On a hub-spoke structure we have a VPN 3005 concentrator as a hub and VPN 3002 clients for each spoke. Considering we want to implement fault tolerance on each site, what would be your recommendation: use PIX firewalls in addition to the VPN 3002 clients (I do not think we could have failover with a PIX and a VPN client), or just use another VPN 3002 client on each spoke (making sure they have failover working)?
Your advice on this will be greatly appreciated. Please let me know if you need more details.
Let me preface this by saying I haven't really worked too much on the VPN 3002 HW client. However, why can't you install another VPN 3005 at a 2nd Hub site (dual hub configuration), then configure the 3002 HW clients to have two IPSec tunnels, one to each VPN 3005?
Thanks for your suggestion; the dual hub configuration works and is already in place, so redundancy on the hub is already working. What we need is redundancy on the spokes. Considering the VPN 3002 NW client does not support failover, would it be a better option to replace them with Cisco 1700s or 1800s, or just put another VPN 3002 HW client on each spoke?
Are you not able to configure multiple IPSec tunnels on the 3002? If not, then it seems you need to go with either of your proposed solutions. My preference would be for the router since it is one device that can terminate multiple VPN tunnels, not to mention the myriad of other features that can be configured. Also, I think the 3002 may be EOL very soon.
Sorry I couldn't get back sooner. In relation to your last reply, does VRRP work with a router and the VPN hardware client? As far as I know, VRRP works only with routers which must have the same configuration. Your input is appreciated.