Client to Site VPN and Stateful Failover

steve_burton
Level 1

I am using stateful failover, and when I fail over from one PIX to the other, the VPN clients' security associations are lost.

Does the PIX replicate SA information? It appears not; however, I suspect it should work.

2 Replies

russrice
Level 1

The PIX does not yet share key material or SA material (IKE or IPsec) between devices. It is pipelined on the roadmap.

-- Russell Rice

For the PIX or any other IPsec device to achieve stateful failover of the IPsec session, they would have to share either the session keys or the Diffie-Hellman seed values. These are at the center of the IPsec algorithm and must be protected at all costs. If they share any of these values and they get compromised, the data can then be decrypted. I would rather give up stateful failover of the IPsec session than risk compromising the confidentiality of the data. Use IKE keepalives; at least you will get failover, albeit not stateful.

Just my two cents worth.
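The trade-off the two replies describe, as an added example that is not code from the thread, from Cisco or from the PIX: a toy active/standby pair with an IPsec-style SA database. It shows three outcomes of a failover: the standby holds no SA and drops the client's ESP traffic; the SA (session key plus replay counter) is copied to the standby, so the key now lives on two boxes; and no SA is copied but the client's keepalives notice the dead peer and it renegotiates. The SA, Firewall and Client classes, the HMAC-SHA256 keystream standing in for ESP's cipher, the three-probe keepalive threshold and the random SPI/key generation standing in for IKE are all assumptions of this model, not how any product implements it.

```python
"""Toy active/standby firewall pair with an IPsec-style SA database.

Added example, not from this thread or from Cisco; it models only the
bookkeeping the replies discuss (which box holds the SA keys), not real
ESP or IKE. The "cipher" is an HMAC-SHA256 keystream XOR standing in for
ESP's encryption, and keepalive() stands in for IKE keepalives / DPD.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class SA:
    spi: int      # Security Parameter Index identifying the SA
    key: bytes    # session key: the secret the thread says must not leave the box
    seq: int = 0  # last ESP sequence number sent/accepted (anti-replay)


def keystream(key, spi, seq, n):
    """Deterministic keystream bound to (key, spi, seq); toy substitute for AES (assumption)."""
    out, block = b"", 0
    while len(out) < n:
        msg = spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class Firewall:
    def __init__(self, name):
        self.name = name
        self.sadb = {}  # spi -> SA; the state a stateful failover would have to replicate

    def install(self, sa):
        self.sadb[sa.spi] = sa

    def esp_decrypt(self, pkt):
        spi, seq, ct = pkt
        sa = self.sadb.get(spi)
        if sa is None or seq <= sa.seq:  # unknown SPI or replayed packet: silently dropped
            return None
        sa.seq = seq
        return xor(ct, keystream(sa.key, spi, seq, len(ct)))


class Client:
    def __init__(self):
        self.sa = None
        self.missed = 0

    def negotiate(self, fw):
        """Stand-in for an IKE exchange (assumption): fresh SPI and random key on both ends."""
        self.sa = SA(spi=int.from_bytes(os.urandom(4), "big"), key=os.urandom(32))
        fw.install(SA(self.sa.spi, self.sa.key))
        self.missed = 0
        return self.sa.spi

    def send(self, fw, plaintext):
        self.sa.seq += 1
        ks = keystream(self.sa.key, self.sa.spi, self.sa.seq, len(plaintext))
        return fw.esp_decrypt((self.sa.spi, self.sa.seq, xor(plaintext, ks)))

    def keepalive(self, fw, threshold=3):
        """Stand-in for IKE keepalive / DPD: the peer only answers if it holds our SA."""
        self.missed = 0 if self.sa.spi in fw.sadb else self.missed + 1
        return self.missed >= threshold  # True -> peer declared dead


def failover_without_sa_sync():
    """The behaviour reported in the thread: the standby knows nothing about the SA."""
    primary, standby = Firewall("primary"), Firewall("standby")
    c = Client()
    c.negotiate(primary)
    assert c.send(primary, b"hello") == b"hello"
    return c.send(standby, b"hello")  # None: unknown SPI on the standby


def failover_with_sa_sync():
    """Stateful failover: session key and replay counter are copied to the standby."""
    primary, standby = Firewall("primary"), Firewall("standby")
    c = Client()
    c.negotiate(primary)
    c.send(primary, b"hello")
    for sa in primary.sadb.values():  # the session key now lives on two boxes
        standby.install(SA(sa.spi, sa.key, sa.seq))
    return c.send(standby, b"hello")  # b"hello"


def failover_with_keepalives():
    """Non-stateful failover: keepalives notice the dead peer and the client renegotiates."""
    primary, standby = Firewall("primary"), Firewall("standby")
    c = Client()
    old_spi = c.negotiate(primary)
    dead = any(c.keepalive(standby) for _ in range(3))  # three unanswered probes
    new_spi = c.negotiate(standby) if dead else old_spi
    return {"dead_detected": dead, "rekeyed": new_spi != old_spi,
            "after_rekey": c.send(standby, b"hello")}


if __name__ == "__main__":
    print(failover_without_sa_sync(), failover_with_sa_sync(), failover_with_keepalives())
```

The model also shows why replicating the SA is not only a key-distribution question: the standby needs the anti-replay counter as well, otherwise it either accepts replays or rejects live traffic, which is why a real stateful implementation has to keep that state in sync continuously rather than copy it once.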