
Site2Site VPN and path redundancy using PIX 7.0 and OSPF

Hi everybody

Here is my problem:

-two sites with one PIX firewall each (PIX 7.0)

-the two sites are both connected to Internet and connected to each other by a FR link

(see the attached diagram)

My target:

VPN redundancy (path redundancy).

What I decided to implement:

I decided to run OSPF on the firewalls. The OSPF hellos and LSAs will bring up and keep up the two tunnels needed to exchange the routing information.

Once the routing information is injected, each firewall knows the interface, and consequently the crypto map, to use in order to encrypt and send out the packets.

I defined the nonat and the crypto access lists, the connections are established, the firewalls exchange the information, and the packets between the two LANs are sent out through the desired "active" tunnel (Internet). Everything seems to be fine. Now, because I wanted to test in the lab before going into production with this configuration, I decided to run some tests.

One of them:

1. I disconnected the outside interface of the LAN A firewall (left firewall).

2. The OSPF neighbor state was Full/- (these are defined as point-to-point links). After disconnecting, it changed to "Down", which was normal.

3. The traffic switched to the Frame Relay tunnel as expected.

4. I connected the outside interface back, but the traffic kept going through the Frame Relay interface. At this point I could clearly see the isakmp sa status as "ACTIVE" on both interfaces, so the IKE phase 1 was completed.

5. Also, the IPSec sa for the OSPF packets sent by the reconnected interface was present and doing its job. The firewalls reestablished the adjacency on the Internet path.

6. Doing a show crypto ipsec sa, I could see that a ping that I was running was working fine but, surprise ... using the Frame Relay path.

7. The neighbor reachable using this path went down or to INIT state, but the traffic was still flowing through this path.

8. To make things even worse, I could see the routing table reestablished as before, minus the Frame Relay route.

Why is this happening? My explanation for this is that the IPSec tunnel that was encrypting the traffic before the reconnection was still in place, and the firewalls didn't need to renegotiate another tunnel using the preferred route (Internet), even though the new route came up and had a better cost (was preferred).

How can I fix this ?

Is the design correct ?

What other solutions are available ?

Thank you



Re: Site2Site VPN and path redundancy using PIX 7.0 and OSPF

PIX Firewall Version 7.0 introduces support for redundancy among Easy VPN Servers. You can define a list of servers on an Easy VPN Server that can be pushed to the Easy VPN Remote. When no backup Easy VPN Server is configured, what happens after a failure to connect to the Easy VPN server depends on SUA status and whether the Easy VPN Remote device is in client mode or network extension mode. In client mode, without SUA, traffic continues to trigger subsequent connections to the Easy VPN Server. In network extension mode, without SUA, the Easy VPN Remote device continually tries to reconnect to the primary server. With SUA, a connection failure message is displayed and all connection attempts must be manually triggered.

To define a list of backup servers, enter the following command on the PIX Firewall used as the Easy VPN Server:

vpngroup groupname backup-server ipaddr1 [ipaddr2 .. ipaddr10]

To clear the current client configuration, enter the following command on the PIX Firewall used as the Easy VPN Server:

vpngroup groupname backup-server clear-client-cfg
