[c-nsp] No VPNs with Active/Active?!
Jeff Kell
jeff-kell at utc.edu
Tue Mar 7 21:51:36 EST 2006
Joseph Jackson wrote:
> VPNs work only in single, routed mode. VPN functionality is unavailable
> in configurations that include either security contexts, also referred
> to as multi-mode firewall, or Active/Active stateful failover.
>
>
> I was hoping this is a typo as I just don't want to believe you can't
> use the PIX as a VPN device in the Active/Active config.
Unfortunately that is correct. Nor can you run a routing protocol in
active/active.
And active/active does not mean load sharing.
The initial literature hinted that you could have load-sharing VPN
active/active and the whole nine yards, but such is not the case.
You can have multiple contexts, each context can have an active/standby
instance split across the active/active pair, but only *one* active side
per context at any given time. You can assign the 'active' side of each
context to either of the pair.
It is VERY VERY confusing :-) I'm still trying to nail down all the
little peculiarities.
They may address the VPN limitation in a future software revision, but
right now it's a definite NO.
Jeff
More information about the cisco-nsp
mailing list