RE: VPN Concentrator #3030 [7:58982]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

There is something like a failover setting in the 3002 hardware client. The software client needs to dial in again, to the second/backup IP.

Martijn

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of neil K.
Sent: Wednesday, 11 December 2002 18:16
To: [EMAIL PROTECTED]
Subject: VPN Concentrator #3030 [7:58982]

Hi All,

A few questions regarding the VPN Concentrator:

1. What do I do for redundancy (VPN Redundant Bundle)?
2. Load balancing
3. Where to put the concentrator (I prefer putting the VPN Concentrator behind the firewall)? What are the issues I will have to consider if I put the concentrator behind the firewall?

Thanks,
Sunil

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPi3Irndq56XWk+VyEQLceQCgxuZ/wMidJNS1cvEC71ERrjRJDwcAn1h4
GfDWR3RKOJKORSoieVp4UEj6
=gMi+
-----END PGP SIGNATURE-----

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=61522&t=58982
--
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
RE: VPN Concentrator #3030 [7:58982]
Responses in line.

> 1. What do I do for redundancy (VPN Redundant Bundle)?

It runs VRRP for concentrator redundancy. For user sessions you make a cluster using VCA under "Configuration | System | Load Balancing".

For redundancy on LAN-to-LAN tunnels it's much harder. The way the concentrator does LAN-to-LAN, you have to configure the LAN-to-LAN tunnel with the IP of who the peer is going to be speaking to. Also, the VRRP master IP MUST be the main concentrator's IPs. This means you need to take the backup concentrator offline (the VRRP slave), change its IPs to the primary's, and configure the LAN-to-LAN rules WHILE it's using the master's IPs. This is so it will have a correct SA database stored in its config. You then change its IPs back to the ones it uses while it's a backup. Put it back online with the different IPs and continue VRRP. Just be careful not to change any LAN-to-LAN configs while the slave is using its main IPs. When the primary fails, the slave assumes the master's IPs for IPsec-related protocols. HTTP admin still works using the slave IPs.

I wish Cisco would come up with a way to replicate the config over the wire. Anyone from Cisco care to join in?

> 2. Load balancing

See above.

> 3. Where to put the concentrator (I prefer putting the VPN Concentrator behind the firewall)? What are the issues I will have to consider if I put the concentrator behind the firewall?

You can do either. If it's behind a firewall you need to open IP protocol 50 (ESP) and UDP port 1 (IPSEC/UDP). This is what the concentrator needs out of the box. You may also need to open TCP ports, if you run IPSEC/TCP for your PAT users. I would put the concentrator behind the FW, for protection from DoS attacks and similar stuff that is possible. One caveat is to make sure you don't run NAT on the VPN concentrator (i.e. use public IPs behind your FW); the concentrator DOES NOT like double NAT, even with the new 3.6 code which supposedly provides "IPSec over NAT-T". Tested it, still works best with public IPs everywhere. Maybe PAT at the remote side.

Thanks,

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=59006&t=58982
RE: VPN Concentrator #3030 [7:58982]
I have just finished a project like this. You can only do one or the other; you can't do redundancy and load balancing all at once on the 3030.

If you want to be redundant, where if one concentrator fails the secondary comes online and accepts requests for it, then you need to look into VRRP. It is very easy to do on the concentrator.

If you want to do load balancing, then you will need to go to the Configuration, System, Load Balancing page on the concentrator and set those options. Real easy also, but Cisco has tons of docs on CCO explaining it if you are not familiar.

Now, in load balancing mode it is sort of redundant, because of what happens: based on CPU usage of your concentrators you have a master and a slave. The master will send a redirect to the client and tell the client which concentrator to connect to, and if one fails then the other accepts all the connections. So what you have is, if 100 connections are on the master and the slave only has 50 connections, more than likely the next connection to come in will go to the slave. There is a myth that it round-robins the connections; that is NOT true.

There are also a few gotchas with this and ARP and such. For example, if you are going to be giving out different IP addresses to your dial-in users than the subnet the concentrator is on, then you will have to route traffic from your internal network to the interface of the concentrator, because it does not answer ARPs for those clients (hope I did not confuse you with that last statement).

If you are going to put the concentrator behind a firewall, make sure you pass all appropriate VPN traffic without filtering, such as port 50, port 51 and port 500, to the concentrator.

That should get you started in the right direction. If you have any more DIRECT questions please let us know and we will try to help you out; if I missed anything I am sure someone else on the group will pick it up.

-----Original Message-----
From: neil K. [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 11, 2002 12:16 PM
To: [EMAIL PROTECTED]
Subject: VPN Concentrator #3030 [7:58982]

Hi All,

A few questions regarding the VPN Concentrator:

1. What do I do for redundancy (VPN Redundant Bundle)?
2. Load balancing
3. Where to put the concentrator (I prefer putting the VPN Concentrator behind the firewall)? What are the issues I will have to consider if I put the concentrator behind the firewall?

Thanks,
Sunil

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=59002&t=58982
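The second and third replies both list what a firewall in front of the concentrator must pass (ESP, the IKE/IPsec-over-UDP ports, optionally AH and IPsec/TCP) and the second warns against NAT on the concentrator itself. The following is an added example, not code from the thread or from Cisco: a small first-match policy auditor that takes a constructed, vendor-neutral rule list and reports which of those flows the policy would drop, and whether any NAT rule rewrites the concentrator's own address. The port numbers are assumptions: ISAKMP 500 and NAT-T 4500 are the IANA assignments, and 10000 is assumed as the VPN 3000 default for IPsec/UDP and IPsec/TCP (configurable on the device; the thread's "UDP port 1" is left as written).

```python
"""Audit a firewall policy for the inbound flows a VPN 3000 concentrator
needs when it sits behind the firewall, and flag NAT on its address.

Added example; not from the GroupStudy thread or from Cisco. The Rule
format is a constructed model, not any firewall's real syntax.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    name: str
    proto: str            # "esp", "ah", "udp", "tcp"
    port: Optional[int]   # None for ESP/AH, which carry no port
    required: bool


# Port assumptions: 500 (ISAKMP) and 4500 (NAT-T) are IANA-assigned;
# 10000 is assumed as the VPN 3000 default for IPsec/UDP and IPsec/TCP.
INBOUND_FLOWS = [
    Flow("ESP (IP protocol 50)", "esp", None, True),
    Flow("ISAKMP/IKE", "udp", 500, True),
    Flow("IPsec/UDP (assumed default port 10000)", "udp", 10000, True),
    Flow("IPsec over NAT-T", "udp", 4500, False),       # only with NAT-T code
    Flow("IPsec/TCP for PAT users (assumed 10000)", "tcp", 10000, False),
    Flow("AH (IP protocol 51)", "ah", None, False),
]


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    dst: str                     # destination address or "any"
    proto: str                   # "ip", "esp", "ah", "udp", "tcp"
    port: Optional[int] = None   # None means any port


def rule_matches(rule: Rule, flow: Flow, concentrator: str) -> bool:
    """Does this rule apply to the flow when sent to the concentrator?"""
    if rule.dst not in ("any", concentrator):
        return False
    if rule.proto == "ip":       # "ip" matches every protocol
        return True
    if rule.proto != flow.proto:
        return False
    return rule.port is None or rule.port == flow.port


def first_match(rules: List[Rule], flow: Flow, concentrator: str) -> Optional[Rule]:
    """First-match semantics: the first matching rule decides; no match is an implicit deny."""
    for r in rules:
        if rule_matches(r, flow, concentrator):
            return r
    return None


def audit(rules: List[Rule], concentrator: str) -> Tuple[List[str], List[str]]:
    """Return (dropped required flows, dropped optional flows) by name."""
    missing_req, missing_opt = [], []
    for f in INBOUND_FLOWS:
        m = first_match(rules, f, concentrator)
        if m is None or m.action != "permit":
            (missing_req if f.required else missing_opt).append(f.name)
    return missing_req, missing_opt


def nat_conflicts(nat_rules: List[dict], concentrator: str) -> List[dict]:
    """Flag NAT rules that rewrite the concentrator's own address: the thread's
    advice is public IPs behind the FW, no NAT on the concentrator."""
    return [n for n in nat_rules if n["inside"] == concentrator]


# Constructed sample policy (TEST-NET addresses). The early "deny udp 4500"
# shadows the later permit, and no rule at all covers IPsec/UDP.
CONCENTRATOR = "203.0.113.10"
SAMPLE_RULES = [
    Rule("deny", "any", "udp", 4500),
    Rule("permit", CONCENTRATOR, "esp"),
    Rule("permit", CONCENTRATOR, "udp", 500),
    Rule("permit", "any", "udp", 4500),      # never reached
    Rule("deny", "any", "ip"),
]
SAMPLE_NAT = [{"inside": CONCENTRATOR, "outside": "198.51.100.7"}]

if __name__ == "__main__":
    req, opt = audit(SAMPLE_RULES, CONCENTRATOR)
    print("dropped required flows:", req)
    print("dropped optional flows:", opt)
    print("NAT on concentrator:", nat_conflicts(SAMPLE_NAT, CONCENTRATOR))
```

Running it against the sample policy reports IPsec/UDP as a dropped required flow, NAT-T, IPsec/TCP and AH as dropped optional ones, and one NAT rule touching the concentrator; adding a permit for the IPsec/UDP port ahead of the final deny clears the required list.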
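The third reply describes the cluster's redirect behaviour: the master sends each new client to the least-loaded member rather than round-robining, and when a member fails its users end up on the survivor. The simulation below is an added example, not Cisco's VCA implementation; it models load as sessions divided by an assumed per-member capacity, standing in for the CPU-based figure the post mentions, and contrasts that choice with round robin for the post's 100-versus-50-session case.

```python
"""Simulate the redirect decision of a load-balancing cluster as the thread
describes it. Added example, not Cisco VCA code; the load metric
(sessions / assumed capacity) is a stand-in for the real CPU-based figure.
"""
from itertools import cycle
from typing import Dict, List, Tuple


class Member:
    def __init__(self, name: str, sessions: int = 0, capacity: int = 1500):
        self.name = name
        self.sessions = sessions
        self.capacity = capacity      # assumed figure, not a device limit
        self.up = True

    @property
    def load(self) -> float:
        return self.sessions / self.capacity


class Cluster:
    def __init__(self, members: List[Member]):
        self.members = members

    def live(self) -> List[Member]:
        return [m for m in self.members if m.up]

    def redirect(self) -> str:
        """Master's choice for one new client: the lowest-load live member
        (name breaks ties). The client then reconnects to that member."""
        live = self.live()
        if not live:
            raise RuntimeError("no cluster member available")
        target = min(live, key=lambda m: (m.load, m.name))
        target.sessions += 1
        return target.name

    def fail(self, name: str) -> List[str]:
        """Take a member down; its users reconnect and get redirected."""
        victim = next(m for m in self.members if m.name == name)
        victim.up = False
        orphaned, victim.sessions = victim.sessions, 0
        return [self.redirect() for _ in range(orphaned)]


def least_loaded_assignment(master_sessions: int, slave_sessions: int,
                            new_clients: int) -> List[str]:
    """Where each of the next new_clients lands under least-loaded redirect."""
    c = Cluster([Member("master", master_sessions), Member("slave", slave_sessions)])
    return [c.redirect() for _ in range(new_clients)]


def round_robin_assignment(new_clients: int) -> List[str]:
    """The 'myth' the post debunks, for comparison."""
    rr = cycle(["master", "slave"])
    return [next(rr) for _ in range(new_clients)]


def failover_demo() -> Tuple[List[str], Dict[str, int]]:
    """Master with 100 sessions fails; all of them land on the slave."""
    c = Cluster([Member("master", 100), Member("slave", 50)])
    moved = c.fail("master")
    return moved, {m.name: m.sessions for m in c.members}


if __name__ == "__main__":
    print("least-loaded:", least_loaded_assignment(100, 50, 6))
    print("round-robin: ", round_robin_assignment(6))
    print("after master failure:", failover_demo()[1])
```

With 100 sessions on the master and 50 on the slave, every one of the next 50 redirects goes to the slave; only once the counts are level does the master start receiving clients again, which is the observable difference from round robin.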