24-49
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 24 Managing Site-to-Site VPNs: The Basics
Creating or Editing VPN Topologies
Configuring High Availability in Your VPN Topology
Use the High Availability page of the Create VPN wizard and Edit VPN dialog box to define a group of
hubs as a high availability (HA) group. Configuring high availability is optional.
For information on opening the Create VPN wizard or Edit VPN dialog box, see Creating or Editing VPN
Topologies, page 24-28.
High Availability (HA) policies provide automatic device backup when configured on Cisco IOS routers
or Catalyst 6500/7600 devices that run IP over LANs. You can configure high availability in a
hub-and-spoke VPN topology that uses Regular IPsec or Easy VPN technologies.
In Security Manager, HA is supported by an HA group made up of two or more hub devices that use Hot
Standby Router Protocol (HSRP) to provide transparent, automatic device failover. By sharing a virtual
IP address, the hubs in the HA group present the appearance of a single virtual device or default gateway
to the hosts on a LAN. One hub in the HA group is always active and assumes the virtual IP address,
while the others are standby hubs. The hubs in the group watch for hello packets from active and standby
devices. If the active device becomes unavailable for any reason, a standby hub takes ownership of the
virtual IP address and takes over the hub functionality. This transfer is seamless and transparent to hosts
on the LAN and to the peering devices.
Keep the following points in mind when working with HA groups:
• You can configure High Availability only on hubs in a hub-and-spoke VPN topology that uses
Regular IPsec or Easy VPN technologies.
• You can configure high availability only on Cisco IOS routers or Catalyst 6500/7600 devices;
however, an HA group cannot contain both Cisco IOS routers and Catalyst 6500/7600 devices.
• If you want to configure stateful failover, the HA group can contain only two hubs, and they must
be Cisco IOS routers. You cannot use Catalyst 6500/7600 devices.
• You cannot configure High Availability on hubs that have been configured with VRF-Aware IPsec.
See Understanding VRF-Aware IPsec, page 24-14.
• You cannot configure GRE on an HA group.
• A device in an HA group can belong to more than one hub-and-spoke topology.
• A device configured as a hub in a site-to-site VPN with an HA configuration cannot be configured
as a hub in a different site-to-site VPN with an HA configuration using the same outside interface.
Similarly, such a device cannot be configured as a remote access VPN server on which HA is
configured using the same outside interface.
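As an added illustration (constructed here, not Security Manager output and not from the Cisco guide), the following shows the kind of HSRP and IPsec configuration that an HA group of two IOS hubs corresponds to on the device side; the interface, addresses, the crypto map name VPN-MAP and the standby group name HA-GRP are assumptions.

```cisco
! Constructed example: HSRP-based HA group on two Cisco IOS hubs.
! Interface, addresses, VPN-MAP and HA-GRP are assumed names/values.
!
! --- Hub 1 (preferred active hub) ---
interface GigabitEthernet0/0
 description Outside interface shared by the HA group
 ip address 192.0.2.2 255.255.255.0
 ! Virtual IP that spokes peer with; it moves to whichever hub is active
 standby 1 ip 192.0.2.1
 ! Higher priority plus preempt makes this hub active whenever it is up
 standby 1 priority 110
 standby 1 preempt
 ! Hello every 1 s; the peer is declared down after 3 s without hellos
 standby 1 timers 1 3
 ! Authenticate hellos so another host on the LAN cannot claim the virtual IP
 standby 1 authentication md5 key-string <shared-secret>
 standby 1 name HA-GRP
 ! Bind the IPsec crypto map to the HSRP group so IPsec follows the virtual IP
 crypto map VPN-MAP redundancy HA-GRP
!
! --- Hub 2 (standby hub): same settings except its own address and priority ---
interface GigabitEthernet0/0
 description Outside interface shared by the HA group
 ip address 192.0.2.3 255.255.255.0
 standby 1 ip 192.0.2.1
 standby 1 priority 100
 standby 1 preempt
 standby 1 timers 1 3
 standby 1 authentication md5 key-string <shared-secret>
 standby 1 name HA-GRP
 crypto map VPN-MAP redundancy HA-GRP
```

For the two-IOS-router stateful failover case described above, the binding becomes `crypto map VPN-MAP redundancy HA-GRP stateful`, which additionally requires the inter-device redundancy configuration not shown here. The active/standby state of either hub can be checked with `show standby`.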
Table 24-10 Edit Endpoints Dialog Box, VRF Aware IPsec Tab (Continued)
Element: Next Hop IP Address (2-Box solution, static routing only.)
Description: The IP address of the Provider Edge (PE) or the interface that is connected to the IPsec Aggregator, if you are using static routing.
Element: Redistribute Static Route (2-Box solution, non-static routing only.)
Description: Whether to have static routes advertised in the routing protocol configured on the IPsec Aggregator towards the PE device.