PIX with VPN failover

apriore685
Level 1

Hello

I have an upcoming project that has to deal with setting up a 2nd PIX for the purpose of VPN failover. The existing firewall is configured and has a working VPN config. The customer would like a 2nd firewall set up for redundant VPN connections. Hence if the first firewall fails for any reason the second firewall will become active and resume VPN connections. Is this possible? If so, can you possibly provide config examples?

Thanks in advance

2 Replies

jsivulka
Level 5

Setting up IPSec VPN with a PIX which is part of a failover pair is possible. The configuration for IPSec is the same as when the PIX is not in the failover pair. However, with failover configured, the PIX does not replicate the ISAKMP and the IPSec SA tables to the secondary PIX on failover. The remote end continues to send packets using the negotiated SAs. Thus you could end up without a tunnel for quite some time after failover. The workaround is to clear the SAs manually. A better option is to use the command 'crypto isakmp keepalive' to enable automatic dead peer detection. The only requirement is that both the devices must support this.
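
The following is a constructed PIX 6.3-style configuration fragment added here to illustrate the reply above; it is not from this thread or from Cisco documentation. Interface names, addresses, the crypto map and ACL names, the peer address and the pre-shared key placeholder are all assumptions, and the `isakmp keepalive` form shown is the PIX 6.x syntax (7.x and later place the equivalent keepalive under the tunnel-group, so check the command reference for your version). It shows the failover pair, an ordinary site-to-site IPSec configuration, dead peer detection so a failed-over tunnel is torn down and renegotiated by the peer, and the manual SA-clearing fallback as comments.

```cisco
! --- Failover pair (assumed addresses; the standby unit takes over
! --- the primary IPs below, so the crypto map needs no second peer)
failover
failover poll 15
failover ip address outside 203.0.113.3
failover ip address inside 192.168.1.3
! Stateful failover replicates connection tables, NOT ISAKMP/IPSec SAs
failover link stateful

! --- Interesting traffic for the tunnel (assumed subnets)
access-list VPN-ACL permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

! --- IPSec: identical to a single-PIX configuration
sysopt connection permit-ipsec
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map VPNMAP 10 ipsec-isakmp
crypto map VPNMAP 10 match address VPN-ACL
crypto map VPNMAP 10 set peer 198.51.100.1
crypto map VPNMAP 10 set transform-set ESP-3DES-SHA
crypto map VPNMAP interface outside

! --- ISAKMP (pre-shared key is a placeholder; use a real secret)
isakmp enable outside
isakmp key <PRE-SHARED-KEY-PLACEHOLDER> address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400

! --- Dead peer detection: send a keepalive every 10 s, retry every 3 s
! --- when unanswered. After failover the new active unit has no SAs,
! --- so the remote peer's keepalives go unanswered, it drops its stale
! --- SAs and renegotiates instead of black-holing traffic until the
! --- SA lifetime expires. The remote peer must also support DPD.
isakmp keepalive 10 3

! --- Manual fallback when DPD is not available on both ends
! --- (run on the remote peer after a failover is observed):
!   clear crypto isakmp sa
!   clear crypto ipsec sa
! --- Verify the pair and the tunnel state:
!   show failover
!   show crypto isakmp sa
!   show crypto ipsec sa
```

The keepalive values are a starting point: a shorter interval detects a failed-over peer faster at the cost of extra ISAKMP traffic, and the retry value must still give the peer time to complete its own failover before the tunnel is declared dead.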

Thanks for the advice. Do you happen to know of any white papers showing this?

Thanks

Anthony