VPN issues

c.ong
Level 1

1. With 2 units of Concentrator 3080, which method should I implement, VRRP or Load Balance, to achieve robustness and service availability? What are the things that need to be justified for both VRRP and Load Balance?

2. How to properly document the VPN configuration rather than doing the screenshots of HTML pages, e.g. XML?

3. When I log in to the concentrator manager using TACACS+, this session seems to use up the simultaneous logins allowed. But again, there are some inconsistencies too with regard to which authentication is done first - see below. Please explain. Note that for this experiment, there's no limitation on the # of logins on both our CSACS and Novell LDAP server. And of course, I use the same id for all these experiments:

(a) Group's simultaneous login=1; concentrator manager=success; vpn client=fail.

(b) Group's simultaneous login=1; vpn client=success; concentrator manager=fail.

(a) Group's simultaneous login=2; concentrator manager=success; vpn client=success.

(b) Group's simultaneous login=2; vpn client=success; concentrator manager=fail.

(a) Group's simultaneous login=1000; concentrator manager=success; vpn client=success.

(b) Group's simultaneous login=1000; vpn client=success; concentrator manager=fail.

When the login to the concentrator manager fails, the log says...

23129 07/11/2002 15:51:39.210 SEV=3 AUTH/5 RPT=31
Authentication rejected: Reason = Simultaneous logins exceeded for user
handle = 191, server = 10.230.6.225, user = xxx, domain = <not specified>

From the above experiment, I found out that I can't access the concentrator manager whenever I am already in a VPN session (client). How do I manage the concentrator remotely?

Thanks.

3 Replies

gfullage
Cisco Employee

1. Depends on what you really want. With both types, VPN client connections are going to drop out if one concentrator fails. If you're using VRRP, all the client connections will drop out, but they'll be able to reconnect back in. With load balancing, only half the connections will drop out and they'll be able to reconnect back in. Personally I prefer load balancing.

2. There's really no good way to document the config changes. The config is written as a plain text file and sort of looks like an old win.ini file, so it's not overly intuitive to look at. Really putting in screen shots is the best way (you'll see these in all the sample configs on www.cisco.com).

3. Hmmmm, this is a strange one. Looks like it's hitting some limit either in the 3000 group or on the ACS server. The TACACS admin login shouldn't be using up a login for the group, so it may be a bug, or it may be hitting a limit on the ACS server. The log error certainly seems to indicate it's hitting the 3000 concentrator limit, because if it was on the ACS server you wouldn't see that kind of log message. Maybe open a TAC case and see if they can recreate it for you.

sneeland
Level 1

Was there ever a successful solution to:

2. How to properly document the VPN configuration rather than doing the screenshots of HTML pages, e.g. XML?

I have been able to FTP the config file to another system (IBM/MVS) where I use that data as input, and I create a listing of the 'groupnames'. It would really be nice to have a way to create reports like 'Show me all ids that can access 1.2.3.4'.

If anyone has come up with any solutions, I would really appreciate an email to steve.neeland@americawest.com so I can quit banging my head on my desk.....

Thanks!!!
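The kind of report asked for above, as an added example that is not part of any post in this thread and not the concentrator's own tooling: it assumes the FTP'd config is an INI-style text file (the "old win.ini"-like format gfullage describes) and uses a constructed sample with hypothetical section and key names, since the real key names are not given on the page.

```python
import configparser
import ipaddress

# Constructed sample config (hypothetical section/key names, INI-style layout
# in the spirit of the "old win.ini"-like text file described in the thread).
SAMPLE_CONFIG = """\
[General]
hostname = vpn-hub-1

[Group engineering]
allowed_networks = 10.230.6.0/24, 192.168.10.0/24
simultaneous_logins = 2

[Group contractors]
allowed_networks = 192.168.10.0/24
simultaneous_logins = 1

[Group admins]
allowed_networks = 0.0.0.0/0
simultaneous_logins = 1000
"""

def parse_config(text: str) -> configparser.ConfigParser:
    """Parse INI-style config text, keeping key names case-sensitive."""
    cp = configparser.ConfigParser()
    cp.optionxform = str
    cp.read_string(text)
    return cp

def group_names(cp: configparser.ConfigParser) -> list:
    """List group names, i.e. every '[Group <name>]' section in file order."""
    return [s.split(" ", 1)[1] for s in cp.sections() if s.startswith("Group ")]

def groups_that_can_reach(cp: configparser.ConfigParser, host: str) -> list:
    """Report which groups have an allowed network containing the given host
    (the 'show me all ids that can access 1.2.3.4' style report)."""
    target = ipaddress.ip_address(host)
    hits = []
    for section in cp.sections():
        if not section.startswith("Group "):
            continue
        nets = cp.get(section, "allowed_networks", fallback="")
        for net in (n.strip() for n in nets.split(",") if n.strip()):
            if target in ipaddress.ip_network(net, strict=False):
                hits.append(section.split(" ", 1)[1])
                break  # one match per group is enough for the report
    return hits

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("groups:", group_names(cfg))
    print("can reach 192.168.10.7:", groups_that_can_reach(cfg, "192.168.10.7"))
```

Because the input is plain text, the same parsed form can be committed to version control and diffed between changes, which is the documentation trail screenshots cannot give you.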

john.gudmann
Level 1

Q3) On what group are you setting the "Group's simultaneous login=1"; the Base group? It has to be the base group because this is where you first get authenticated, and then it checks the group settings.
