Setting Up a Second Tunnel with Additional Pix's

[yarym]

Hello! We have a PIX 506 in 2 of our offices and we have a PIX-to-PIX tunnel. Management decided that we needed backup for our connection and installed cable modems to back up our T1's. Since 506 has only 1 interface, We can't use the cable connection to backup existing tunnel. So management has decided to buy 2 new cheaper 501's and create a seperate backup tunnel. They will also add the backup firewall as a second gateway with higher cost. Now this sounds like this will work, except I'm not sure how it will failover. If one T1 dies, but the other one is still up, will it failover properly? I'm not sure what will happen if traffic goes out on the backup tunnel, will it try to come back on the primary tunnel and never get to backup tunnel? Please help

 

[themut]

No it won't as the PIX firewalls will have different IP addresses. So if one T1 fails the other side will still route through the 506 due to the higher cost and since it doesn't have the proper config for the backup tunnel it will fail. Besides, if the main tunnel goes down, negotiations will occur for the new backup tunnel so it will not fail to the other transparently.

 

[yarym]

Ok, but if two machines on both sides of the tunnel have 2 gateways, and if the first tunnel is down, wouldn't that computer try the second gateway which will lead to the second tunnel???

 

[themut]

The first gateway is operational so the machine will send the packets there.

 

[yarym]

So any advise on how I can make this work?

 

[themut]

The 501s don't support OSPF so I think you are out of luck. Maybe someone else has a suggestion but none ocurr to me for your hardware at this time.

 

[Glen01]

yarym,

To repeat what you state in the beginning, the second gateway with a higher cost. This will mean if one side will fail, messages are not being delivered, the next route with higher cost will become active and this will be used until the low cost route becomes avaiable again. This will cause the traffic to be routed back to the lower cost route.

 

[themut]

Assuming proper routing is configured, if one side goes down then the lower cost route will become active on this side. Unencrypted packets will use this new route and they will be sent to the other side.

On the othe side, the higher cost route is still valid so it will never use the lower cost route. Unencrypted packets from the other side will be received but not the IPSec protected packets, since the tunnel went down. Now, since traffic is flowing through the 506 on this side (higher cost route still valid) the backup tunnel will not be negotiated since the tunnel is configured between the remote peer (506 down), which at this time is unavailable, and the 506 at this site. Hope my explanation makes sense.

 

[yarym]

Lets try something else. My PIX 506 Outside interface is connected to a Cisco 2600 Router for the T1. On the Router, I can set up another route with higher cost as backup. Will that mean that if T1 will go down, there will still be communication between the 2 firewalls?

 

[themut]

You got that one right! Under that setup the 501s are not needed since the two links to the Internet will connect to the 2600 router.

 

[Glen01]

floting point route, the PIX is a layer 3 device.

 

[yarym]

Thanks for the advise. The only thing though, will the 2 PIXs be able to negotiate the tunnel if it comes in on a different IP address. It might still get to the router, but now its to or from a different IP. I'm also just thinking of adding ISDN to the 2 Routers. Will that work? I never used ISDN and not sure how to even configure it.