07-29-2002 04:39 AM - edited 02-21-2020 11:57 AM
Got 2 VPN 3080 Concentrators (V3.5.3), configured to run load-balancing (LB).
When configuring these boxes, it's common to add VCA In & VCA Out rules, both for the Private and Public interfaces.
However, for the Private interface, the rules are automatically replaced/overwritten by another set of rules, as follows:
New rules automatically added to the 1st Concentrator's Private Filter (ip - X.X.X.X):
VCAL2L: Y.Y.Y.Y In (apply IPSec on inbound from Y.Y.Y.Y to X.X.X.X)
VCAL2L: Y.Y.Y.Y Out (apply IPSec on inbound from X.X.X.X to Y.Y.Y.Y)
New rules automatically added to the 2nd Concentrator's Private Filter (ip - Y.Y.Y.Y):
VCAL2L: X.X.X.X In (apply IPSec on inbound from X.X.X.X to Y.Y.Y.Y)
VCAL2L: X.X.X.X Out (apply IPSec on inbound from Y.Y.Y.Y to X.X.X.X)
Has anyone configured LB before and experienced similar changes? I need to know why the VPN Concentrators automatically replaced my previous Private Filter rules, and what happened to the previous VCA In & Out rules.
Since these rules are based on IP address, can I generalize them like VCA In & VCA Out, so that they will never be overwritten by the Concentrator again?
Thank you in advance.
07-29-2002 11:51 AM
Got these answers from the Product Manager for the CVPN3000 Concentrators:
Ques. What are these rules for? LBSSF? Or others?
Ans. For sharing load information for LBSSF.
Ques. I have set private filters on each concentrator to include VCA In & VCA Out rules before setting LBSSF, but they are overwritten by these new rules. Why? What is happening behind the scenes?
Ans. VCA is a "PING"-type message. This filter is for sharing the actual load information, including logged-in users.
Ques. Why can't they use the existing VCA In & VCA Out rules (which come with the factory default)?
Ans. See the answer to b). B is a filter; this is to allow IPsec communication between the boxes.
Ques. Since these rules are IP address specific, can I generalize these rules like VCA In & VCA Out, with confidence that these rules will not be overwritten again by the concentrators themselves?
Ans. Nope. These are for IPsec sessions and must be specific.
Hope these answers help; if you have any additional comments/clarifications on these, feel free to ask.
Regards,
Aamir Waheed,
Cisco Systems, Inc.
CCIE#8933
-=-
07-29-2002 06:27 PM
Hi Aamir,
Thank you for the info.
I wonder where I can find details for the above answers (URL, etc.), or any file that you could share.
Regards,
Amrih