08-14-2006 11:24 AM - edited 02-21-2020 02:34 PM
Hi,
How do I enable site-to-site tunnel redundancy on PIX, so that if one of the peers is not responding, the tunnel gets established with the second configured peer?
I read about configuring multiple peers with the crypto map command:
crypto map redundant 10 set peer 1.1.1.1
crypto map redundant 10 set peer 1.1.1.2
Will this work ?
If the first peer comes back online, will the VPN tunnel move over?
What's the best way?
I am running PIX version 6.3.
Thanks!
08-14-2006 11:36 AM
Multiple peers would be the way to go. You could also configure Dead Peer Detection (DPD) to speed up the failover.
isakmp keepalive 30 [interval] 5 [retry]
It does not have a failback feature.
You could shorten the lifetime so the tunnels don't last as long and start back at the top of the peer list.
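As an added example (not part of the original posts and not the thread authors' configuration), here is how the three pieces from the reply above fit together on a PIX 6.3: both peers on a single crypto map entry, DPD keepalives, and a shortened IPsec SA lifetime so a tunnel that has failed over to the second peer expires sooner and retries the peer list from the top. The peer addresses, subnets, access-list name, transform-set name and pre-shared key are placeholders.

```text
! Added example: PIX 6.3 redundant-peer site-to-site VPN (placeholder values)
access-list vpn-acl permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

isakmp enable outside
isakmp identity address
! DPD: send a keepalive every 30 seconds, retry every 5 seconds when unanswered
isakmp keepalive 30 5
! one pre-shared key per peer address
isakmp key 0 ChangeMeSharedSecret address 1.1.1.1 netmask 255.255.255.255
isakmp key 0 ChangeMeSharedSecret address 1.1.1.2 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

! both peers on the same crypto map entry; the first listed is tried first
crypto map redundant 10 ipsec-isakmp
crypto map redundant 10 match address vpn-acl
crypto map redundant 10 set peer 1.1.1.1
crypto map redundant 10 set peer 1.1.1.2
crypto map redundant 10 set transform-set ESP-3DES-SHA
! shorter IPsec SA lifetime (1 hour instead of the 8-hour default) so the
! tunnel re-negotiates sooner and starts again at the top of the peer list
crypto map redundant 10 set security-association lifetime seconds 3600
crypto map redundant interface outside

sysopt connection permit-ipsec
```

Adding the second `set peer` line and the keepalive to an already-applied crypto map does not require removing the map; the new settings take effect when the tunnel is next negotiated. Verify the peer in use afterwards with `show crypto isakmp sa` and `show crypto ipsec sa`.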
08-14-2006 01:05 PM
Thanks! This is what I was looking for.
I guess I need to:
1. Remove the crypto Map
2. Modify it
3. Reapply
in that order. But that would affect my other connections as well. Is there any safe way out?
Regards
RPS
08-14-2006 03:36 PM
You can add the changes without removing the crypto map. Then schedule a manual clearing of the tunnel during off hours. When the tunnel rebuilds it will have the new settings.
Clear tunnel:
conf t
clear crypto isa sa
clear crypto ips sa
Thanks,
Chad
Please rate posts if they help.