I'm planning on migrating my VPN users off the VPN 3000 concentrator. There are many users logged on throughout the day. I would like to make this a graceful migration. I would like to know if there's an option to set the VPN concentrator to no longer accept incoming VPN connections. Thus forcing new users to connect to my backup device. This way current users on the concentrator can continue to work until they are done. I'll just wait until there are 0 active connections before powering off the device.
I appreciate any suggestions. Thanks.
I do not believe there is a feature in vpn3k to force VPN client connections to another VPN gateway.
But what you could do is simply notify those new connections to not use any longer that gateway. Use The banner configuration to ask those connections to disconnect and inform them of the new VPN gateway they need to use. This is the way I got all my VPN users off the VPN concentrator when we decomissioned one 3k at one of our sites.
pick the tunnel group name you use for your VPN clients - Modify Group, then in Client Config TAB scroll down where it Saids Banner under Common Client Parameters.
In that banner you can simply text a message to new connections, ask them to disconnect and used new VPN gateway. Provide them with new gateway information.
another method for future reference if using cisco VPN client would be to pre-configure create .pcf profile files that would have new VPN tunnel gateway information and push those .pcf file to the users to install in their machines.
Thanks for the suggestions. I believe the banner will work well. I'll plan on setting up a banner text about 1 week before the actual decommission.
Is there a way to create a banner for all tunnel groups? I actually have a little over 10 tunnel groups.
You will have to create banner for each tunnel group.. little over 10 tunnel groups is not that bad, simply create a template banner and apply it to each group.
With all due respect to Jorge I interpret your question a bit differently and I believe that there is a way to achieve what your original post asks about.
I assume from your post that you have configured a concentrator to act as the primary and another concentrator to act as the backup. And I assume from the post that the clients have the primary and the backup in their client setup. And if they do not already have that set up in the client there is an option on the concentrator (under group configuration, on the client config tab) to push a backup concentrator to the client when it login to the primary concentrator.
If the clients do have the backup concentrator in their setup then you want to go to the Administration section, to the System Reboot section, and on that page click the Action option to Shutdown without automatic reboot and click the When to Reboot option to Wait for Session to Terminate.
I have done this several times and it lets all existing users continue their sessions until they terminate normally. But the primary will not access any new connections and the clients will simply go to the backup concentrator.
When all user sessions are terminated the concentrator will just wait. And you can monitor this and can power down when you choose to do so.
I have looked for this option i haven`t find. could you pls let me know what is option exactly under clinet tab.
In the concentrator, under configuration, choose the User Management tab, and then choose the Groups option. This should open a page which displays the groups that are configured. Choose the group that you want to configure and click on modify. This should open the configuration of the group. Click the Client Config tab which should bring up options about the client. One of these options is IPSec Backup Servers. In that option there is a pull down menu and you would select the option for Use List Below and input the address of the concentrator which will be the backup.
At that point the concentrator should begin to push to the clients the configured backup server. After you make the change remember to save the config.
I have some queries:
1) After configureing the same in concentrator, Do i need to configure in VPN clinet also?(like file-modify-backpservers) or only concentrator will take care of that also.
2) if my primary concentrator internet is down.how clinet will know that it should go to secondary?
1) After you configure this on the concentrator you do not need to configure anything on the client. When this is configured the concentrator will begin to push this backup concentrator to the client.
2) If you primary concentrator is down then the client will attempt to initiate the ISAKMP negotiation. There will be no response from the primary cocentrator (because it is down) and the client will then attempt to connect to the backup concentrator.
If you have already tested the backup device to work, then it should be pretty straight-forward, provided you use DNS for your outside IP.
You can simply change the DNS A record to point to the backup device's IP address, and when DNS propagates through, and users re-connect, they'll go to the new device. An e-mail in advance to the users would be a good idea, of what you are about to do, and in case they have issues, they should haev instructions on how to get to the original concentrator, by using maybe a different hostname / IP.