1. With 2 units of Concentrator 3080, which method should I implement, VRRP or Load Balance, to achieve robustness and service availability? What are the things that need to be justified for both VRRP and Load Balance?
2. How do I properly document the VPN configuration rather than taking screenshots of HTML pages, e.g. XML?
3. When I log in to the concentrator manager using TACACS+, this session seems to use up the simultaneous logins allowed. But again, there are some inconsistencies too with regard to which authentication is done first - see below. Please explain. Note that for this experiment, there's no limitation on the number of logins on both our CSACS and Novell LDAP server. And of course, I use the same id for all these experiments:
1. Depends on what you really want. With both types, VPN client connections are going to drop out if one concentrator fails. If you're using VRRP, all the client connections will drop out, but they'll be able to reconnect back in. With load balancing, only half the connections will drop out and they'll be able to reconnect back in. Personally I prefer load balancing.
2. There's really no good way to document the config changes. The config is written as a plain text file and sort of looks like an old win.ini file, so it's not overly intuitive to look at. Really putting in screen shots is the best way (you'll see these in all the sample configs on www.cisco.com).
3. Hmmmm, this is a strange one. Looks like it's hitting some limit either in the 3000 group or on the ACS server. The TACACS admin login shouldn't be using up a login for the group, so it may be a bug, or it may be hitting a limit on the ACS server. The log error certainly seems to indicate it's hitting the 3000 concentrator limit, because if it was on the ACS server you wouldn't see that kind of log message. Maybe open a TAC case and see if they can recreate it for you.
2. How do I properly document the VPN configuration rather than taking screenshots of HTML pages, e.g. XML?
I have been able to FTP the config file to another system (IBM/MVS), and I use that data as input to create a listing of the 'groupnames'. It would really be nice to have a way to create reports like 'Show me all ids that can access 184.108.40.206'.
If anyone has come up with any solutions, I would really appreciate an email to firstname.lastname@example.org so I can quit banging my head on my desk.....
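Added example (not from this thread or from Cisco): the kind of report the poster above is after, built from the win.ini-style config text the earlier answer describes. The section and key names in the sample config are constructed, not the concentrator's real schema, so they are an assumption; the approach (parse the file, index groups by the networks they may reach, then answer "which ids can reach host X") stands regardless.

```python
import configparser
import ipaddress

# Constructed sample in the win.ini-like style the thread describes.
# Section and key names here are hypothetical, not the device's real schema.
SAMPLE_CONFIG = """\
[General]
hostname = vpn-concentrator-1

[Group sales]
members = alice, bob
allowed_networks = 10.1.0.0/16, 192.0.2.0/24

[Group engineering]
members = carol
allowed_networks = 10.2.0.0/16

[Group contractors]
members = dave, erin
allowed_networks = 192.0.2.0/24
"""

def parse_config(text):
    """Parse ini-style text into {group: {'members': [...], 'networks': [ip_network, ...]}}."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    groups = {}
    for section in parser.sections():
        if not section.startswith("Group "):
            continue  # only group sections carry access information
        sec = parser[section]
        members = [m.strip() for m in sec.get("members", "").split(",") if m.strip()]
        networks = [ipaddress.ip_network(n.strip())
                    for n in sec.get("allowed_networks", "").split(",") if n.strip()]
        groups[section[len("Group "):]] = {"members": members, "networks": networks}
    return groups

def list_group_names(groups):
    """The 'listing of groupnames' report."""
    return sorted(groups)

def ids_with_access(groups, host):
    """The 'show me all ids that can access X' report: every member of any group whose networks contain host."""
    addr = ipaddress.ip_address(host)
    ids = set()
    for info in groups.values():
        if any(addr in net for net in info["networks"]):
            ids.update(info["members"])
    return sorted(ids)
```

Point the parser at the FTP'd config instead of SAMPLE_CONFIG once the real section and key names are known; the review question "who can reach this host" is then a one-line query rather than a screenshot hunt.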