600 Views | 0 Helpful | 3 Replies

PIX failover

gsebk (Level 1)

Hi all!

If I use two firewalls in a redundant configuration and the PIX terminates IPSec, do the active and standby PIX replicate IPSec and IKE session information (SPI number, actual DES key, packet sequence, ...), or, if the active PIX fails, does the standby PIX (which goes active) reinitialize the IPSec/IKE connection with the remote peer?

3 Replies

tvanginneken (Level 4)

Hi,

Have a look at this URL:

http://www.cisco.com/en/US/products/sw/secursw/ps2120/products_configuration_guide_chapter09186a008008996b.html

Somewhere in the text you will find this:

What information is not replicated to the Standby PIX Firewall:

- The HTTP connection table
- The user authentication (uauth) table
- The ISAKMP and IPSec SA table
- The ARP table
- Routing information

Kind Regards,

Tom

Thanks.

It means that the standby PIX (which has just gone active) will renegotiate the IKE and IPSec sessions. Does the remote side (in the case of a PIX and in the case of IOS) accept it? It gets a packet with the same source address and will see that this PIX has forgotten the SAs and wants to renegotiate them...

If your secondary PIX ever becomes active when you have established IPSec connections to your primary PIX, the secondary will attempt to re-establish itself with each peer you have configured.

I haven't run into any problems with PIX-to-PIX VPN sessions after a failover, but results may vary on the IOS side of things. I would assume that the IOS routers will operate in the same fashion as the PIXes and just recreate the VPN session.

Regards,

-Joshua
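The thread's conclusion is that connection state is synced to the standby but the ISAKMP/IPSec SA table is not, so the unit that goes active has to renegotiate with every peer. The following is an added toy model of that rule, not code from the thread or from Cisco: it replicates only the connection table, fails the active unit over, and shows that inbound ESP keyed by the peer's old SPI is dropped until the peer accepts a fresh negotiation from the same address. All table names, addresses and SPI values are constructed for illustration.

```python
"""Toy model of PIX stateful failover versus IPsec SA state (added example).

Models the quoted replication rule: the connection table is synced to the
standby, the ISAKMP/IPsec SA table (and ARP, uauth) are not.  After a
failover the new active unit still has the connections but no SAs, so ESP
arriving with the peer's old SPI is dropped until IKE is renegotiated.
"""
from dataclasses import dataclass, field
import itertools

FW_ADDR = "203.0.113.1"   # constructed: address the active unit owns (RFC 5737 range)
PEER_ADDR = "198.51.100.7"  # constructed: remote IPsec peer (PIX or IOS router)

REPLICATED = ("conn",)                                  # synced to standby
NOT_REPLICATED = ("isakmp_sa", "ipsec_sa", "arp", "uauth")  # local to each unit

_spi_counter = itertools.count(0x1000)  # deterministic stand-in for responder-chosen SPIs


@dataclass
class Peer:
    """Remote IKE peer.  Remembers which SPI it uses for ESP towards each firewall."""
    addr: str
    outbound_spi: dict = field(default_factory=dict)  # firewall address -> SPI

    def accept_sa(self, fw_addr: str, spi: int) -> None:
        # A new negotiation from an address that already has an SA replaces
        # the stale one.  A peer that refused would keep sending ESP with the
        # old SPI, which the newly active unit has no key for.
        self.outbound_spi[fw_addr] = spi


@dataclass
class Pix:
    name: str
    active: bool = False
    tables: dict = field(
        default_factory=lambda: {t: {} for t in REPLICATED + NOT_REPLICATED})

    def sync_to(self, standby: "Pix") -> None:
        """Stateful failover sync: only the replicated tables are copied."""
        for t in REPLICATED:
            standby.tables[t] = dict(self.tables[t])

    def negotiate_ipsec(self, peer: Peer) -> int:
        """IKE + IPsec negotiation: install ISAKMP SA and a fresh inbound IPsec SA."""
        spi = next(_spi_counter)
        self.tables["isakmp_sa"][peer.addr] = "established"
        self.tables["ipsec_sa"][spi] = peer.addr
        peer.accept_sa(FW_ADDR, spi)
        return spi

    def receive_esp(self, spi: int) -> str:
        """Inbound ESP lookup by SPI: no matching SA means nothing to decrypt with."""
        return "decrypt" if spi in self.tables["ipsec_sa"] else "drop"


def failover(active: Pix, standby: Pix) -> Pix:
    """Active unit fails; standby goes active with whatever state was synced to it."""
    active.active = False
    standby.active = True
    return standby


def scenario() -> dict:
    """Run the failover sequence and return the observations worth checking."""
    primary, secondary = Pix("primary", active=True), Pix("secondary")
    peer = Peer(PEER_ADDR)
    conn = "10.1.1.5:52000->198.51.100.20:443"  # constructed TCP connection entry
    primary.tables["conn"][conn] = "ESTABLISHED"
    old_spi = primary.negotiate_ipsec(peer)
    primary.sync_to(secondary)

    active = failover(primary, secondary)
    # Peer has not noticed anything: it still sends ESP with the old SPI.
    esp_before_rekey = active.receive_esp(peer.outbound_spi[FW_ADDR])
    isakmp_sas_after_failover = len(active.tables["isakmp_sa"])
    conn_survived = conn in active.tables["conn"]

    new_spi = active.negotiate_ipsec(peer)  # new active re-establishes with the peer
    esp_after_rekey = active.receive_esp(peer.outbound_spi[FW_ADDR])
    old_spi_after_rekey = active.receive_esp(old_spi)

    return {
        "conn_survived": conn_survived,
        "isakmp_sas_after_failover": isakmp_sas_after_failover,
        "esp_before_rekey": esp_before_rekey,
        "esp_after_rekey": esp_after_rekey,
        "old_spi_after_rekey": old_spi_after_rekey,
        "spi_changed": new_spi != old_spi,
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The interesting observation is `esp_before_rekey`: between the failover and the renegotiation, traffic the peer sends with the old SPI is silently dropped, which is the gap the question about peer acceptance is really about. A peer that replaces its SA when the same address negotiates again (as both replies report for PIX and expect for IOS) closes that gap; one that keeps the old SA until it times out extends it.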
