In order to provide complete redundancy for VPN users, we have implemented two Concentrator 3030 devices in the following configuration.
VPN Unit 1:
Virtual Cluster IP: 184.108.40.206
VPN Unit 2:
Virtual Cluster IP: 220.127.116.11
1. If the inside interface on Unit 1 fails, will the users be redirected to Unit 2?
Assume we have redundant Catalysts, with Unit 1 plugged into Catalyst 6509-1 and Unit 2 plugged into Catalyst 6509-2. If 6509-1 fails, the ideal situation would be for users to reconnect and establish a session with Unit 2. How would this work?
2. We are also doing LAN-to-LAN sessions that are all currently directed to VPN Unit 1. We would like to move some to Unit 2. The other end is IOS routers. I know that you can specify multiple peers and the router will automatically connect to the first peer available. This is good, because if Unit 1 fails then the LAN-to-LAN tunnels would be rebuilt to Unit 2. HOWEVER, the return route in the 6509 MSFC points to Unit 1's inside interface. Therefore, if Unit 1 fails, the return route would not auto-adjust to Unit 2. Anyone have ideas on a way around this? I sure wish that the 3030s would talk EIGRP to the rest of Cisco's gear.
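The multi-peer LAN-to-LAN setup described in the question, written out as an added example (it is not configuration from the original post). The far-end IOS router lists both concentrators in one crypto map, so IKE falls back to Unit 2 when Unit 1 stops answering; the last line is the MSFC's static return route, which is exactly the part that does not follow the tunnel. Every address and name here is an assumption: 192.0.2.1 and 192.0.2.2 stand for the units' public addresses, 10.1.1.1 for Unit 1's private interface, 10.1.0.0/16 for the LAN behind the concentrators, 10.2.0.0/16 for the remote LAN, and SECRET-KEY is a placeholder pre-shared key.

```cisco
! --- Remote IOS router (far end of the LAN-to-LAN tunnel) ---
! All addresses and names below are assumptions for the example.
crypto isakmp policy 10
 encryption 3des
 authentication pre-share
 group 2
! One pre-shared key entry per concentrator public address.
crypto isakmp key SECRET-KEY address 192.0.2.1
crypto isakmp key SECRET-KEY address 192.0.2.2
! IKE keepalives: without them the router only notices a dead Unit 1
! after SA retransmit/lifetime timeouts, so failover takes much longer.
crypto isakmp keepalive 10
!
crypto ipsec transform-set L2L-TS esp-3des esp-sha-hmac
!
! Two peers in one map entry: IOS tries 192.0.2.1 (Unit 1) first and
! moves to 192.0.2.2 (Unit 2) when Unit 1 does not respond.
crypto map L2L 10 ipsec-isakmp
 set peer 192.0.2.1
 set peer 192.0.2.2
 set transform-set L2L-TS
 match address L2L-TRAFFIC
!
ip access-list extended L2L-TRAFFIC
 permit ip 10.2.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
interface Serial0/0
 crypto map L2L
!
! --- Catalyst 6509 MSFC (inside the concentrators) ---
! The return route for the remote LAN is static and only knows Unit 1's
! private interface. When the tunnel rebuilds to Unit 2, return traffic
! still goes to 10.1.1.1 and is dropped.
ip route 10.2.0.0 255.255.0.0 10.1.1.1
```

The order of the `set peer` lines is the preference order; on a failure the router works down the list, so the peer you want as primary goes first.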
We have the same situation at a customer's site and did a lot of tests. Here are some of the results:
To (1): yes, if the Ethernet interface goes down when the Catalyst has a problem.
To (2): not at the moment. There should be a solution in the next version (reverse route injection??) that allows route information from LAN-to-LAN sessions to be distributed automatically out of the internal interface. A router behind it will then be able to use the correct VPN gateway.
Load sharing only works for clients, not for LAN-to-LAN sessions.
You can use Redundancy for full failover; then one VPN gateway will be active and the other standby. In this case no load sharing is possible.
In our situation, we cannot use Redundancy because of heavy traffic. We will try a workaround that redirects the incoming traffic to the VPN gateways (private interface) with static routes, which are set to either the 1st or the 2nd VPN via a script in case of a problem. We will test this next week.
1. So you are saying that if the internal Ethernet is failing, the clients WILL be directed to a second concentrator when configured in a load-sharing scheme? That is good! Thanks for that information.
2. I am currently beta testing the 3.5 version with reverse route injection. Unfortunately, we have not had time to actually configure and test load balancing the LAN-to-LAN sessions, because we would have to redistribute the OSPF from the concentrators into our existing EIGRP network. (Not fun.) I hate that Cisco is promoting route injection in their new version without supporting EIGRP!
What are you building your LAN-LAN tunnels to? Cisco Routers or another Concentrator?
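The OSPF-into-EIGRP redistribution the previous post describes, as an added example for the MSFC side (this is not configuration from the original thread, and the concentrator side, which is set up through its own interface, is not shown). With reverse route injection enabled and OSPF running on each concentrator's private interface, the unit that actually holds a LAN-to-LAN tunnel advertises the remote network, so the return route follows the tunnel instead of being pinned to Unit 1. The VLAN, addresses, process numbers and metric values are assumptions: Vlan10 at 10.1.1.254/24 faces both concentrators' private interfaces, OSPF process 1 area 0 is the concentrator-facing process, EIGRP AS 100 is the existing campus network, and 10.2.0.0/16 is the remote LAN from the earlier example.

```cisco
! --- Catalyst 6509 MSFC --- (all names and addresses are assumptions)
interface Vlan10
 description Concentrator private interfaces (10.1.1.1 / 10.1.1.2)
 ip address 10.1.1.254 255.255.255.0
!
! Run OSPF only towards the concentrators. Each 3030 (3.5, RRI on) then
! advertises the remote networks of the tunnels it currently terminates,
! so the next hop is whichever unit the IOS router actually peered with.
router ospf 1
 passive-interface default
 no passive-interface Vlan10
 network 10.1.1.0 0.0.0.255 area 0
!
! Hand the injected routes to the rest of the EIGRP network. The seed
! metric (bandwidth kbps, delay in tens of us, reliability, load, MTU)
! is mandatory: without it EIGRP drops redistributed OSPF routes.
router eigrp 100
 network 10.0.0.0
 redistribute ospf 1 metric 10000 100 255 1 1500
 no auto-summary
!
! Remove the old static return route. A static (distance 1) would always
! beat the OSPF route (distance 110) and keep the return path on Unit 1.
no ip route 10.2.0.0 255.255.0.0 10.1.1.1
```

Check with `show ip route 10.2.0.0` on the MSFC after forcing a tunnel to the second unit: the next hop should move from 10.1.1.1 to 10.1.1.2, and `show ip ospf neighbor` on Vlan10 should list both concentrators as FULL.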