Dead Peer Detection - will remote PIX reconnect ?

Posted on 2003-11-09
Last Modified: 2013-11-16
Hi all,

Well, time for me to ask a question. I've done the research and can't find the answer anywhere, and I don't yet have any practical experience in this situation (PIX failover).

I have a PIX 515 that is going to be upgraded to a pair of 515E's in a failover configuration. There are approximately 150 PIX 501's that each connect a VPN tunnel back to the 515 (this situation is a retail store chain, hence the large number of remote sites). I know that even with stateful failover, the IPSec information will not failover to the backup PIX 515E.

My question is, with Dead Peer Detection (isakmp keepalives), will the remote 501's attempt to reconnect after they stop receiving a response to their keepalive packets? I want the situation where, if a failover occurs, all of the store 501's will automatically attempt to reconnect, so that when they do this it will be to the standby PIX.
Question by:td_miles
LVL 79

Expert Comment

by:lrmoore
ID: 9714828
You're in luck. In a failover pair, if the primary fails, the secondary takes on the complete identity of the primary. Therefore, there is only one external IP address for the remotes to connect to. The VPN tunnels will be preserved.
 
LVL 13

Author Comment

by:td_miles
ID: 9718911
Can you point to any source of information that indicates that the VPN tunnels will be preserved? All of the material I found says that the VPN tunnels are NOT replicated to the standby unit. The following is from IOS 6.2, so unless they changed it in 6.3, it isn't any different. E.g.:

-----------------------------
http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/config/failover.htm

What information is replicated to the standby PIX Firewall on Stateful Failover?
* The configuration.
* TCP connection table including timeout information of each connection.
* Translation (xlate) table.
* System up time; that is, the system clock is synchronized on both PIX Firewall units.

What information is not replicated to the standby PIX Firewall on Stateful Failover?
* The user authentication (uauth) table.
* The ISAKMP and IPSec SA table.
* The ARP table.
* Routing information.
-----------------------------

So the situation I would have after failover the 515E that was now active (the failover unit) would not have all of the VPN endpoints on it (ISAKMP & SA tables). The 501's would still think that it should, as the IP address would not have changed (part of failover). So the question still stands, will the 501's be able to automatically re-connect the tunnels (ie. they will need to sense that the 515E at the other end has dropped the tunnel and so then they can initiate it again).
 
LVL 79

Accepted Solution

by:
lrmoore earned 400 total points
ID: 9719115
I know I read somewhere that they were going to extend the stateful failover to the VPN, but I can't find the document.. it might be in 6.4 (to be released tbd). Even 6.3

----------------------------------
Stateful Failover—During normal operation, the active unit continually passes per-connection stateful information to the standby unit. After a failover occurs, the same connection information is available at the new active unit. Supported end-user applications are not required to reconnect to keep the same communication session.
The state information passed to the standby unit includes:

NAT translation table
TCP connection states
H.323, SIP, and MGCP UDP media connections
----------------------------------
What information is not replicated to the standby PIX Firewall on Stateful Failover?
The user authentication (uauth) table.
The ISAKMP and IPSec SA table.
The ARP table.
Routing information.
Other UDP connections.
----------------------------------
Even though the ISAKMP state is not maintained, the tunnel is re-created on the fly.
From experience, the VPN tunnel will automatically re-build itself almost instantly. I have several PIX failover pairs with permanent LAN-LAN VPN tunnels. I've never had a problem.
To test it out, simply power off the PIX, then power it back on. You broke the VPN connections, the state was certainly not maintained during power off, and the tunnels are rebuilt almost instantly. The same thing happens on a failover. It just works..
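The sequence lrmoore describes above, as a constructed Python model added here (not code from the thread or from Cisco): the failover pair keeps one outside address but does not replicate its ISAKMP/IPSec SA table, so the 501's keepalives go unanswered after the switch until it declares the peer dead and re-initiates IKE against the new active unit. The keepalive interval, retry interval and retry count are assumed values, not PIX defaults.

```python
"""Constructed model of a PIX 501 with ISAKMP keepalives recovering from a
515E failover. Timings below are assumptions for the model, not PIX defaults."""
from dataclasses import dataclass, field

KEEPALIVE_INTERVAL = 10   # seconds between keepalives while the peer answers
RETRY_INTERVAL = 2        # seconds between retries once a reply is missed
MAX_RETRIES = 3           # unanswered retries before the peer is declared dead


@dataclass
class HeadEnd:
    """Failover pair sharing one address; each unit has its own SA table."""
    active: str = "primary"
    sa_tables: dict = field(default_factory=lambda: {"primary": set(), "secondary": set()})

    def negotiate(self, remote: str) -> None:
        """IKE completes: an SA for this peer now exists on the active unit only."""
        self.sa_tables[self.active].add(remote)

    def answer_keepalive(self, remote: str) -> bool:
        # Only a unit that holds an SA for this peer can answer its keepalive.
        return remote in self.sa_tables[self.active]

    def failover(self) -> None:
        self.active = "secondary" if self.active == "primary" else "primary"


def simulate(head_end: HeadEnd, remote: str, failover_at, horizon: int):
    """Run one remote over [0, horizon). Returns (time of re-negotiation or None, log)."""
    head_end.negotiate(remote)
    log, t, misses, reconnect, failed = [], 0, 0, None, False
    while t < horizon:
        if failover_at is not None and t >= failover_at and not failed:
            head_end.failover(); failed = True; log.append((t, "failover"))
        if head_end.answer_keepalive(remote):
            misses = 0; log.append((t, "ack")); t += KEEPALIVE_INTERVAL
            continue
        misses += 1; log.append((t, f"miss{misses}"))
        if misses > MAX_RETRIES:
            # Peer declared dead: 501 drops its SAs and re-initiates IKE, and the
            # new active unit builds a fresh SA for it.
            head_end.negotiate(remote); log.append((t, "renegotiated"))
            reconnect = t if reconnect is None else reconnect
            misses = 0; t += KEEPALIVE_INTERVAL
        else:
            t += RETRY_INTERVAL
    return reconnect, log
```

With a failover at t=15 the remote sees its t=20 keepalive and three retries go unanswered and re-negotiates at t=26, after which keepalives are answered by the secondary unit.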
 
LVL 13

Author Comment

by:td_miles
ID: 9719373
You're right, I hadn't thought of it like that. Unfortunately, I don't have a failover pair to try it on (yet), but I tried it on another VPN tunnel and it did come back up almost immediately once there was traffic over it (after a reload of the PIX at one end).

Just wanted to make sure before I say "yep, it will all be fine"
 
LVL 79

Expert Comment

by:lrmoore
ID: 9719404
<8-}
