[c-nsp] No VPNs with Active/Active?!

Jeff Kell jeff-kell at utc.edu
Tue Mar 7 21:51:36 EST 2006


Joseph Jackson wrote:
> VPNs work only in single, routed mode. VPN functionality is unavailable
> in configurations that include either security contexts, also referred
> to as multi-mode firewall, or Active/Active stateful failover. 
>
>
> I was hoping this is a typo as I just don't want to believe you can't
> use the PIX as a VPN device in the Active/Active config. 

Unfortunately that is correct.  Nor can you run a routing protocol in
active/active.
And active/active does not mean load sharing.

The initial literature hinted that you could have load-sharing VPN
active/active and the whole nine yards, but such is not the case.

You can have multiple contexts, each context can have an active/standby
instance split across the active/active pair, but only *one* active side
per context at any given time.  You can assign the 'active' side of each
context to either of the pair.

It is VERY VERY confusing :-)  I'm still trying to nail down all the
little peculiarities.

They may address the VPN limitation in a future software revision, but
right now it's a definite NO.

Jeff
