From: Guyler, Rik (rguyler@shp-dayton.org)
Date: Wed Apr 05 2006 - 11:12:43 GMT-3
Thanks for the reply. Stateful failover would be nice but I don't consider
it necessary. If the SAs had to be rebuilt on the backup router then that
would happen dynamically and within seconds so the worst case scenario is
something would have to be retransmitted or reconnected.
We'll see. I haven't ruled out the ASA boxes yet but they aren't at the top
of the list. Some of the newer IOS supports SSO failover for IPSEC but
unfortunately not on a 3600 series. I would have to buy two new 3800
routers. Oh darn... ;-)
Rik
-----Original Message-----
From: Alexei Monastyrnyi [mailto:alexeim@orcsoftware.com]
Sent: Wednesday, April 05, 2006 9:50 AM
To: Guyler, Rik
Cc: 'ccielab@groupstudy.com'
Subject: Re: OT: VPN redundancy
Hi.
The problem with redundancy with HSRP+VRRP is that it is not a stateful
failover, i.e. if primary fails, secondary has to rebuild tunnels anyway. I
don't know if it is critical for you.
With PIX (and most probably ASA) you have a stateful failover over dedicated
LAN interface. I have 2 PIX 515E in failover mode with 7.1.1 on primary and
7.1.2 secondary. Have a plan to restart the primary to activate 7.1.2 which
is on flash now.
Documentation claims that 7.1 has a VPN stateful failover. 7.0 had really
buggy failover in general, you can have a look at bug fixes.
Let's see if stateful failover for VPN works in 7.1. Will post results as it
happens.
A.
on 05/04/2006 15:28 Guyler, Rik wrote:
> I currently have a 3660 router that terminates nearly 25 vendor VPN tunnels.
> These tunnels are considered mission critical to our hospital
> operations and so an outage of much duration would be a hardship.
> Even with a 4-hour SmartNet it could take several hours to get this back
> up and running.
>
> I'm looking at various redundant setups so I could lose this router
> and still maintain connectivity. Here are the options I have
> considered so far in order of preference:
>
> 1) add a second router and setup HSRP/VRRP on both the inside and
> outside interfaces and terminate the tunnels to the virtual address on the
> outside.
>
> 2) setup a pair of ASA5500s and setup failover
>
> 3) setup a second router and build secondary tunnels to each vendor
>
> I like the sound of number one the best but not sure if it will work.
> I'll lab it up to verify that unless somebody can say for sure it
> won't work. I really don't want to move over to the ASA boxes...I
> just love VPN on routers. Secondary tunnels would require a lot of
> work and time so that's really the last option.
>
> Does anybody know of any other possible solutions to throw in the mix?
> Even some outrageous ideas might be fun to try and who knows...might just
> work.
> I'm open to any ideas or suggestions at this point!
>
> Thanks!
>
> Rik
>
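Option 1 from the thread (HSRP on both interfaces, tunnels terminating on the outside virtual address), sketched as an added IOS configuration that is not from any of the posters. Hostnames, addresses, ACL names and the pre-shared key are constructed placeholders; the secondary router carries the same configuration with its own interface addresses and lower HSRP priorities.

```cisco
! Added illustration of option 1: the crypto map is bound to the outside HSRP
! group, so ISAKMP/IPsec use the virtual address as the local peer address and
! only the active router terminates the vendor tunnels. This is the stateless
! form: SAs are rebuilt on the standby after a failover, as the thread notes.
! ---- Primary router (addresses and names are constructed placeholders) ----
hostname VPN-RTR1
!
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 2
! one key per vendor peer; EXAMPLE-PSK is a placeholder
crypto isakmp key EXAMPLE-PSK address 203.0.113.10
!
crypto ipsec transform-set TS esp-aes esp-sha-hmac
!
crypto map VENDORS 10 ipsec-isakmp
 set peer 203.0.113.10
 set transform-set TS
 match address VENDOR1-TRAFFIC
!
interface FastEthernet0/0
 description outside
 ip address 198.51.100.2 255.255.255.0
 standby 1 ip 198.51.100.1
 standby 1 priority 110
 standby 1 preempt
 standby 1 name OUTSIDE-HSRP
 ! lose priority if the inside link drops so both VIPs move together
 standby 1 track FastEthernet0/1 20
 ! tie the crypto map to the HSRP group (stateless IPsec redundancy)
 crypto map VENDORS redundancy OUTSIDE-HSRP
!
interface FastEthernet0/1
 description inside
 ip address 10.0.0.2 255.255.255.0
 standby 2 ip 10.0.0.1
 standby 2 priority 110
 standby 2 preempt
 ! lose priority if the outside link drops so the inside VIP follows it
 standby 2 track FastEthernet0/0 20
!
ip access-list extended VENDOR1-TRAFFIC
 permit ip 10.0.0.0 0.0.0.255 192.168.50.0 0.0.0.255
```

Each vendor peer must be configured with the outside virtual address (198.51.100.1 here) as its peer, not either router's physical address, and the interface tracking keeps the inside and outside HSRP groups active on the same router.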
This archive was generated by hypermail 2.1.4 : Mon May 01 2006 - 11:41:56 GMT-3