config synchronization in a vpn cluster

Thomas Brunsfeld
Cisco Employee

hi folks,

does somebody know how two VPN concentrators 3030 with VRRP enabled synchronize their configuration? I haven't found any docu yet. I assume that it works over VRRP advertisements. I do not believe that, if you are configuring a new secure connection, you have to do the synchronisation on the Backup by hand. It must go automatic.

tks in advance

thomas

8 Replies

jasobrown
Level 1

Unless it has changed recently ...

The 3000's are configured manually, tested that they can terminate the VPN connections, and then VRRP is added.

So if you configure a new user on the Master system you have to do it on the BU as well? That's what I am thinking about, thus it is not a satisfying solution.

Yes, you have to configure both systems manually. We all feel your pain. In fact someone asked for the exact feature request you are looking for, shown in bug CSCdv88787. It was put in a looooong time ago and (obviously) still isn't implemented. So don't hold your breath.

HTH,

Mike

CSCdv88787 states "Rather than have to manually pull the config and drop it into the VRRP peer's box." This suggests that there is a way to take the config from one VPN 3000 and drop it onto another without having to manually update each box in a VRRP cluster. Perhaps CSCdv88787 solves a different problem and it IS possible to use a file to synchronize a pair of VRRP'd 3000's? Can you clarify?

That is correct .. Synchronization does not happen over VRRP - you would have to configure the users on both concentrators or have central user authentication server(s) like ACS to authenticate to and then you would not have a problem.

You have to think of VRRP like HSRP .. you don't sync 2 router configs over HSRP... They are configured as backup devices.

Tks guys, your statements are indeed helpful and I am going to set the bug watcher on this mentioned bug, in hope that Cisco will implement this feature soon.

have a nice day

thomas

shannong
Level 4

While you can't sync configs, you can alleviate the need to do so. Once the cluster is up and running, use external authentication using ACS.

Based on the group the user exists in within ACS, ACS can tell the concentrator everything else about the user's session. Therefore, you only need to maintain one or two basic groups on the concentrators. This alleviates the concern about making changes to multiple concentrators for user groups. ACS supports clustered installs for itself and it will replicate its users and configurations to other ACS servers to provide load sharing and redundancy.

Besides having its own local groups, ACS can authenticate via LDAP or NT and check for that user's membership in a group. Based on this, you can tell the concentrator what group they should belong to, what their filter/ACL is, encryption types allowed, timeouts, firewall rules, protocols allowed, etc. You can pass pretty much everything that can be configured in a concentrator group.

This should provide HA while also increasing user control and concerns about configuration management.

Yeah, but that doesn't help with L2L tunnels. You're typically in a set-it-and-forget-it situation with RA tunnels anyway.
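Since the thread's conclusion is that VRRP does not sync the two concentrators and the backup must be updated by hand (groups, and the L2L tunnels that ACS cannot cover), the practical check is to diff the two exported configs for drift before a failover exposes a missing group or tunnel. The following is an added example, not code from the thread or from Cisco; it assumes the exports are INI-style "[section]" / "key=value" text (a constructed sample, not the real VPN 3000 CONFIG format) and ignores keys that legitimately differ between peers.

```python
import re
# Constructed sample exports in an INI-like "[section]\nkey=value" layout (an
# assumption for illustration, not the exact VPN 3000 CONFIG file format).
MASTER_CFG = """\
[system]
hostname=vpn3030-master
[vrrp]
priority=254
[group sales]
auth=internal
ipsec-sa=ESP-3DES-MD5
[group engineering]
auth=internal
[l2l branch-office]
peer=203.0.113.10
"""
BACKUP_CFG = """\
[system]
hostname=vpn3030-backup
[vrrp]
priority=100
[group sales]
auth=internal
ipsec-sa=ESP-3DES-SHA
"""
# Keys that legitimately differ between the VRRP master and backup.
PEER_SPECIFIC = {("system", "hostname"), ("vrrp", "priority")}

def parse_cfg(text: str) -> dict:
    """Flatten an INI-like export into {(section, key): value}."""
    section, out = "", {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1)
            continue
        key, _, value = line.partition("=")
        out[(section, key.strip())] = value.strip()
    return out

def config_drift(master: str, backup: str) -> dict:
    """Report what the backup lacks or sets differently, skipping peer-specific keys."""
    m, b = parse_cfg(master), parse_cfg(backup)
    keys = [k for k in m if k not in PEER_SPECIFIC]
    missing = sorted(f"{s}/{k}" for s, k in keys if (s, k) not in b)
    differs = sorted(f"{s}/{k}" for s, k in keys if (s, k) in b and b[(s, k)] != m[(s, k)])
    return {"missing_on_backup": missing, "differs": differs}
```

On the constructed sample this reports the engineering group and the branch-office L2L tunnel as absent on the backup and the sales group's IPsec SA as mismatched; a non-empty report is the cue to update the backup before relying on failover.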
