Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
413
Views
5
Helpful
3
Replies

VPN Concentrator load balancing with private networks behind a router

mhermida
Level 1
Level 1

‎02-08-2006 04:30 AM - edited ‎02-21-2020 02:14 PM

Hi all:

I want to configure two VPN Concentrator 3015 with load balancing, but i have not found documentation about how the redundancy works in the private interface.

I have got some doubts about a network schema like this:

Imagine that there is a router conected to the private LAN, and the networks that VPN Client should access are behind that router. The router, of course, will have static routes to get the networks assigned to VPN Clients through the address of the private interface of the Master in the cluster

So, do you see the problem? How does load balancing works in this case?

I mean, when you configure load balancing, you only specify a virtual IP address for the public interface.

When the master redirects a session to the backup in the cluster, the router in the private LAN goes on sending traffic to the private interface of the master.

Does the master send the traffic to the backup private interface?

It could be the only way that this works, but even then,

What happens if the master goes down? The router goes on sending traffic to the IP of the private interface in the master. But i guess load balancing does not work as VRRP does, and the IP of the master in the private interface is not assumed by the backup in the cluster.

Could someone (who has tested the way it works) confirm the way of operation of load balancing?

Labels:
0 Helpful
3 Replies 3

mheusinger
Level 10
Level 10

‎02-08-2006 05:46 AM

Hello,

I once had a similar system (no 3015 though), where remote clients connected to several central devices. The solution we had in this environment was to enable IP routing between the devices and the router and got host routes inserted (called Inverse Route Injection on the 3015). In fact we used RIPv2, but you can use OSPF on the 3015 as well.

The other option we considered was to have different IP address pools on the redundant VPN gateways. As we had the requirement for some fixed IPs for some "special" users fixed address pools per VPN gateway was not feasible. It might help in your case though.

So have a look at "Client Reverse Route Injection" found at

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a00803ee11d.html#wp1114390

and of course at "Load Balancing Cisco VPN Clients" at

http://www.cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_guide_chapter09186a00803ee03b.html

Combining both features will allow you to properly do load balancing.

Hope this helps! Please rate all posts.

Regards, Martin

mhermida
Level 1
Level 1
In response to mheusinger

‎02-08-2006 08:08 AM

Thank you very much Martin.

I had already evaluated that solution, and even the option of doing static load balancing configuring different pools (although this really wouldn't be load balancing).

But I suppossed that this Cisco feature (load balancing) was intelligent and useful.

I mean, are you sure there is not a way to load balancing only with the load balancing feature of VPN Concentrator? The role of the master is only to decide what concentrator ends the tunnel? Is this its only intelligence?

Can't backup VPN Concentrator assume the private IP address of master, when master fails?

If master VPN Concentrator can only decide who ends a session, then it is a poor load balancing :-)

I would thank you very much if you are really sure and you can confirm me that load balancing only has high availability and virtual IP on the public interface.

Thank you very much again

Best Regards,

Marcos

0 Helpful

mheusinger
Level 10
Level 10
In response to mhermida

‎02-08-2006 09:08 AM

Hello Marcos,

please understand the two parts of the load balancing. The first part is the traffic from the internet to the LAN. This can be handled by the VPN concentrator and you understand how this is achieved with Master distributing the tunnels and so on.

The second part of loadsharing/balancing is the traffic from the LAN back to the VPN clients. Here the router has to decide where to send the IP packets. The VPN concentrator can only give the proper information on where it would make sense to send the IP packets (Client Reverse Route Injection). However it is solely the routers decision where to forward the packets.

The other option would be to send every IP packet to the Master VPN concentrator, which in turn would have to redirect the packet to the proper VPN concentrator. But this would be suboptimal from a performance perspective and also the Master would need all the detailed info about every tunnel established. All this is less desireable than the solution, where the router will send the IP packet to the proper VPN concentrator terminating the tunnel right away.

So to summarize my opinion on this: Load Balancing tunnels between different VPN concentrators should be handled by the concentrators, whereas load balancing of LAN traffic towards the clients should be handled by the router. To allow the latter Client Reverse Route Injection presumably is the best option.

Hope this helps! Please rate all posts.

Regards, Martin

0 Helpful
Customers Also Viewed These Support Documents