config synchronization in a vpn cluster

Answered Question
Jan 12th, 2004

hi folks,

does somebody know how two VPN 3030 concentrators with VRRP enabled synchronize their configuration? I haven't found any documentation yet. I assume that it works over VRRP advertisements. I do not believe that, if you configure a new secure connection, you have to do the synchronisation on the backup by hand. It must be automatic.

tks in advance

thomas

jasobrown Mon, 01/12/2004 - 09:20

Unless it has changed recently ...

The 3000's are configured manually, tested to confirm that they can terminate the VPN connections, and then VRRP is added.

Thomas Brunsfeld Tue, 01/13/2004 - 01:08

so if you configure a new user on the Master system you have to do it on the BU as well? That's what I am thinking about, thus it is not a satisfactory solution.

Correct Answer
mikegallagher Tue, 01/13/2004 - 07:58

Yes, you have to configure both systems manually. We all feel your pain. In fact someone asked for the exact feature request you are looking for, shown in bug CSCdv88787. It was put in a looooong time ago and (obviously) still isn't implemented. So don't hold your breath.


HTH,


Mike
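The thread's conclusion is that the two concentrators in a VRRP pair hold independent configurations, so every user or group entered on the master must be entered again on the backup. The practical check a defender wants in that situation is a way to find the drift before a failover exposes it. The script below is an added example (not from this thread, and not Cisco's tooling): it parses two exported configurations and reports what one box has that the other lacks. It assumes a generic `[section]` / `key = value` export format and uses constructed sample exports; the real VPN 3000 export format is not described in the thread, and the section and key names here are placeholders.

```python
"""Config-drift check for a manually maintained VPN concentrator pair (added example)."""
import re
from typing import Dict, List, Tuple

Section = Dict[str, str]
Config = Dict[str, Section]

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")
KV_RE = re.compile(r"^(?P<key>[^=\s]+)\s*=\s*(?P<value>.*?)\s*$")

# (section, key) pairs that are legitimately different between the two peers
# (hypothetical names; adjust to the real export format).
PER_DEVICE_KEYS = {("system", "hostname"), ("vrrp", "priority"), ("ethernet1", "address")}

# Constructed sample exports: the backup is missing one user and has a
# different tunnel setting and an extra key on the shared group.
MASTER_EXPORT = """
[system]
hostname = vpn-master
[vrrp]
group = 1
priority = 254
[group remote-users]
auth = radius
tunnel = ipsec
[user jsmith]
group = remote-users
password-hash = constructed-placeholder
[user alee]
group = remote-users
"""

BACKUP_EXPORT = """
[system]
hostname = vpn-backup
[vrrp]
group = 1
priority = 100
[group remote-users]
auth = radius
tunnel = ipsec,l2tp
idle-timeout = 30
[user jsmith]
group = remote-users
password-hash = constructed-placeholder
"""


def parse_config(text: str) -> Config:
    """Parse [section] / key=value text into a nested dict; blanks and comments are ignored."""
    config: Config = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name").strip().lower()
            config.setdefault(current, {})
            continue
        m = KV_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        config[current][m.group("key").lower()] = m.group("value")
    return config


def diff_configs(master: Config, backup: Config) -> Tuple[List[str], List[str], List[str]]:
    """Return (only_on_master, only_on_backup, value_mismatch), each sorted by section/key."""
    only_master: List[str] = []
    only_backup: List[str] = []
    mismatch: List[str] = []
    for section in sorted(set(master) | set(backup)):
        m_sec, b_sec = master.get(section), backup.get(section)
        if b_sec is None:          # whole section (e.g. a user) missing on the backup
            only_master.append(section)
            continue
        if m_sec is None:
            only_backup.append(section)
            continue
        for key in sorted(set(m_sec) | set(b_sec)):
            if (section, key) in PER_DEVICE_KEYS:
                continue           # expected to differ, not drift
            if key not in b_sec:
                only_master.append(f"{section}.{key}")
            elif key not in m_sec:
                only_backup.append(f"{section}.{key}")
            elif m_sec[key] != b_sec[key]:
                mismatch.append(f"{section}.{key}")
    return only_master, only_backup, mismatch


def drift_report(master_text: str, backup_text: str) -> dict:
    """Parse both exports and summarise drift; in_sync is True only when all three lists are empty."""
    only_master, only_backup, mismatch = diff_configs(parse_config(master_text), parse_config(backup_text))
    return {
        "only_on_master": only_master,
        "only_on_backup": only_backup,
        "mismatch": mismatch,
        "in_sync": not (only_master or only_backup or mismatch),
    }


if __name__ == "__main__":
    for name, items in drift_report(MASTER_EXPORT, BACKUP_EXPORT).items():
        print(f"{name}: {items}")
```

Run it against the two real exports instead of the constructed samples and treat any non-empty list as a change-control failure; keys that are supposed to differ between peers belong in PER_DEVICE_KEYS so they do not drown out real drift.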

jwmiller Tue, 05/31/2005 - 13:20

CSCdv88787 states "Rather than have to manually pull the config and drop it into the VRRP peer's box." This suggests that there is a way to take the config from one VPN 3000 and drop it onto another without having to manually update each box in a VRRP cluster. Perhaps CSCdv88787 solves a different problem and it IS possible to use a file to synchronize a pair of VRRP'd 3000's? Can you clarify?

Correct Answer
jasobrown Tue, 01/13/2004 - 08:21

That is correct .. Synchronization does not happen over VRRP - you would have to configure the users on both concentrators, or have central user authentication server(s) like ACS to authenticate to, and then you would not have a problem.

You have to think of VRRP like HSRP .. you don't sync 2 router configs over HSRP... They are configured as backup devices.

Thomas Brunsfeld Tue, 01/13/2004 - 23:54

Tks guys, your statements are indeed helpful and I am going to set the bug watcher on this mentioned bug, in the hope that Cisco will implement this feature soon.

have a nice day

thomas

shannong Fri, 01/16/2004 - 15:24

While you can't sync configs, you can alleviate the need to do so. Once the cluster is up and running, use external authentication via ACS.

Based on the group the user belongs to in ACS, ACS can tell the concentrator everything else about the user's session. Therefore, you only need to maintain one or two basic groups on the concentrators. This alleviates the concern about making changes to multiple concentrators for user groups. ACS supports clustered installs for itself and it will replicate its users and configurations to other ACS servers to provide load sharing and redundancy.

Besides having its own local groups, ACS can authenticate via LDAP or NT and check for that user's membership in a group. Based on this, you can tell the concentrator what group they should belong to, what their filter/ACL is, encryption types allowed, timeouts, firewall rules, protocols allowed, etc. You can pass pretty much everything that can be configured in a concentrator group.

This should provide HA while also increasing user control and concerns about configuration management.


mikegallagher Fri, 01/16/2004 - 15:54

Yeah, but that doesn't help with L2L tunnels. You're typically in a set-it-and-forget-it situation with RA tunnels anyway.
