The only differences I can see in the config now are the IP addressing, hostnames, and master/backup1. However, during a failover test, none of our remote VPN3002 hardware clients will establish a connection to the secondary concentrator when it is active. L2L sessions do come up, however. Just the remote sessions from the HW clients fail.
The Backup LAN-to-LAN feature lets you establish redundancy for your LAN-to-LAN connection. Unlike VRRP, which provides a failover for the VPN Concentrator, Backup LAN-to-LAN provides a failover for the connection itself. Although VRRP and Backup LAN-to-LAN are both ways of establishing continuity of service should a VPN Concentrator fail, Backup LAN-to-LAN provides certain advantages that VRRP does not.
You can configure Backup LAN-to-LAN and load balancing on the same device, but you cannot configure VRRP and load balancing on the same VPN Concentrator.
Redundant Backup LAN-to-LAN peers do not have to be located at the same site. VRRP backup peers cannot be geographically dispersed.
Thanks for the response. Though with VRRP, when the concentrator fails, the secondary takes over the VRRP address, which all the HW clients are peered to, so they should be able to re-establish the VPN. I would imagine this is a reasonably common setup, so I'm a little baffled as to why it's not working since the configs are essentially identical. Perhaps a certificate issue?