I have an upcoming project that has to deal with setting up a 2nd PIX for the purpose of VPN failover. The existing firewall is configured and has a working VPN config. The customer would like a 2nd firewall set up for redundant VPN connections. Hence, if the first firewall fails for any reason, the second firewall will become active and resume VPN connections. Is this possible? If so, can you possibly provide config examples?
Setting up IPSec VPN with a PIX which is part of a failover pair is possible. The configuration for IPSec is the same as when the PIX is not in the failover pair. However, with failover configured, the PIX does not replicate the ISAKMP and the IPSec SA tables to the Secondary PIX on failover. The remote end continues to send packets using the negotiated SAs. Thus you could end up without a tunnel for quite some time after failover. The workaround is to clear the SAs manually. A better option is to use the command 'crypto isakmp keepalive' to enable automatic dead peer detection. The only requirement is that both devices must support this.
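The behaviour described in the answer above can be seen in a small simulation. This is an added example, not part of the original reply and not Cisco code: it models a remote peer that keeps using SAs the newly active unit does not have. The timer values, the function name and the one-probe-per-interval form of dead peer detection are assumptions made for illustration.

```python
"""Toy model (added example): stale SAs after a failover, with and without DPD.
All timer values are assumptions; DPD is simplified to one probe per interval."""


def outage_after_failover(sa_lifetime, failover_at, dpd_interval=None, dpd_retries=3):
    """Return the seconds of dropped traffic the remote peer sees after failover."""
    active_sas = set()   # SA table of the currently active unit (not replicated)
    spi = None           # SA the remote peer currently uses
    sa_born = 0
    next_spi = 1
    missed = 0           # consecutive unanswered DPD probes
    dropped = 0

    for t in range(failover_at + sa_lifetime + 1):
        if t == failover_at:
            active_sas = set()          # standby becomes active with empty SA tables

        # DPD: probe the peer; an active unit without the SA cannot answer
        if dpd_interval and spi is not None and t % dpd_interval == 0:
            missed = 0 if spi in active_sas else missed + 1
            if missed >= dpd_retries:
                spi = None              # peer declared dead: delete the stale SA

        # (Re)negotiate when there is no SA or its lifetime has expired
        if spi is None or t - sa_born >= sa_lifetime:
            spi, sa_born, missed = next_spi, t, 0
            next_spi += 1
            active_sas.add(spi)         # new SA is installed on the active unit

        # One data packet per second; an unknown SPI is dropped by the gateway
        if spi not in active_sas:
            dropped += 1
    return dropped


if __name__ == "__main__":
    lifetime = 28800  # assumed SA lifetime in seconds
    print("no DPD :", outage_after_failover(lifetime, failover_at=105))
    print("DPD 10s:", outage_after_failover(lifetime, failover_at=105, dpd_interval=10))
```

Without keepalives the modelled tunnel stays down until the remote peer's SA lifetime expires; with a 10-second probe and three retries it recovers within the probe window.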
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: