I am currently doing a failover installation with two 5510s on each side, so there will be four devices altogether. It seems the project was not planned carefully enough.
The customer's situation: there are two leased lines, each a direct connection from one site to the other. So the idea was to build a failover setup with both firewalls in an active/active failover configuration.
The pitfall is that the traffic has to be encrypted over a site-to-site VPN tunnel. Active/active, however, has to be configured in multiple context mode, and multiple context mode does not support IPsec. So in multiple context mode you cannot configure any VPNs.
That leaves only active/standby, and there is a catch there too. If you configure active/standby and both ends are active, everything is fine. But if one side goes standby while the other side stays active, because its "monitored" interface is still working fine, you end up in a deadlock: neither side matches the other, and the tunnel will not come up again.
It would be a great advantage if you could track or monitor the tunnel interface. Then the unit could switch from active to standby as soon as the tunnel is no longer available.
Small diagram:
fw1(active) — leased line(vpn) — fw3(active)
fw2(standby) — leased line(vpn) — fw4(standby)
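As an added illustration (not configuration from the original post or the customer's devices), here is the active/standby pairing of fw1 and fw2 from the diagram in Cisco ASA 8.x-style syntax. Interface names and addresses are constructed; the comments mark where the monitoring gap described above sits.

```cisco
! Added example: active/standby failover on fw1 (primary). On fw2 the only
! difference is "failover lan unit secondary". Ethernet0/3 is assumed to be
! a dedicated crossover link between fw1 and fw2 (addresses constructed).
failover
failover lan unit primary
failover lan interface folink Ethernet0/3
failover link folink Ethernet0/3
failover interface ip folink 192.0.2.1 255.255.255.252 standby 192.0.2.2
failover polltime interface 5 holdtime 25
!
! "outside" faces the leased line; the standby address is what fw2 holds
! while it is the standby unit.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.1 255.255.255.0 standby 198.51.100.2
 no shutdown
!
! Only interface health is monitored: fw1 hands over to fw2 when "outside"
! or "inside" fails the hello probes. The state of the IPsec tunnel to fw3
! is not a failover trigger, which is exactly the deadlock scenario above:
! the leased line and interface stay up while the far end has switched roles.
monitor-interface outside
monitor-interface inside
```

The VPN itself (crypto map, tunnel-group, pre-shared key) is left out here because its syntax differs between ASA releases; it is applied on the active unit and replicated to the standby unit by stateful failover.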
Active/active also does not give you real load balancing. You can only split the different VLANs across both leased lines so that the traffic on each is roughly the same.
The better solution for such a scenario, if possible, is two routers with VPN, VRRP/HSRP and OSPF/EIGRP. Then you get real load balancing and can also have both lines active.