VPN between router and PIX failover doesn't work

dsamaan · ‎04-04-2003

I' running a VPN between a pair of PIX515E w/ 6.3.1 in LAN-based FO and a 1721 VPN router. My VPN tunnel is up and works fine both ways. I force a failover to the standby by pulling one of the cables on the Primary and the failover works fine and the VPN tunnel works. I'm testing via PING.

I have 2 isssues. 1) Ping resumes fine, but FTP or Telnet doesn't. 2) When I plug the ole Primary back in and force the failover back using "failover active", the Primary resumes as the "primary", but nothing works anymore, PING, Telnet, HTTP. Even if I stop the ping and re-initiate the ping it doesn't work.

The only way it will work is if I clear both the IKE and IPSEC SA's on the PIX and 1721 Router.

in my failover config I'm using LAN-based and configured used the 'failover mac address' command.

I've seen some cookbook configs were the command 'route-map' is on the vpn router, I don't have this configured on mine. Can't see why that would make a difference.

gfullage · ‎04-07-2003

Failover in the PIX does not support VPN failover, so your tunnels to the active PIX are not replicated to the standby. when the units fail over, the router still has tunnel's built and continues to send packets over them, but the newly active PIX doesn't know anything about them and will drop the packets. Clearing the tunnels on the router makes it initiate new tunnels and everything works fine after that. There is no workaround for this as yet, but IPSec failover is being talked about for a future release.

Best thing at the moment is to enable isakmp keepalives on both sides, so that when the tunnels do go down the router will discover it fairly quickly (rather than having to wait till the SA expiry timer) and will rebuild them to the newly active PIX.