Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

VPN Concentrator - VCA In & Out

Got 2 VPN 3080 Concentrator (V3.5.3), and configured to run load-balance (LB).

When configuring these boxes, it's common to add VCA In&VCA Out rules, both for Private and Public interfaces.

However, for Private interface, the rules are automatically replaced/overwritten by another set of rules, as follow :

New rules automatically added to the 1st Concentrator's Private Filter

* (ip - X.X.X.X) :

VCAL2L: Y.Y.Y.Y In (apply IPSec on inbound from Y.Y.Y.Y to X.X.X.X)

VCAL2L: Y.Y.Y.Y Out (apply IPSec on inbound from X.X.X.X to Y.Y.Y.Y)

New rules automatically added to the 2nd Concentrator's Private Filter

(ip - Y.Y.Y.Y) :

VCAL2L: X.X.X.X In (apply IPSec on inbound from X.X.X.X to Y.Y.Y.Y)

VCAL2L: X.X.X.X Out (apply IPSec on inbound from Y.Y.Y.Y to X.X.X.X)

Has anyone configured LB before, and experienced similar changes? Need to know why the VPN Concentrators automatically replaced my previous Private Filter rules, and what happened to the previous VCA In&Out rules?

Since these rules are based on IP Address, can I generalize them like VCA In & VCA Out, and will never be overwritten by the Concentrator again?

Thank you in advance.

Cisco Employee

Re: VPN Concentrator - VCA In & Out

Got these answers from the Product Manager for the CVPN3000 Concentrators:

Ques. What do this rules for? LBSSF? Or, others?

Ans. For sharing load information for LBSSF.

Ques. I have set private filters on each concentrator to include VCA In & VCA

Out rules before setting LBSSF, but they are overwritten by these new rules.

Why? What is happening behind the scene?

Ans. VCA is a "PING" type message. This filter is for sharing the actual

load information including logged in users.

Ques. Why can't they use existing VCA In & VCA Out rules (which come with

factory default)?

Ans. See answer to b). B is a filter, this is to allow an IPsec

communication between the boxes.

Ques. Since these rules are IP Address specific, can I generalize these rules

like VCA In & VCA Out? - with confidence that these rules will not be

overwritten again by concentrators themselves?

Ans. Nope. These are for Ipsec sessions and must be specific.

Hope these answers help, if you have any additional comments/clarifications on these, feel free to ask


Aamir Waheed,

Cisco Systems, Inc.



Re: VPN Concentrator - VCA In & Out

Hi Aamir,

Thank you for the info.

I wonder where can I find details for the above answer (url, etc), or any file that you could share with?