VPN concentrator VRRP.

Unanswered Question
Aug 15th, 2009

Dear All,



I have 2 vpn concentrator 3060 configured VRRP Master/Backup.

L2L is confiured in the concentrator .

Remote-offices Router/ASA is connected the Concentrator.

What will the configuration in the remoteoffice device? the peer-ip should be the VRRP IP?

we have to configure both vpn concentrator IP in the ASA/router.

eg:-set peer vrrrp ip of the Master

set peer ip of the backup.

Kindly advice me.



I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
subashmbi Mon, 08/17/2009 - 21:34

Hi Slamans,

I am following this documents..

My doubts are given below:-

1) In the backup concentrator what is the ""ROle"Master/Backup1.?

2) Vrrp IP ,i can use same physical ip for master or i have to configure seperate IP for VRRP?

3)Lan-Lan IPec will establish the VRRP IP?



slmansfield Tue, 08/18/2009 - 07:40

1) In the backup concentrator what is the ""ROle"Master/Backup1.?

The backup with a number after it is the precedence of that VPN concentrator in the VRRP group. It looks to me as though Backup1 is the highest precendence of the backup concentrators, followed by .2, .3, etc.

2) Vrrp IP ,i can use same physical ip for master or i have to configure seperate IP for VRRP?

On the Master system, the VRRP entries are the IP addresses configured on its Ethernet interfaces, and the Manager supplies them by default.

On a Backup system, the fields are empty by default, and you must enter the same IP addresses as those on the Master system.

3)Lan-Lan IPec will establish the VRRP IP?

If the Master fails, the Backup begins to service traffic formerly handled by the Master. This switchover occurs in 3 to 10 seconds. While IPsec and

Point-to-Point Tunnel Protocol (PPTP) client connections are disconnected during this transition, users need

only to reconnect without changing the destination address of their connection profile. In a LAN-to-LAN

connection, switchover is seamless.


subashmbi Tue, 08/18/2009 - 21:22

Dear Slams,

In that case, if we change the physical IP for the box with the same VRRP ip and tried connecting site to site VPN once again. it will work?



slmansfield Wed, 08/19/2009 - 05:36

If you are referring to the master concentrator, you can change the physical IP on that box, which will change the VRRP IP, which you will use on the backup concentrators and the remote peer address on your remote site gateways.

I would also clear the ARP caches on the other devices that share a network with the master concentrator.

subashmbi Wed, 08/19/2009 - 22:17

Hi Slmans,

Thanks for the update.

This comming sunday , i have this activity VPN concentrator VRRP.I am following the VRRP cisco doc..

I will update you.




This Discussion