Feedback for VRRP failover wanted.

cairnsm
Level 1

Getting ready to install a second 3030 concentrator for redundancy. Has anyone noted any issues with recovering lan-to-lan tunnels during failover? Any particulars that need to be checked such as IPsec lifetime for the SA? Do remote endpoints even see the failure / force to renegotiate, or does the secondary concentrator simply assume the connection? Any details of the process beyond the shared IP/MAC are appreciated as I can't take my primary out of production for more complete testing.

Thanks,

Mark

3 Replies

engel
Level 2

Hi,

We have completed two installations with VPN3000's VRRP. The following are issues with VPN3000's VRRP design:

1. The failover is NOT transparent from the VPN Client. If the Master is down, the client has to disconnect and reconnect again. It means that the user has to click the disconnect button and click the connect button.

2. The CONFIG file has to be manually synchronized between the Master and the Standby device. There is no automatic update of the CONFIG if you change some parameters at the Master.

The above two issues are my main concern. Hopefully Cisco would address these issues. If anyone has other issues, kindly share here.

Regards,

Engel

How about the LAN-to-LAN... anything special there? According to the latest manual, it takes about 3 to 10 seconds to automatically switch over. However, I wonder if this is a stateful failover, keeping the TCP sessions alive while it switches?

--Chuck

Chuck, the failover of these units worked very well in our situation. Keep in mind that they are not keeping a stateful layer 4 table like a PIX, only providing the end point for your tunnel. The need to establish new TCP sessions will depend on the hosts at each end and specific application resilience to timing issues.

RFC 2338 explains the timing for VRRP failover.

Mark