VPN3020 failover

Aug 16th, 2007


I've recently "synchronised" the configuration of our 2 3020 boxes using http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2284/products_tech_note09186a008050643e.shtml

The only differences I can see in the config now are the IP addressing, hostnames, and master/backup1. However, during a failover test, none of our remote VPN3002 hardware clients will establish a connection to the secondary concentrator when it is active. L2L sessions do come up, however. Just the remote sessions from the HW clients fail.

Any help would be great.



bstremp Wed, 08/22/2007 - 14:21

The Backup LAN-to-LAN feature lets you establish redundancy for your LAN-to-LAN connection. Unlike VRRP, which provides a failover for the VPN Concentrator, Backup LAN-to-LAN provides a failover for the connection itself. Although VRRP and Backup LAN-to-LAN are both ways of establishing continuity of service should a VPN Concentrator fail, Backup LAN-to-LAN provides certain advantages that VRRP does not.

You can configure Backup LAN-to-LAN and load balancing on the same device, but you cannot configure VRRP and load balancing on the same VPN Concentrator.

Redundant Backup LAN-to-LAN peers do not have to be located at the same site. VRRP backup peers cannot be geographically dispersed.

andrler Wed, 08/22/2007 - 15:44

Thanks for the response. Though with VRRP, when the concentrator fails, the secondary takes over the VRRP address, which all the HW clients are peered to, thus they should be able to re-establish the VPN. I would imagine this is a reasonably common setup, so I'm a little baffled as to why it's not working since the configs are essentially identical. Perhaps a certificate issue?

