Redundancy options for IOS CA?

alec.waters
Level 1

Hi,

I have an IOS CA that serves a VPN made up of two 3845s at the headend and a number of PIX501s at remote sites. The CA is running on one of the 3845s. I'm using an HSRP address as the IPSec peer address on the PIXes (IPSec stateless failover), so that (theoretically) a failure of one of the 3845s won't affect the VPN too much. It seems to work pretty well - if I take the "active" 3845 offline, the VPN connections fail over to the second box.

However, I have a problem if the CA router is offline. If a PIX is switched on or reloaded, it doesn't have the CRL. In this case, VPN authentication will fail because the CRL (fetched via SCEP from the CA) can't be retrieved.

Is there any way I can use the second 3845 as a "backup" CA? Could I configure it as a subordinate CA or something? Then maybe I could use the HSRP address for enrollment (and therefore also CRL retrieval), so the CRL was always available even if the root CA router is offline?

many thanks,

alec

3 Replies

smahbub
Level 6

As far as I know currently the feature of having a primary and secondary IOS CA server is not supported.

todd.gann
Level 1

I have talked about this with one of our Cisco reps and he said there is not currently a way to "cluster" the IOS CA. He did mention storing the CA-related files on the removable flash and moving that to the other router when there is a failure in the primary. This would obviously not be automated, but could help provide some redundancy at the CA level. I have not migrated to the IOS CA for this reason. I still use a Windows CA.

Hi,

I have plans in place for CA restoration, but in some circumstances this won't help me. It's all down to CRL availability.

We have a primary site and a backup site. My PIX501 clients have their crypto maps configured with peer IP addresses at both. ACLs are used at the primary and backup sites to control which one the PIXes connect to, as the PIX doesn't support a "preferred" IPSec peer like the routers do.

If the primary site fails, the ACLs at the backup site are altered manually to allow IPSec connections to be made. The PIX501 clients fetch the CRL via SCEP, because that's the only way they can do it (AFAIK!). However, I think they're going to try to get the CRL from the primary site, which is unavailable.

I guess what I'm really after is CRL redundancy, not CA redundancy.

Does anyone have any ideas?

thanks,

alec