09-24-2008 02:09 AM - edited 02-21-2020 03:57 PM
Hi,
I have a design question regarding IPsec VPN redundancy.
I'm using 2 PIX 515 (6.3.5) on the central site (with 1 ISP for each) and 1 ASA 5510 (7.2.4) on the remote site (1 ISP).
The remote site establishes the tunnel to the main site on PIX1. If PIX1 is not available, the ASA tries PIX2.
(crypto map CRYPTO set peer IP1 IP2)
It appears to work, but I would like to know the limitations of that kind of design, and how it works precisely.
If both PIXes are up (which is the case), which PIX does the ASA choose? (Routing issue on the central site?)
If both PIXes are up, what makes the ASA decide to send through VPN1 or VPN2?
Thank you for your answer.
09-24-2008 02:40 AM
I can guess you use one crypto map with two sequence numbers, for example:
crypto map CRYPTO 10
crypto map CRYPTO 20
This way you will manually choose which PIX will be the primary and which one the secondary.
When the first one is down, the link will start the connection with the second.
The limitation of this approach is that the ASA has to restart the tunnel, so if there was an active session, the session needs to be restarted,
but it is operational.
Good luck.
If helpful, rate.
09-24-2008 02:44 AM
What would be the result if both are up? Would they both be tunnelling traffic for the same remote subnet?
09-24-2008 02:45 AM
I use just one crypto map...
crypto map CRYPTO_MAP 20 match address ACL_CRYPTO
crypto map CRYPTO_MAP 20 set peer Pub_IP_1 Pub_IP_2
crypto map CRYPTO_MAP 20 set transform-set ESP-3DES-MD5
I assume it uses the IPs in order... maybe I am wrong...
09-24-2008 02:48 AM
It should do that.
The same idea:
if both are up, the first one will be chosen,
the same as if you use one map with two sequence numbers.
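For reference, here is what the remote-site ASA 7.2 configuration for the two-peer crypto map discussed in this thread looks like when the failure detection that drives the failover is made explicit. This is an added example, not configuration posted by anyone in the thread; the ACL, transform-set and peer names are the ones used above, and the pre-shared key is a placeholder.

```cisco
! Remote-site ASA 5510 (7.2.x). Peers are tried in the order listed:
! Pub_IP_1 is primary, Pub_IP_2 is only used once Pub_IP_1 is declared dead.
crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto map CRYPTO_MAP 20 match address ACL_CRYPTO
crypto map CRYPTO_MAP 20 set peer Pub_IP_1 Pub_IP_2
crypto map CRYPTO_MAP 20 set transform-set ESP-3DES-MD5
crypto map CRYPTO_MAP interface outside
crypto isakmp enable outside
!
! One tunnel-group per peer address. The ISAKMP keepalive (DPD) is what lets the
! ASA notice that the primary PIX is unreachable; without it the switch to the
! second peer only happens when the SA lifetime expires or traffic is retried.
tunnel-group Pub_IP_1 type ipsec-l2l
tunnel-group Pub_IP_1 ipsec-attributes
 pre-shared-key <PSK_PLACEHOLDER>
 isakmp keepalive threshold 10 retry 2
!
tunnel-group Pub_IP_2 type ipsec-l2l
tunnel-group Pub_IP_2 ipsec-attributes
 pre-shared-key <PSK_PLACEHOLDER>
 isakmp keepalive threshold 10 retry 2
!
! Verification: the "Peer" column shows which PIX currently holds the IKE SA.
! show crypto isakmp sa
! show crypto ipsec sa
```

Both PIXes on the central site also need the remote subnet behind a route that reaches whichever of them currently terminates the tunnel, since the ASA decides the peer and the central site must be able to return traffic through that same PIX.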