Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1249
Views
0
Helpful
5
Replies

Failover with VPN Concentrator

Go to solution
yogesh.suryawanshi
Level 1
Level 1

‎08-21-2010 11:59 PM

Hello All,

We have Single VPN concentrator which is single point of failure, hence need your help to mitigate the same

Topology diagram is attached

Site A & Site B.

Site B has internet Gateways where we have existing VPN box.

Planning to introduce VPN gateway at site A & place VPN concentrator there as well

Our design is as under

Connectivity between both locations & other office is managed by BGP.

Default route is pointed toward Internet Gateway.

Internet Segment Info.

·         We have SP Independent IP range

·         Failover between 2 SP at site  B is achieved using iBGP & eBGP

Challenge: VPN concentrator single Point of Failure (Cisco VPN Concentrator 3000)

Following are design goals

·         Introduce internet gateways at Site- A which will have Site gateway level redundancy

·         Place on VPN concentrator which will act as a failover between site

o   If site B vpn concentrator is down site A VPN box should take over all the traffic.

o   Replica of Site B active VPN concentrator

Is it possible to achieve above design goals.

Please help regarding VPN concentrator...How i can place VPN concentrator in failover mode ...Just like we do firewalls?

Please help

Labels:
Preview file
42 KB
0 Helpful
3 Accepted Solutions

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎08-22-2010 12:19 AM

Hi Yogesh,

VPN Concentrator supports failover via VRRP. Please find the following document for your reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_tech_note09186a0080094490.shtml

In regards to adding failover for VPN Concentrator, do you happen to have a spare VPN Concentrator to run VRRP?

Not sure if you know, however, VPN Concentrator is now end of life, and the last ship date was November 2007, hence you will not be able to purchase VPN Concentrator anymore.

Here is the EOL notificatin for your reference:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5743/ps5749/ps2284/prod_end-of-life_notice0900aecd805cd5a0.html

View solution in original post

0 Helpful

Go to solution
Atri Basu
Cisco Employee
Cisco Employee
In response to yogesh.suryawanshi

‎08-22-2010 06:17 AM

Hey Yogesh,

The ASA has replaced the concentrator as a VPN headend. You will find more information regarding product migration here:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5743/ps5749/ps2284/prod_end-of-life_notice0900aecd805cd5a0.html#wp9000247

Regards,

Atri.

View solution in original post

0 Helpful

Go to solution
Atri Basu
Cisco Employee
Cisco Employee
In response to yogesh.suryawanshi

‎08-22-2010 06:57 AM

Hey Yogesh,

For ASA's you have to configure failover not VRRP. And yes you can use lan bases failover. You will find more information regarding this at the following link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#lanbas

The distance shouldn't be a problem.

Also you should be able to rate the message if you are signed in.If you are signed in and still not able to rate a message then drop a not to the forum moderator.

Regards,

Atri

View solution in original post

0 Helpful
5 Replies 5

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎08-22-2010 12:19 AM

Hi Yogesh,

VPN Concentrator supports failover via VRRP. Please find the following document for your reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_tech_note09186a0080094490.shtml

In regards to adding failover for VPN Concentrator, do you happen to have a spare VPN Concentrator to run VRRP?

Not sure if you know, however, VPN Concentrator is now end of life, and the last ship date was November 2007, hence you will not be able to purchase VPN Concentrator anymore.

Here is the EOL notificatin for your reference:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5743/ps5749/ps2284/prod_end-of-life_notice0900aecd805cd5a0.html

0 Helpful

Go to solution
yogesh.suryawanshi
Level 1
Level 1
In response to Jennifer Halim

‎08-22-2010 05:10 AM

This is very useful information...

But I am unlucky here.....we don’t have another vpn concentrator? But Yes....VRRP can be used in my other office where we have another concentrator...which is they are using a cold standby...

As it EOS...which device has replaced concentrators with similar features...

Note : I am not able to rate the post using star buttons : how do i rate it..

Regards

Yogesh

0 Helpful

Go to solution
Atri Basu
Cisco Employee
Cisco Employee
In response to yogesh.suryawanshi

‎08-22-2010 06:17 AM

Hey Yogesh,

The ASA has replaced the concentrator as a VPN headend. You will find more information regarding product migration here:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5743/ps5749/ps2284/prod_end-of-life_notice0900aecd805cd5a0.html#wp9000247

Regards,

Atri.

0 Helpful

Go to solution
yogesh.suryawanshi
Level 1
Level 1
In response to Atri Basu

‎08-22-2010 06:37 AM

Hi,

Thanks for advising device.

I have sites which have distance of mainly between 35-40 km connectivity via Metro Ethernet links...

Is it possible to run two ASA parallel between such distance likewise it is with VPN concentrator (using VRRP  or other technology)?

If yes how failover would work...Is it like normal firewall / asa we keen in same rack?

Regards

Yogesh

0 Helpful

Go to solution
Atri Basu
Cisco Employee
Cisco Employee
In response to yogesh.suryawanshi

‎08-22-2010 06:57 AM

Hey Yogesh,

For ASA's you have to configure failover not VRRP. And yes you can use lan bases failover. You will find more information regarding this at the following link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#lanbas

The distance shouldn't be a problem.

Also you should be able to rate the message if you are signed in.If you are signed in and still not able to rate a message then drop a not to the forum moderator.

Regards,

Atri

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents