Filter
Top Products
24-50
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 24 Managing Site-to-Site VPNs: The Basics
Creating or Editing VPN Topologies
• The same auto-generated preshared key must be used for authentication on all peers. If you specified
not to use this option when configuring a preshared key policy, this is overridden during
configuration of High Availability. For more information, see Configuring IKEv1 Preshared Key
Policies, page 25-44.
• During generation of configurations, all hubs in the HA group receive the same commands, which
must be deployed to the HA group as a unit. You cannot deploy to individual hubs in the group.
The following table describes the options for configuring high availability.
Table 24-11 High Availability Page
Element Description
Enable Whether to enable high availability configuration on a group of hubs. If
you already configured high availability, you can remove the
configuration by deselecting this option.
Inside Virtual IP The IP address that is shared by the hubs in the HA group and that
represents the inside interface of the HA group. The virtual IP address
must be on the same subnet as the inside interfaces of the hubs in the
HA group, but must not be identical to the IP address of any of these
interfaces.
Note If there is an existing standby group on the device, make sure
that the IP address you provide is different from the virtual IP
address already configured on the device.
Inside Mask The subnet mask for the inside virtual IP address.
VPN Virtual IP The IP address that is shared by the hubs in the HA group and
represents the VPN interface of the HA group. This IP address serves
as the hub endpoint of the VPN tunnel.
Note If there is an existing standby group on the device, make sure
that the IP address you provide is different from the virtual IP
address already configured on the device.
VPN Mask The subnet mask for the VPN virtual IP address.
Hello Interval The duration in seconds (within the range of 1-254) between each hello
message sent by a hub to the other hubs in the group to indicate status
and priority. The default is 5 seconds.
Hold Time The duration in seconds (within the range of 2-255) that a standby hub
will wait to receive a hello message from the active hub before
concluding that the hub is down. The default is 15 seconds.
Standby Group Number
(Inside)
The standby number of the inside hub interface that matches the
internal virtual IP subnet for the hubs in the HA group. The number
must be within the range of 0-255. The default is 1.
Standby Group Number
(Outside)
The standby number of the outside hub interface that matches the
external virtual IP subnet for the hubs in the HA group. The number
must be within the range of 0-255. The default is 2.
Note The outside standby group number must be different from the
inside standby group number.