
Syncing configs on VPN 3000 VRRP master/backup

jwmiller
Level 1

We have been looking for a way to avoid having to manually make changes to both of our VPN 3000s (one in Master role and the other in Backup1). Using this process: 1) take a copy of the CONFIG (text-based) file from the Master (using a name other than CONFIG); 2) copy Master's CONFIG to Backup1; 3) isolate Backup1 by downing the interfaces on the public and private switch ports; 4) use the CLI and console port of Backup1 to delete its CONFIG file; 5) copy the Master CONFIG to CONFIG on Backup1; 6) use the CLI to modify identity, VRRP role, and interface addresses; 7) reboot Backup1; and 8) re-enable Backup1's switch ports -- I found that I can sync the two servers. Is there any reason why I can't manually edit Master's CONFIG file (for identity, etc.) before copying it to Backup1? This would allow a sync without having to use the CLI and without having to isolate Backup1.

1 Reply

pkapoor
Level 3

There is no reason why you cannot do that, as long as your definition of "identity" includes the interface IP addresses as well.

However, I think the more efficient way to do this has been documented at CCO:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_tech_note09186a0080094490.shtml#synch

Here you do not have to use the CLI nor do you have to isolate the Backup. You just have to make sure that you disable VRRP before writing the configuration onto the Backup device. Alternatively, you will not even have to disable the VRRP if you can determine the parameters which you have to change in order to reflect the device as a Backup, in the CONFIG file from the Master.
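One way to determine which parameters have to change, shown as an added example that is not part of the original thread or of Cisco's documentation: diff a Master/Backup pair that is known to be in sync, then keep only those settings from the Backup when building its new file from the current Master CONFIG. The thread only says CONFIG is text-based, so the bracketed-section `key=value` layout and every section and key name below are assumptions, and the sample data is constructed.

```python
import re

SECTION = re.compile(r"^\[(.+)\]$")

def parse_config(text):
    """Map (section, key) -> value for sectioned key=value text (assumed layout)."""
    settings, section = {}, ""
    for line in map(str.strip, text.splitlines()):
        m = SECTION.match(line)
        if m:
            section = m.group(1)
        elif "=" in line and not line.startswith("#"):
            key, value = line.split("=", 1)
            settings[(section, key.strip())] = value.strip()
    return settings

def differing_keys(master_text, backup_text):
    """Keys whose values differ, or exist on one side only, between two configs."""
    m, b = parse_config(master_text), parse_config(backup_text)
    return sorted(k for k in set(m) | set(b) if m.get(k) != b.get(k))

def build_backup_config(master_text, backup_text, device_keys):
    """Master's text, with the Backup's own values kept for device_keys only."""
    backup, section, out = parse_config(backup_text), "", []
    for raw in master_text.splitlines():
        line = raw.strip()
        m = SECTION.match(line)
        if m:
            section = m.group(1)
        elif "=" in line and not line.startswith("#"):
            key = (section, line.split("=", 1)[0].strip())
            if key in device_keys and key in backup:
                raw = f"{key[1]}={backup[key]}"
        out.append(raw)
    return "\n".join(out) + "\n"

# Constructed sample data; section and key names are placeholders.
MASTER_SYNCED = "[interface 1]\naddress=192.0.2.10\n[vrrp]\nrole=master\n[group 1]\nname=staff\n"
BACKUP_SYNCED = "[interface 1]\naddress=192.0.2.11\n[vrrp]\nrole=backup\n[group 1]\nname=staff\n"
# Master after a later change that the Backup has not received yet.
MASTER_NOW = MASTER_SYNCED + "[group 2]\nname=contractors\n"

if __name__ == "__main__":
    keys = differing_keys(MASTER_SYNCED, BACKUP_SYNCED)  # identity-only differences
    print(keys)
    print(build_backup_config(MASTER_NOW, BACKUP_SYNCED, keys))
```

Take the key list from a pair that was just synced: diffing a drifted pair would treat the Master's newer shared settings as device-specific and leave them out of the Backup.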