Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
367
Views
0
Helpful
3
Replies

Feedback for VRRP failover wanted.

cairnsm
Level 1
Level 1

‎02-06-2003 01:13 PM - edited ‎03-09-2019 02:00 AM

Getting ready to install a second 3030 concentrator for redundancy. Has anyone noted any issues with recovering lan-to-lan tunnels during failover? Any particulars that need to be checked such as ipsec lifetime for the SA? Do remote endpoints even see the failure / force to renogotiate, or does the secondary concentrator simply assume the connection. Any details of the process beyond the shared IP/MAC are appreciated as I can't take my primary out of production for more complete testing.

Thanks,

Mark

Labels:
0 Helpful
3 Replies 3

engel
Level 2
Level 2

‎02-08-2003 06:37 AM

Hi,

We have completed two installations with VPN3000`s VRRP. The following are issues with VPN3000`s VRRP design:

1. The failover is NOT transparent from the VPN Client. If the Master is down, the client has to disconnect and reconnect again. It means that the user has to click the disconnect button and click the connect button.

2. The CONFIG file has to be manually synchronized between the Master and the Standby device. There is no automate update of the CONFIG if you changes some parameters at the Master.

The above two issues are my main concern. Hopefully Cisco would address these issues. If anyone has other issues, kindly share here.

Regards,

Engel

0 Helpful

chuck007
Level 1
Level 1
In response to engel

‎05-27-2003 02:27 PM

How about the LAN-to-LAN... any thing special there? According to the latest manual, it takes about 3 to 10 seconds to automatically switch over. However, I wonder if this is a statefull failover, keeping the TCP sessions alive while it switches?

--Chuck

0 Helpful

cairnsm
Level 1
Level 1
In response to chuck007

‎05-28-2003 07:09 AM

Chuck, the failover of these units worked very well in our situation. Keep in mind that they are not keeping a stateful layer 4 table like a PIX, only providing the end point for your tunnel. The need to establish new TCP sessions will depend on the hosts at each end and specific application resiliance to timing issues.

RFC 2338 explains the timing for VRRP failover.

Mark

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents