Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
833
Views
5
Helpful
10
Replies

VPN Load-Balancing

Go to solution
a.hajhamad
Level 4
Level 4

‎05-17-2006 06:31 AM

Hi,

for VPN Concentrators load-balancing, identical configurations must be at the two devices. Does the Master cluster VPN concentrator push its config. to the other members of the clusters, or we need to it manually?

Thanks in advance

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
a.kiprawih
Level 7
Level 7

‎05-17-2006 06:54 PM

Hi Abd Alqader,

The decision whether to use load-balance or VRRP is very much depend on your VPN environment.

Personally, I think the load-balance is good/ideal if you have lots of VPN clients, e.g > 500 users. With 2 load-balanced VPN3K, you can share VPN connectivity equally between the boxes, and will not burden 1 VPN unit at any time. Also, if one of these box is down, the affected vpn clients can still connect to the other unit. But you need to configure backup VPN Server in all VPN Client software configuration to achieve this.

VRRP, on the other hand, has its own advantages. In case of faulty primary VPN unit, all VPN Clients can still connect to one (1) VPN Gateway, as VRRP will virtually allow the backup unit to inherit/use Primary/Active VPN public IP (as gateway). In terms of max no of users, VRRP probably suitable for lower-end model like 3005 (200 IPsec/50 clientless) & 3015 (100 IPSec/75 clientless).

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2284/products_data_sheet09186a00801d3b56.html

However, final decision depends on which option you feel can best suite your environment. There is no right or wrong.

Pls rate if you find this post helps you.

Rgds,

AK

View solution in original post

0 Helpful
10 Replies 10

Go to solution
a.kiprawih
Level 7
Level 7

‎05-17-2006 12:15 PM

Hi,

We need to do it manually for each VPN device. All these devices will be tied together by configuring the Cluster & Device Configuration.

Ref:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a00801f1d82.html

Rgds,

AK

0 Helpful

Go to solution
a.kiprawih
Level 7
Level 7

‎05-17-2006 12:30 PM

To easily configure your second VPN 3000, follow the configuration example on how to replication/synchronize VPN3K configuration - look under "Synchronize the Configurations" (Follow Step 1 to Step 8).

Others are not relevant as it was for the VRRP setup guide.

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2284/products_tech_note09186a0080094490.shtml#synch

It tells you how to replicate configuration from one VPN unit to another in a faster way.

Make sure to configure the Load balance & Cluster portion in your primary unit before doing the replication.

Once this is done, make sure your IP Addresses for the 2nd VPN unit's Private & Public interfaces are configured accordingly.

Rgds,

AK

0 Helpful

Go to solution
a.hajhamad
Level 4
Level 4
In response to a.kiprawih

‎05-17-2006 12:57 PM

Thank you.

I think manual configuration is somewho bad design due to human error. Anyway, I need to configure my private and public IP addresses at the TXT file before uploaded to the non-master cluster devices but what about the cluster config. it will be the same for both master and non-master devices?!

If you please, i need your recommendation, i have two VPN Concentrator 3015 and 3020, which design is best load balancing (two active) or VRRP (one active and the other is idle)?

Thanks in advance

Abd Alqader

0 Helpful

Go to solution
a.kiprawih
Level 7
Level 7

‎05-17-2006 06:54 PM

Hi Abd Alqader,

The decision whether to use load-balance or VRRP is very much depend on your VPN environment.

Personally, I think the load-balance is good/ideal if you have lots of VPN clients, e.g > 500 users. With 2 load-balanced VPN3K, you can share VPN connectivity equally between the boxes, and will not burden 1 VPN unit at any time. Also, if one of these box is down, the affected vpn clients can still connect to the other unit. But you need to configure backup VPN Server in all VPN Client software configuration to achieve this.

VRRP, on the other hand, has its own advantages. In case of faulty primary VPN unit, all VPN Clients can still connect to one (1) VPN Gateway, as VRRP will virtually allow the backup unit to inherit/use Primary/Active VPN public IP (as gateway). In terms of max no of users, VRRP probably suitable for lower-end model like 3005 (200 IPsec/50 clientless) & 3015 (100 IPSec/75 clientless).

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2284/products_data_sheet09186a00801d3b56.html

However, final decision depends on which option you feel can best suite your environment. There is no right or wrong.

Pls rate if you find this post helps you.

Rgds,

AK

0 Helpful

Go to solution
a.kiprawih
Level 7
Level 7

‎05-17-2006 07:28 PM

And in case you decided to use Load Balance, assign priority to both of your 3015 & 3020 as per Cisco recommendation below:

" If your virtual cluster includes different models of VPN Concentrators, we recommend that you choose the device with the greatest load capacity to be the virtual cluster master. For this reason, priority defaults are hardware dependent."

Model ------- Priority

3015 --------> 3

3020 --------> 4

http://www.cisco.com/en/US/partner/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a00801f1d82.html#1072458

Rgds,

AK

Go to solution
a.hajhamad
Level 4
Level 4
In response to a.kiprawih

‎05-18-2006 01:24 AM

Hi,

If the two VPN boxes configured for load balancing, And we need to configure 3020 (priority 9) as a master and the 3015 (Priority 5) as a backup, and as i understood we need to take the configuration file from the 3020 after any changes (daily config :() and put it at 3015, what about the Priority parameters it will be replicated to the secondary 3015, i.e: both boxes will have the same Priority. or we need to change the config file for interfaces IPs and the priority, what about the configured address pools?

Thanks in advance

Abd Alqader

0 Helpful

Go to solution
a.kiprawih
Level 7
Level 7

‎05-18-2006 08:56 AM

HI Abd Alqader,

You're right! You need to change the address pool and priority for the second VPN unit after you replicate the configuration, OR, before your load the config, you can actually edit the config, and look for the pool range and priority no.

Look for '[ipaddrpool 1]' to locate the address pool, and '[lbssf]' for priority.

However, before you replicate Master configuration to the second box, pls make sure that both boxes are loaded with same version.

Rgds,

AK

0 Helpful

Go to solution
a.hajhamad
Level 4
Level 4
In response to a.kiprawih

‎05-18-2006 01:46 PM

Hi AK,

Yes they are the same software version, and i edit the config file before replicate it to the backup box. but you know, this is the first time, Cisco has a bad load balance case.

Does VRRP has a load balance feature or not?

Anyway, thanks alot,,,

and sorry for any interrupting may occur!

Abd Alqader

0 Helpful

Go to solution
a.kiprawih
Level 7
Level 7

‎05-18-2006 06:16 PM

Hi Abd Alqader,

Not a problem, as this forum is meant as a medium to share knowledge/experiences/problems.

VPN 3000 Concentrator can only use either load-balance or VRRP as redundancy/backup mechanism. In VRRP, when active box down, client can re-connect back to the same IP.

Rgds,

AK

0 Helpful

Go to solution
a.hajhamad
Level 4
Level 4
In response to a.kiprawih

‎05-18-2006 10:43 PM

Thank you,

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents