Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Users might experience few discrepancies in Search results. We are working on this on our side. We apologize for the inconvenience it may have caused.
New Member

Path redundancy for PIX VPN

Hi NetPro's. I'm looking for a way to add path redundancy to select sites on my existing site to site VPN (all PIX based at the moment).

My headend is a PIX 525 (running 7.0.4) and the remote sites are either 501's or 506's (running 6.3.5).

I would like to add path redundancy to some of the remote sites by adding in a second PIX on a different ISP connection.

Now, in this type of scenario, is it best to define the tunnel using multiple peers on the headend configuration and place a router behind the two 501's on the client side?

By using OSPF on the headend PIX and the client side router, would it bring up both peers in the tunnel group at the same time and fail over to each path without issues, or can the PIX only speak with one peer of the tunnel group at a time, and the OSPF on the router would pick up which PIX is currently active and start using it instead?

If I activate OSPF on my headend PIX, can it be specified on which tunnels to use, or will it broadcast out on all tunnels by default?

Is there a better direction I should be going with this?




Re: Path redundancy for PIX VPN

there is no way for the pix to connect to both primaryand secondary switch.Normally in pix failover, both pixes connect to the same switch. If one pix fail the othertakes over. In your scenario, pix and switch fails at the same time and of course,

connectivity is lost.

New Member

Re: Path redundancy for PIX VPN

Thanks for the reply, but you missed the question. This isn't about switch redundancy. I'm looking for PATH redundancy (ie: Internet links) for VPN connections..

CreatePlease to create content