Cisco Support Community
New Member

VPN Clustering Issue

Aloha:

We have a VPN cluster with two 3030 Concentrators. When you connect to the virtual address, you are pushed to one address, but when it is "negotiating security policies" the connection drops, but then when you click "Connect" again, it works! This happens for users regardless of location. Any ideas? Clustering appears to be working okay.

Also, in the documentation it says the virtual address should not be pingable, but in our scenario we can.

Mahalo in advance.

7 REPLIES
Bronze

Re: VPN Clustering Issue

When you connect the AP to the wired LAN, the AP links to the network using a Bridge Virtual Interface (BVI) that it creates automatically. Instead of tracking separate IP addresses for the AP's Ethernet and radio ports, the network uses the BVI. When you assign an IP address to the AP using the CLI, you must assign the address to the BVI.

Gold

Re: VPN Clustering Issue

are these concentrators located behind a pix? if so, you need to disable arp cache.

from memory, the command is "sysopt noproxyarp" on pix.

New Member

Re: VPN Clustering Issue

Much mahalo for the reply. It appears to have worked for some, but I am still having issues. Same problem as before. Any ideas?

Gold

Re: VPN Clustering Issue

you mentioned if you try another time, it will then connect. just wondering if one of the concentrators has an issue, so that remote vpn access can only be established to one of the concentrators.

further, do "sh arp" on the pix to verify whether the arp table keeps updating for the cluster ip.

New Member

Re: VPN Clustering Issue

Aloha:

Yes, one of the Concentrators is okay if you just set your client to connect to that one. Strange since the configuration was pretty much a copy and paste from the other. The "existing" Concentrator is the one that is working properly.

Yes, the ARP table always has the MAC address of the cluster master for the cluster IP address. Thanks for the help.

Ben

Gold

Re: VPN Clustering Issue

you mentioned "Yes, the ARP table always has the MAC address of the cluster master for the cluster IP address".

when i was testing a web server cluster, the arp kept updating as the request was sent to the first, then second, then third. anyhow, it may be different for a concentrator cluster.

New Member

Re: VPN Clustering Issue

Aloha:

After working with TAC, the issue was that one of the concentrators' address pools started on the network number, not a usable host; that was the reason for the disconnect. It was sporadic because the first time you would get the wrong address, then the second time you would get a usable host address. :-)

Aloha Friday,

Ben
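
A check for the pool problem described in the last post, as an added example that is not part of the thread: given a pool's start, end and subnet mask, it lists every address in the range that is a network number or broadcast address and so cannot be handed to a client. The function name and all addresses are constructed for illustration; it also covers a range that spans more than one subnet.

```python
import ipaddress

def unusable_pool_addresses(start, end, netmask):
    """Return the addresses in the pool range [start, end] that are a
    subnet's network number or broadcast address under the given mask."""
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)
    if first > last:
        raise ValueError("pool start is above pool end")
    # strict=False derives the enclosing subnet even from a host address.
    net = ipaddress.ip_network(f"{start}/{netmask}", strict=False)
    if net.prefixlen >= 31:
        return []  # /31 and /32 have no separate network/broadcast address
    size = net.num_addresses
    bad = []
    # Walk subnet by subnet so a range crossing subnet boundaries is covered.
    base = int(net.network_address)
    while base <= int(last):
        for candidate in (base, base + size - 1):
            if int(first) <= candidate <= int(last):
                bad.append(str(ipaddress.IPv4Address(candidate)))
        base += size
    return bad

# Constructed pools for two cluster members (not values from the thread).
POOLS = {
    "concentrator-a": ("10.10.20.1", "10.10.20.254", "255.255.255.0"),
    "concentrator-b": ("10.10.21.0", "10.10.21.254", "255.255.255.0"),
}

def audit(pools):
    """Map each pool name to its unusable addresses, omitting clean pools."""
    findings = {}
    for name, (start, end, mask) in pools.items():
        bad = unusable_pool_addresses(start, end, mask)
        if bad:
            findings[name] = bad
    return findings

if __name__ == "__main__":
    for name, bad in audit(POOLS).items():
        print(f"{name}: pool contains unusable address(es): {', '.join(bad)}")
```
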
