VPN Concentrator in High Availabilty

rsoave
Level 1

Hi everyone.

I need some help with a High Availability design using VPN Concentrators.

First of all, I will explain how I think about this solution.

I may have a topology where, in the Main Site, I have 02 VPN Concentrators, each one installed on a different ISP and both connected to the same internal network through the inside interfaces. When ISP_A (the default peer for a given connection) goes down, the other VPN Conc. will know that VPN Conc 01 no longer has a connection to the internet and will start to forward packets.

Assume that the remote peer has 02 peers configured to try to connect to, and when the first peer is unavailable, the other peer is preferred.

In my inside network, the gateway used to connect to and reach the remote sites should be transparent.

How can I accomplish this?

Does anybody have, or has anybody had, some experience like that? Is this possible or not?

I am sending the drawing of my proposed solution.

Thanks for the help.

2 Replies

travis-dennis_2
Level 7

This is actually pretty easy. Most, if not all, of Cisco's VPN capable devices allow you to configure a backup head-end. All you have to do is configure your clients (hardware and software can both do this) to connect to Concentrator A. There is an option to configure Concentrator B as a backup server if A cannot be reached.

Here is the link for configuring this in IOS:

http://www.cisco.com/en/US/products/sw/iosswrel/ps5207/products_feature_guide09186a00801541d5.html

The software client has this option whenever you create or modify a VPN connection entry. The Backup Servers tab is readily visible.

The 3002 hardware clients can be configured for backup head-end devices as well. They can be configured in the GUI management under Configuration | System | Tunneling Protocols | IPSec.

By doing it this way both Concentrators are active and the end users/devices do not have to be re-configured. It is not exactly failover but it is HA and transparent.

This is how I always set it up.

If you just have to have "failover", then here is a good link on VRRP to get you started:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_tech_note09186a0080094490.shtml

BGP also comes to mind if you want an actual failover scenario, but it will require a lot more work to set up:

http://www.cisco.com/en/US/tech/tk365/technologies_configuration_example09186a008009456d.shtml

Hope this helps.

Please remember to rate all replies.
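As an added example (not from this thread or from the Cisco documents linked above), here is what the remote-site side of the backup head-end approach looks like on an IOS router: two peers in one crypto map, with Dead Peer Detection so the router notices a dead primary quickly and re-establishes the tunnel to the second concentrator. Addresses, key, and names are placeholders assumed for illustration.

```cisco
! Remote-site IOS router (added example; addresses and names are assumed).
! 203.0.113.1 = Concentrator A reached via ISP_A (primary peer)
! 198.51.100.1 = Concentrator B reached via ISP_B (backup peer)
crypto isakmp policy 10
 encryption aes 256
 hash sha
 authentication pre-share
 group 14
!
crypto isakmp key <PRE-SHARED-KEY> address 203.0.113.1
crypto isakmp key <PRE-SHARED-KEY> address 198.51.100.1
!
! Dead Peer Detection: keepalive every 10 s, retry every 3 s once the peer
! stops answering, so a dead primary is detected in seconds instead of
! waiting for the SA lifetime to expire.
crypto isakmp keepalive 10 3 periodic
!
crypto ipsec transform-set TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
! Two "set peer" lines: the first listed peer is tried first; when DPD
! declares it dead, the next peer is used for the new security association.
crypto map VPN-HA 10 ipsec-isakmp
 set peer 203.0.113.1
 set peer 198.51.100.1
 set transform-set TS
 match address VPN-TRAFFIC
!
! Traffic to protect: remote-site LAN (10.20.0.0/16) to main-site LAN (10.10.0.0/16)
ip access-list extended VPN-TRAFFIC
 permit ip 10.20.0.0 0.0.255.255 10.10.0.0 0.0.255.255
!
interface GigabitEthernet0/0
 description WAN uplink
 crypto map VPN-HA
```

This only covers the remote-site side: at the main site, the inside network must still route return traffic to whichever concentrator currently holds the tunnel, otherwise the reply path breaks even though the remote side failed over correctly.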

OK Dennis, your reply was fantastic.

But I am still in doubt about one thing.

I will use VRRP in my VPN Concentrator environment, which is behind the routers connected to the ISPs.

If my remote site tries to connect to ISP A but the link is down, it will try to connect to ISP B, and if successful, will the packet come back through the VPN Concentrator connected to ISP B (VPN Conc B)? Or is VRRP not capable of identifying that one link is down ahead of the router, so that the Active VPN Conc will try and try to send the packet, and the packet never arrives at its destination?

The routers connected to the ISPs are not mine, they belong to the ISPs, and I can't change any configuration.

Basically, my question is: in this topology, will VRRP work or not? If not, which recommended solution do I need to implement?

I don't know if I have made myself clear, but I think this is a basic doubt when we deal with this kind of topology.

Best Regards.