Cisco Employee

config synchronization in a vpn cluster

hi folks,

Does somebody know how two VPN concentrators 3030 with VRRP enabled synchronize their configuration? I haven't found any documentation yet. I assume that it works over VRRP advertisements. I do not believe that, if you configure a new secure connection, you have to do the synchronisation on the Backup by hand. It must be automatic.

Thanks in advance

thomas


8 REPLIES
New Member

Re: config synchronization in a vpn cluster

Unless it has changed recently ...

The 3000s are configured manually, tested to confirm that they can terminate the VPN connections, and then VRRP is added.

Cisco Employee

Re: config synchronization in a vpn cluster

So if you configure a new user on the Master system, you have to do it on the BU as well? That's what I am thinking about; thus it is not a satisfying solution.

New Member

Re: config synchronization in a vpn cluster

Yes, you have to configure both systems manually. We all feel your pain. In fact someone asked for the exact feature request you are looking for, shown in bug CSCdv88787. It was put in a looooong time ago and (obviously) still isn't implemented. So don't hold your breath.

HTH,

Mike

New Member

Re: config synchronization in a vpn cluster

CSCdv88787 states "Rather than have to manually pull the config and drop it into the VRRP peer's box." This suggests that there is a way to take the config from one VPN 3000 and drop it onto another without having to manually update each box in a VRRP cluster. Perhaps CSCdv88787 solves a different problem and it IS possible to use a file to synchronize a pair of VRRP'd 3000s? Can you clarify?

New Member

Re: config synchronization in a vpn cluster

That is correct. Synchronization does not happen over VRRP; you would have to configure the users on both concentrators, or have central user authentication server(s) like ACS to authenticate to, and then you would not have a problem.

You have to think of VRRP like HSRP. You don't sync two router configs over HSRP; they are configured as backup devices.

Cisco Employee

Re: config synchronization in a vpn cluster

Thanks guys, your statements are indeed helpful, and I am going to set the bug watcher on this mentioned bug, in the hope that Cisco will implement this feature soon.

have a nice day

thomas

Silver

Re: config synchronization in a vpn cluster

While you can't sync configs, you can alleviate the need to do so. Once the cluster is up and running, use external authentication using ACS.

Based on the group the user exists in within ACS, ACS can tell the concentrator everything else about the user's session. Therefore, you only need to maintain one or two basic groups on the concentrators. This alleviates the concern about making changes to multiple concentrators for user groups. ACS supports clustered installs for itself, and it will replicate its users and configurations to other ACS servers to provide load sharing and redundancy.

Besides having its own local groups, ACS can authenticate via LDAP or NT and check for that user's membership in a group. Based on this, you can tell the concentrator what group they should belong to, what their filter/ACL is, encryption types allowed, timeouts, firewall rules, protocols allowed, etc. You can pass pretty much everything that can be configured in a concentrator group.

This should provide HA while also increasing user control and concerns about configuration management.

New Member

Re: config synchronization in a vpn cluster

Yeah, but that doesn't help with L2L tunnels. You're typically in a set-it-and-forget-it situation with RA tunnels anyway.
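Since the thread concludes that VRRP peers are configured by hand on each box (and L2L tunnels stay that way even with ACS), the practical risk is silent drift between master and backup. Below is an added drift check, not code from the thread or from Cisco: it compares two exported configurations, ignores keys that legitimately differ per peer, and reports what is missing or changed on the backup. The section/key=value layout and the sample exports are constructed assumptions, not the real VPN 3000 file format.

```python
"""Drift check between two hand-maintained VRRP peer configurations."""

# Constructed sample exports (assumed [section]/key=value layout).
MASTER_CFG = """\
[Users]
alice=group:Sales
bob=group:Eng
carol=group:Sales
[VRRP]
role=master
priority=254
[Interfaces]
private.ip=10.0.0.2
"""
BACKUP_CFG = """\
[Users]
alice=group:Sales
bob=group:Finance
[VRRP]
role=backup
priority=100
[Interfaces]
private.ip=10.0.0.3
"""

# Keys that are expected to differ between peers and must not count as drift.
PEER_SPECIFIC = {("VRRP", "role"), ("VRRP", "priority"), ("Interfaces", "private.ip")}

def parse(text):
    """Map (section, key) -> value; blank lines and '#' comments are skipped."""
    cfg, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            cfg[(section, key.strip())] = value.strip()
    return cfg

def drift(master_text, backup_text, ignore=PEER_SPECIFIC):
    """Report keys absent from the backup, extra on it, or holding other values."""
    m, b = parse(master_text), parse(backup_text)
    shared = (k for k in m if k in b and k not in ignore)
    return {
        "missing_on_backup": sorted(k for k in m if k not in b and k not in ignore),
        "extra_on_backup": sorted(k for k in b if k not in m and k not in ignore),
        "changed": sorted(k for k in shared if m[k] != b[k]),
    }

if __name__ == "__main__":
    for kind, keys in drift(MASTER_CFG, BACKUP_CFG).items():
        print(kind, keys)
```

Run it against real exports taken from both peers after every change; any non-empty list means the backup would behave differently after a VRRP failover.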
