Cisco Support Community
Community Member

Failover with VPN Concentrator

Hello All,

We have a single VPN concentrator, which is a single point of failure, hence we need your help to mitigate the same.

Topology diagram is attached

Site A & Site B.

Site B has Internet gateways where we have an existing VPN box.

We are planning to introduce a VPN gateway at Site A and place a VPN concentrator there as well.

Our design is as under

Connectivity between both locations & other office is managed by BGP.

Default route is pointed toward Internet Gateway.

Internet Segment Info.

· We have SP Independent IP range

· Failover between 2 SP at Site B is achieved using iBGP & eBGP

Challenge: VPN concentrator single Point of Failure (Cisco VPN Concentrator 3000)

Following are design goals

· Introduce Internet gateways at Site A which will have site gateway level redundancy

· Place one VPN concentrator which will act as a failover between sites

  o If the Site B VPN concentrator is down, the Site A VPN box should take over all the traffic.

  o Replica of Site B active VPN concentrator

Is it possible to achieve the above design goals?

Please help regarding the VPN concentrator. How can I place the VPN concentrator in failover mode, just like we do with firewalls?

Please help

5 REPLIES
Cisco Employee

Re: Failover with VPN Concentrator

Hi Yogesh,

VPN Concentrator supports failover via VRRP. Please find the following document for your reference:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_tech_note09186a0080094490.shtml

In regards to adding failover for VPN Concentrator, do you happen to have a spare VPN Concentrator to run VRRP?

Not sure if you know, however, VPN Concentrator is now end of life, and the last ship date was November 2007, hence you will not be able to purchase VPN Concentrator anymore.

Here is the EOL notification for your reference:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5743/ps5749/ps2284/prod_end-of-life_notice0900aecd805cd5a0.html

Community Member

Re: Failover with VPN Concentrator

This is very useful information...

But I am unlucky here: we don't have another VPN concentrator. But yes, VRRP can be used in my other office, where we have another concentrator which they are using as a cold standby.

As it is EOS, which device has replaced concentrators with similar features?

Note: I am not able to rate the post using the star buttons. How do I rate it?

Regards

Yogesh

Cisco Employee

Re: Failover with VPN Concentrator

Hey Yogesh,

The ASA has replaced the concentrator as a VPN headend. You will find more information regarding product migration here:

http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5743/ps5749/ps2284/prod_end-of-life_notice0900aecd805cd5a0.html#wp9000247

Regards,

Atri.

Community Member

Re: Failover with VPN Concentrator

Hi,

Thanks for advising on the device.

I have sites which are mainly 35-40 km apart, connected via Metro Ethernet links.

Is it possible to run two ASAs in parallel over such a distance, as it is with the VPN concentrator (using VRRP or other technology)?

If yes, how would failover work? Is it like the normal firewalls / ASAs we keep in the same rack?

Regards

Yogesh

Cisco Employee

Re: Failover with VPN Concentrator

Hey Yogesh,

For ASAs you have to configure failover, not VRRP. And yes, you can use LAN-based failover. You will find more information regarding this at the following link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#lanbas

The distance shouldn't be a problem.

Also, you should be able to rate the message if you are signed in. If you are signed in and still not able to rate a message, then drop a note to the forum moderator.

Regards,

Atri
