewalls). If one of them failed, the connections through it would be lost.

You can have an active/passive configuration, with the two firewalls sharing one configuration file. The passive firewall is not able to route traffic, and it only serves as a backup for the active one. As they share the same configuration, you must have their interfaces connected to the same IP networks.

I suppose your best bet is to place a pair of routers with BGP for connecting to the 2 ISPs (both of them should publish routes to your public addresses), and to put the PIXen behind them in an active/passive configuration.

Hope it helps.

Community Member

Re: load balancing/failover on pix firewall for ipsec vpn connec

Hi Jose

Thanks for the reply, seems very interesting. The setup here is different. I have an ADSL modem and a leased line coming out of the 2 ISPs and terminating on my firewall. So the first firewall connects to an ADSL modem which connects to the IP. The 2nd firewall connects to a router and then to the ISP. Any ideas?
