
New Member

VPN3020 failover


I've recently "synchronised" the configuration of our 2 3020 boxes using

The only differences I can see in the config now are the IP addressing, hostnames, and master/backup1. However, during a failover test, none of our remote VPN3002 hardware clients will establish a connection to the secondary concentrator when it is active. L2L sessions do come up, however. Just the remote sessions from the HW clients fail.

Any help would be great.



New Member

Re: VPN3020 failover

The Backup LAN-to-LAN feature lets you establish redundancy for your LAN-to-LAN connection. Unlike VRRP, which provides a failover for the VPN Concentrator, Backup LAN-to-LAN provides a failover for the connection itself. Although VRRP and Backup LAN-to-LAN are both ways of establishing continuity of service should a VPN Concentrator fail, Backup LAN-to-LAN provides certain advantages that VRRP does not.

You can configure Backup LAN-to-LAN and load balancing on the same device, but you cannot configure VRRP and load balancing on the same VPN Concentrator.

Redundant Backup LAN-to-LAN peers do not have to be located at the same site. VRRP backup peers cannot be geographically dispersed.

New Member

Re: VPN3020 failover

Thanks for the response. Though with VRRP, when the concentrator fails, the secondary takes over the VRRP address, which all the HW clients are peered to, thus they should be able to re-establish the VPN. I would imagine this is a reasonably common setup, so I'm a little baffled as to why it's not working since the configs are essentially identical. Perhaps a certificate issue?