Re: OT: VPN redundancy

From: Alexei Monastyrnyi (alexeim@orcsoftware.com)
Date: Wed Apr 05 2006 - 10:50:09 GMT-3


Hi.

The problem with redundancy with HSRP+VRRP is that it is not a stateful
failover, i.e. if the primary fails, the secondary has to rebuild the tunnels
anyway. I don't know if it is critical for you.

With PIX (and most probably ASA) you have a stateful failover over a
dedicated LAN interface. I have 2 PIX 515E in failover mode with 7.1.1
on the primary and 7.1.2 on the secondary. I have a plan to restart the primary to
activate 7.1.2, which is on flash now.

Documentation claims that 7.1 has VPN stateful failover. 7.0 had
really buggy failover in general; you can have a look at the bug fixes.
Let's see if stateful failover for VPN works in 7.1. I will post results
as they happen.

A.

on 05/04/2006 15:28 Guyler, Rik wrote:
> I currently have a 3660 router that terminates nearly 25 vendor VPN tunnels.
> These tunnels are considered mission critical to our hospital operations and
> so an outage of much duration would be a hardship. Even with a 4-hour
> SmartNet it could take several hours to get this back up and running.
>
> I'm looking at various redundant setups so I could lose this router and
> still maintain connectivity. Here are the options I have considered so far
> in order of preference:
>
> 1) add a second router and set up HSRP/VRRP on both the inside and outside
> interfaces and terminate the tunnels to the virtual address on the outside.
>
> 2) set up a pair of ASA5500s and set up failover
>
> 3) set up a second router and build secondary tunnels to each vendor
>
> I like the sound of number one the best but I'm not sure if it will work. I'll
> lab it up to verify that unless somebody can say for sure it won't work. I
> really don't want to move over to the ASA boxes...I just love VPN on
> routers. Secondary tunnels would require a lot of work and time, so that's
> really the last option.
>
> Does anybody know of any other possible solutions to throw in the mix? Even
> some outrageous ideas might be fun to try and who knows...might just work.
> I'm open to any ideas or suggestions at this point!
>
> Thanks!
>
> Rik
>

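For readers labbing up option 1 from the thread, here is an added IOS configuration sketch (not from either poster) of the HSRP-based design Alexei describes: the crypto map is bound to the HSRP group on the outside interface, so the router that currently holds the virtual address terminates the tunnels, and after a failover the new active router rebuilds them from scratch. Interface names, the HSRP group name OUTSIDE-VPN, the crypto map name VENDORS, and all addresses (203.0.113.0/24 documentation range) are constructed for the example.

```cisco
! Outside interface on the primary router (constructed addresses).
! The crypto map is tied to the HSRP group, so the IPsec/ISAKMP local
! address follows the virtual IP 203.0.113.1 rather than the physical one.
interface FastEthernet0/0
 description Outside - vendor VPN tunnels terminate on the HSRP VIP
 ip address 203.0.113.2 255.255.255.0
 standby 1 ip 203.0.113.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 name OUTSIDE-VPN
 ! Fail over if the inside link dies, otherwise traffic blackholes on the VIP
 standby 1 track FastEthernet0/1 20
 crypto map VENDORS redundancy OUTSIDE-VPN
!
! Inside interface also runs HSRP so the hospital LAN's default gateway
! moves together with the outside VIP (second group, constructed addresses).
interface FastEthernet0/1
 description Inside - hospital LAN
 ip address 192.0.2.2 255.255.255.0
 standby 2 ip 192.0.2.1
 standby 2 priority 110
 standby 2 preempt
!
! Dead-peer detection: without it the vendor side may keep sending into a
! phase 1/2 SA that no longer exists on the newly active router until the
! SA lifetime expires. 10-second keepalive, 3-second retry.
crypto isakmp keepalive 10 3
```

The secondary router carries the same configuration, the same pre-shared keys or certificates, and the same crypto map, but with its own physical addresses and a lower standby priority (for example 100). Vendors must be given 203.0.113.1, the virtual address, as the peer. Because this is stateless failover, the check after a forced failover is `show standby brief` on the surviving router to confirm it is Active, then `show crypto isakmp sa` and `show crypto ipsec sa` to watch the 25 tunnels come back one by one as peers renegotiate; the gap between the failover and the last tunnel reappearing is the outage window Alexei is warning about, and it is what a stateful PIX/ASA pair is meant to eliminate.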


This archive was generated by hypermail 2.1.4 : Mon May 01 2006 - 11:41:56 GMT-3