I'm running a VPN between a pair of PIX515E w/ 6.3.1 in LAN-based FO and a 1721 VPN router. My VPN tunnel is up and works fine both ways. I force a failover to the standby by pulling one of the cables on the Primary and the failover works fine and the VPN tunnel works. I'm testing via PING.
I have 2 issues. 1) Ping resumes fine, but FTP or Telnet doesn't. 2) When I plug the old Primary back in and force the failover back using "failover active", the Primary resumes as the "primary", but nothing works anymore: PING, Telnet, HTTP. Even if I stop the ping and re-initiate the ping it doesn't work.
The only way it will work is if I clear both the IKE and IPSEC SAs on the PIX and 1721 Router.
In my failover config I'm using LAN-based and configured using the 'failover mac address' command.
I've seen some cookbook configs where the command 'route-map' is on the VPN router; I don't have this configured on mine. Can't see why that would make a difference.
Re: VPN between router and PIX failover doesn't work
Failover in the PIX does not support VPN failover, so your tunnels to the active PIX are not replicated to the standby. When the units fail over, the router still has tunnels built and continues to send packets over them, but the newly active PIX doesn't know anything about them and will drop the packets. Clearing the tunnels on the router makes it initiate new tunnels and everything works fine after that. There is no workaround for this as yet, but IPSec failover is being talked about for a future release.
Best thing at the moment is to enable isakmp keepalives on both sides, so that when the tunnels do go down the router will discover it fairly quickly (rather than having to wait till the SA expiry timer) and will rebuild them to the newly active PIX.
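The keepalive setup the reply recommends, as an added configuration example that is not part of the original thread. Timer values and the recovery/verification commands are assumptions; the router line uses the IOS default on-demand dead-peer detection, and the `periodic` keyword for proactive probing depends on the IOS release.

```cisco
! Added example (not from the original thread): ISAKMP keepalives / DPD on both
! tunnel endpoints so the router notices a dead peer after PIX failover instead
! of waiting for the SA lifetime to expire. Timer values are assumptions.

! --- PIX 515E, 6.3 (active unit; failover does not replicate IKE/IPsec SAs) ---
! send a keepalive every 10 s, retry every 5 s while the peer is silent
isakmp keepalive 10 5

! --- Cisco 1721 router (IOS) ---
! probe the peer every 10 s after traffic goes unanswered, 3 s between retries;
! append "periodic" (where the IOS release supports it) to probe unconditionally
crypto isakmp keepalive 10 3

! Manual recovery the thread describes, router side, for a tunnel that is
! already stale (DPD makes this unnecessary once it has torn the SAs down):
clear crypto isakmp
clear crypto sa

! Verification after a forced failover ("failover active"): the IKE SA to the
! PIX peer should return to QM_IDLE within the DPD window and the IPsec SA
! counters should start incrementing again
show crypto isakmp sa
show crypto ipsec sa
```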