Path redundancy for PIX VPN

dro
Level 1

Hi NetPros. I'm looking for a way to add path redundancy to select sites on my existing site-to-site VPN (all PIX based at the moment).

My headend is a PIX 525 (running 7.0.4) and the remote sites are either 501's or 506's (running 6.3.5).

I would like to add path redundancy to some of the remote sites by adding in a second PIX on a different ISP connection.

Now, in this type of scenario, is it best to define the tunnel using multiple peers on the headend configuration and place a router behind the two 501's on the client side?

By using OSPF on the headend PIX and the client side router, would it bring up both peers in the tunnel group at the same time and fail over to each path without issues, or can the PIX only speak with one peer of the tunnel group at a time, and the OSPF on the router would pick up which PIX is currently active and start using it instead?

If I activate OSPF on my headend PIX, can it be specified on which tunnels to use, or will it broadcast out on all tunnels by default?

Is there a better direction I should be going with this?

Thanks!

-Joshua

2 Replies

thomas.chen
Level 6

There is no way for the PIX to connect to both the primary and secondary switch. Normally in PIX failover, both PIXes connect to the same switch. If one PIX fails, the other takes over. In your scenario, the PIX and the switch fail at the same time and, of course, connectivity is lost.

Thanks for the reply, but you missed the question. This isn't about switch redundancy. I'm looking for PATH redundancy (i.e., Internet links) for VPN connections.