12-08-2002 05:30 AM - edited 02-20-2020 10:25 PM
Hi all!
If I use two firewalls in a redundant configuration and the PIX terminates IPSec, do the active and standby PIX replicate the IPSec and IKE session information (SPI number, actual DES key, packet sequence, ...), or, if the active PIX fails, does the standby PIX (which goes active) reinitialize the IPSec/IKE connection with the remote peer?
12-08-2002 06:34 AM
Hi,
Have a look at this URL:
Somewhere in the text you will find this:
What information is not replicated to the Standby PIX Firewall:
-The HTTP connection table
-The user authentication (uauth) table
-The ISAKMP and IPSec SA table
-The ARP table
-Routing information
Kind Regards,
Tom
12-08-2002 06:57 AM
Thanks.
It means that the standby PIX (which has just gone active) will renegotiate the IKE and IPSec sessions. Does the remote side (in the case of a PIX and in the case of IOS) accept it? It gets a packet with the same source address and will see that this PIX has forgotten the SAs and wants to renegotiate them...
12-09-2002 10:30 AM
If your secondary PIX ever becomes active when you have established IPSec connections to your primary PIX, the secondary will attempt to re-establish itself with each peer you have configured.
I haven't run into any problems with PIX-to-PIX VPN sessions after a failover, but results may vary on the IOS side of things. I would assume that the IOS routers will operate in the same fashion as the PIXes and just recreate the VPN session.
Regards,
-Joshua
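Added illustration (not from any of the posters above): a minimal PIX 6.x failover pair terminating a DES tunnel to an IOS router, with IKE keepalives on both ends so that the peer detects the stale SAs and accepts the renegotiation from the newly active unit. The crypto configuration is entered once on the primary and is replicated to the standby by failover; only the SA state is not. The addresses (192.0.2.2 as the shared outside address, 192.0.2.3 as the standby's own address, 198.51.100.1 as the IOS peer) and the names are hypothetical.

```text
! PIX (primary unit; replicated to the standby)
! hypothetical addresses: outside 192.0.2.2 is the active/shared address
failover
failover ip address outside 192.0.2.3
failover ip address inside 10.0.0.3
failover poll 15

isakmp enable outside
isakmp key ******** address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
! keepalives: assumption for this example, so stale SAs are detected after a failover
isakmp keepalive 10 3

access-list vpn permit ip 10.0.0.0 255.255.255.0 10.1.0.0 255.255.255.0
crypto ipsec transform-set ts esp-des esp-sha-hmac
crypto map vpnmap 10 ipsec-isakmp
crypto map vpnmap 10 match address vpn
crypto map vpnmap 10 set peer 198.51.100.1
crypto map vpnmap 10 set transform-set ts
crypto map vpnmap interface outside
sysopt connection permit-ipsec

! IOS peer (hypothetical router at 198.51.100.1)
! the peer address is the shared outside address, which follows the active unit
crypto isakmp policy 10
 authentication pre-share
 encryption des
 hash sha
 group 2
crypto isakmp key ******** address 192.0.2.2
crypto isakmp keepalive 10 3
```

After a failover, the unit that became active has no ISAKMP or IPSec SAs and starts a new IKE negotiation from 192.0.2.2; the keepalives let the IOS peer tear down the SAs it still holds for the old unit instead of keeping them until their lifetime expires, and `show crypto isakmp sa` on either side should show the freshly negotiated SA.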