
New Member

PIX-IPsec Site-Site VPN Tunnel Redundancy

Hi,

How do I enable site-to-site tunnel redundancy on PIX, so that if one of the peers is not responding, the tunnel gets established with the second configured peer?

I read about configuring multiple peers with the crypto map command:

crypto map redundant 10 set peer 1.1.1.1

crypto map redundant 10 set peer 1.1.1.2

Will this work ?

If the first peer comes back online, will the VPN tunnel move over?

What's the best way?

I am running PIX version 6.3.

Thanks!

3 REPLIES
Silver

Re: PIX-IPsec Site-Site VPN Tunnel Redundancy

Multiple peers would be the way to go. You could also configure Dead Peer Detection (DPD) to speed up the failover.

isakmp keepalive 30 [interval] 5 [retry]

It does not have a failback feature.

You could shorten the lifetime so the tunnels don't last as long and start back at the top of the peer list.

New Member

Re: PIX-IPsec Site-Site VPN Tunnel Redundancy

Thanks! This is what I was looking for.

I guess I need to:

1. Remove the crypto Map

2. Modify it

3. Reapply

in that order. But that would affect my other connections as well. Is there any safe way out?

Regards

RPS

Silver

Re: PIX-IPsec Site-Site VPN Tunnel Redundancy

You can add the changes without removing the crypto map. Then schedule to manually clear the tunnel off hours. When the tunnel rebuilds it will have the new settings.

Clear tunnel:

conf t

clear crypto isa sa

clear crypto ips sa

Thanks,

Chad

Please rate posts if they help.
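Pulling the three replies together, here is an added PIX 6.3 configuration example (not from the original thread or any poster) that lists both peers in the crypto map, enables DPD, shortens the Phase 2 lifetime so a tunnel built to the backup peer expires sooner and the next negotiation starts again at the top of the peer list, and ends with the show/clear commands for the off-hours cut-over. The map name "redundant", the peer addresses 1.1.1.1 and 1.1.1.2, the ACL, subnets, transform set and pre-shared key are all assumed values.

```cisco
! Constructed example: names, addresses, ACL and key are assumptions, not from the thread.
! 1) Phase 1 policy and a pre-shared key entry for each remote peer
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
isakmp key MyPreSharedKey address 1.1.1.1 netmask 255.255.255.255 no-xauth no-config-mode
isakmp key MyPreSharedKey address 1.1.1.2 netmask 255.255.255.255 no-xauth no-config-mode
! 2) Dead Peer Detection: probe every 30 s, retry every 5 s (values from the first reply)
isakmp keepalive 30 5
! 3) Interesting traffic and transform set
access-list vpn_traffic permit ip 10.10.10.0 255.255.255.0 10.20.20.0 255.255.255.0
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
! 4) One crypto map entry with both peers; the PIX tries them in the order listed
crypto map redundant 10 ipsec-isakmp
crypto map redundant 10 match address vpn_traffic
crypto map redundant 10 set peer 1.1.1.1
crypto map redundant 10 set peer 1.1.1.2
crypto map redundant 10 set transform-set ESP-3DES-SHA
! 5) Shorter Phase 2 lifetime: there is no automatic failback, so a tunnel that landed on
!    1.1.1.2 only returns to 1.1.1.1 when it is renegotiated from the top of the peer list
crypto map redundant 10 set security-association lifetime seconds 3600
crypto map redundant interface outside
sysopt connection permit-ipsec
! 6) Adding lines 4 and 5 to an existing map does not drop other tunnels; the new
!    settings apply to this peer pair once its SAs are cleared and rebuilt (off hours)
show crypto isakmp sa
show crypto ipsec sa
clear crypto isakmp sa
clear crypto ipsec sa
```

After the clear, the first `show crypto isakmp sa` confirms which of the two peers the rebuilt tunnel landed on.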
