Site2Site VPN and path redundancy using PIX 7.0 and OSPF
Here is my problem:
-two sites with one PIX firewall each (PIX 7.0)
-the two sites are both connected to Internet and connected to each other by a FR link
(see the attached diagram)
VPN redundancy (path redundancy).
What I decided to implement:
I decided to run OSPF on the firewalls. The OSPF hellos and LSAs bring up and keep up the two tunnels needed to exchange the routing information.
Once the routing information is injected, each firewall knows which interface, and consequently which crypto map, to use to encrypt and send out the packets.
I defined the nonat and the crypto access lists, the connections are established, the firewalls exchange the information, and the packets between the two LANs are sent out through the desired "active" tunnel (Internet). Everything seems to be fine. Because I wanted to test in the lab before going into production with this configuration, I ran some tests.
One of them:
1. I disconnected the outside interface of the LAN A firewall (left firewall).
2. The OSPF neighbor state was Full/- (these are defined as point-to-point links). After disconnecting, it changed to "Down", which was normal.
3. The traffic switched to the Frame Relay tunnel as expected.
4. I reconnected the outside interface, but the traffic kept going through the Frame Relay interface. At this point I could clearly see the isakmp sa status as "ACTIVE" on both interfaces, so IKE phase 1 was completed.
5. The IPsec SA for the OSPF packets sent by the reconnected interface was also present and doing its job; the firewalls re-established the adjacency on the Internet path.
6. Doing a show crypto ipsec sa, I could see that a ping I was running was working fine, but, surprise, it was using the Frame Relay path.
7. The neighbor reachable through this path went down or to INIT state, but the traffic was still flowing through this path.
8. To make things even worse, I could see the routing table re-established as before, less the Frame Relay route.
Why is this happening? My explanation is that the IPsec tunnel that was encrypting the traffic before the reconnection was still in place, so the firewalls did not need to renegotiate another tunnel using the preferred route (Internet), even though the new route came up and had a better cost (was preferred).
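For readers who want a concrete picture of the setup the post describes, here is an added PIX 7.0-style configuration for the LAN A firewall. It is not the poster's configuration: the interface names, ACL names, addresses (RFC 5737 and RFC 1918 placeholders), OSPF costs and the shortened IPsec SA lifetime are all assumptions. It shows the two points the post relies on: OSPF runs as unicast to a configured neighbor so its packets match the crypto ACL on each path and bring that tunnel up, and LAN-to-LAN traffic is matched by both crypto maps so whichever interface the routing table selects has an SA for it.

```cisco
! Added example, not the poster's config. LAN A is 10.1.0.0/24 behind this PIX,
! LAN B is 10.2.0.0/24 behind the peer. Peer addresses 203.0.113.2 (Internet)
! and 192.0.2.2 (Frame Relay) are assumed.
interface Ethernet0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.252
 ospf cost 10
 ospf network point-to-point non-broadcast
interface Ethernet1
 nameif fr
 security-level 0
 ip address 192.0.2.1 255.255.255.252
 ospf cost 100
 ospf network point-to-point non-broadcast
interface Ethernet2
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.0
!
! OSPF to a configured neighbor is unicast, so it matches the crypto ACL
! and keeps each tunnel up; the LAN-to-LAN line appears in BOTH crypto ACLs
! so either interface can carry the user traffic.
access-list CRYPTO_OUTSIDE extended permit ospf host 203.0.113.1 host 203.0.113.2
access-list CRYPTO_OUTSIDE extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list CRYPTO_FR extended permit ospf host 192.0.2.1 host 192.0.2.2
access-list CRYPTO_FR extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
access-list NONAT extended permit ip 10.1.0.0 255.255.255.0 10.2.0.0 255.255.255.0
nat (inside) 0 access-list NONAT
!
crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
! Assumption: a shorter SA lifetime bounds how long an SA built on the backup
! path survives after the preferred route returns (the poster's theory).
crypto ipsec security-association lifetime seconds 3600
crypto map OUTSIDE_MAP 10 match address CRYPTO_OUTSIDE
crypto map OUTSIDE_MAP 10 set peer 203.0.113.2
crypto map OUTSIDE_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP interface outside
crypto map FR_MAP 10 match address CRYPTO_FR
crypto map FR_MAP 10 set peer 192.0.2.2
crypto map FR_MAP 10 set transform-set ESP-AES-SHA
crypto map FR_MAP interface fr
isakmp enable outside
isakmp enable fr
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption aes
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
tunnel-group 203.0.113.2 type ipsec-l2l
tunnel-group 203.0.113.2 ipsec-attributes
 pre-shared-key <key>
tunnel-group 192.0.2.2 type ipsec-l2l
tunnel-group 192.0.2.2 ipsec-attributes
 pre-shared-key <key>
!
router ospf 1
 network 10.1.0.0 255.255.255.0 area 0
 network 203.0.113.0 255.255.255.252 area 0
 network 192.0.2.0 255.255.255.252 area 0
 neighbor 203.0.113.2 interface outside
 neighbor 192.0.2.2 interface fr
```

When reproducing the test, compare the encaps/decaps counters per peer in show crypto ipsec sa against show route after the outside interface comes back: if the route points at outside but the counters for peer 192.0.2.2 keep increasing, the existing SA on the Frame Relay path is still carrying the LAN-to-LAN traffic. Clearing that SA with clear crypto ipsec sa peer 192.0.2.2 forces a renegotiation and shows whether the traffic then follows the preferred route.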
Re: Site2Site VPN and path redundancy using PIX 7.0 and OSPF
PIX Firewall Version 7.0 introduces support for redundancy among Easy VPN Servers. You can define a list of servers on an Easy VPN Server that can be pushed to the Easy VPN Remote. When no backup Easy VPN Server is configured, what happens after a failure to connect to the Easy VPN server depends on SUA status and whether the Easy VPN Remote device is in client mode or network extension mode. In client mode, without SUA, traffic continues to trigger subsequent connections to the Easy VPN Server. In network extension mode, without SUA, the Easy VPN Remote device continually tries to reconnect to the primary server. With SUA, a connection failure message is displayed and all connection attempts must be manually triggered.
To define a list of backup servers, enter the following command on the PIX Firewall used as the Easy VPN Server: