2 VPN Concentrator and Statetul state.

hperez · ‎11-15-2005

Hi all

I have 2 vpn3030 in VRRP and load balancing.

I stablish the connection to Virtual IP, and I see the connex go throug one of them. If I shutdown the master, all vpns connections go to the other one.

This is a normal behaviour.

BUT, What happens if VPN-A (master) fails when one vpn connection is stablish ? VPN client disconect..... User, manually, has to reconnect again, and the new connections are stablished with VPN-B.

Is there any way to configure this VPN3030 or VPN Client for stateful connection ? I mean, If VPN-A fails, connections are passed to VPN-B and there is no vpn tunnel down ?

Regards.

Roberto

6callert · ‎11-18-2005

First off I didnt think you were able to do VRRP and load balancing at the same time.

Secondly the load balancing is intended to keep the load at equal percentage so lets say your 3030 is configured for 1500 tunnels. The secondary concentrator will accept 15 connections before the primary will take any. If you have a sufficient # of simultaneous users you should be able to observe the connections progress in this fashion

15 - 0

15 - 15

30 - 15

30 - 30

you get the idea

Unfortunaltely there is no session state information shared between 3000 series concentrators in a cluster. If you suffer a hardware failure users on that concentrator will have thier connections drop and would then have to re-connect to the active node.

'Maybe' VPN's through a PIX or ASA where state information is shared may offer the seamless failover you are looking for