Cisco Support Community
New Member

IPSEC redundancy for the remote site (ASA-PIX)


I have a design question regarding IPSEC VPN redundancy.

I'm using 2 pix515 (6.3.5) on the central site (with 1 ISP for each) and 1 ASA 5510 (7.2.4) on the remote site (1 ISP).

The remote site establishes the tunnel to the main site on PIX1. If the PIX1 is not available the ASA tries PIX2.

(crypto map CRYPTO set peer IP1 IP2)

It appears to work, but I would like to know the limitations of that kind of design, and how it works precisely.

If both PIX are up (which is the case), which PIX does the ASA choose? (routing issue on central site?)

If both PIX are up, what makes the ASA decide to send through VPN1 or 2?

Thank you for your answer


Re: IPSEC redundancy for the remote site (ASA-PIX)

I can guess you use one crypto map with two sequence numbers, for example:

crypto map CRYPTO 10

crypto map CRYPTO 20

This way you will manually choose which PIX will be the primary and which one the secondary.

When the first one is down, the link will start the connection with the second.

The limitation of this way is that the ASA should restart the tunnel, so if there was an active session, the session needs to be restarted.

But it is operational.

Good luck.

If helpful, rate.

New Member

Re: IPSEC redundancy for the remote site (ASA-PIX)

What would be the result if both are up? They would both be tunnelling traffic for the same remote subnet?

New Member

Re: IPSEC redundancy for the remote site (ASA-PIX)

I use just one Crypto Map...

crypto map CRYPTO_MAP 20 match address ACL_CRYPTO

crypto map CRYPTO_MAP 20 set peer Pub_IP_1 Pub_IP_2

crypto map CRYPTO_MAP 20 set transform-set ESP-3DES-MD5

I assume it uses the IPs in order... maybe I am wrong...

Re: IPSEC redundancy for the remote site (ASA-PIX)

It should do that.

The same idea.

If both are up, the first one will be chosen.

The same if you use one map with two sequence numbers.
