VPN3020 failover

andrler
Level 1

Hi,

I've recently "synchronised" the configuration of our 2 3020 boxes using http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2284/products_tech_note09186a008050643e.shtml

The only differences I can see in the config now are the IP addressing, hostnames, and master/backup1. However, during a failover test, none of our remote VPN3002 hardware clients will establish a connection to the secondary concentrator when it is active. L2L sessions do come up, however. Just the remote sessions from the HW clients fail.

Any help would be great.

Thanks,

Andy.

2 Replies

bstremp
Level 2

The Backup LAN-to-LAN feature lets you establish redundancy for your LAN-to-LAN connection. Unlike VRRP, which provides a failover for the VPN Concentrator, Backup LAN-to-LAN provides a failover for the connection itself. Although VRRP and Backup LAN-to-LAN are both ways of establishing continuity of service should a VPN Concentrator fail, Backup LAN-to-LAN provides certain advantages that VRRP does not.

You can configure Backup LAN-to-LAN and load balancing on the same device, but you cannot configure VRRP and load balancing on the same VPN Concentrator.

Redundant Backup LAN-to-LAN peers do not have to be located at the same site. VRRP backup peers cannot be geographically dispersed.

Thanks for the response. Though with VRRP, when the concentrator fails, the secondary takes over the VRRP address, which all the HW clients are peered to, thus they should be able to re-establish the VPN. I would imagine this is a reasonably common setup, so I'm a little baffled as to why it's not working since the configs are essentially identical. Perhaps a certificate issue?
