This section explores the features that you can use on the VPN 3000 series concentrator to avoid experiencing a single point of failure for both LAN-to-LAN and Remote Access Client tunnels. In today's network, resiliency with the VPN connection is very crucial. The VPN 3000 Concentrator includes three features that ensure high availability. The following sections delve into the details of these three features.
Redundancy Using VRRP
As the name implies, the Virtual Router Redundancy Protocol (VRRP) provides redundancy for VPN connection to the Concentrator. When you have two or more Concentrators sitting in parallel in your network, you can configure VRRP so that a user can access to the VPN even if one VPN Concentrator is out of service because of a system crash, power failure, hardware failure, physical interface failure, or system shutdown or reboot. In VRRP imple-mentation, Redundant VPN Concentrators are identified by group, a single Master is chosen for the group, and one or more VPN concentrators can be backups of the group's Master. The Master communicates its state to the backup devices, and if the Master fails to communicate its status, VRRP tries each backup in order of precedence. Then the responding backup assumes the role of Master.
In the case of IPsec LAN-to-LAN connections, switchover is fully automatic. This means that when the tunnel is dropped, a new tunnel is re-established automatically and this process is transparent to the LAN-to-LAN users. But, for Remote Access VPN clients, when users are disconnected from the failing system, users are notified of the disruption and can reconnect without changing any connection parameters. Typically switchover occurs within 3 to 10 seconds.
Following are some important points to remember when implementing VRRP in your VPN 3000 series Concentrators deployment:
The following procedure shows how to configure VRRP on the Master and backup systems:
As mentioned before, VRRP is used for high availability not for load sharing. For redundancy and load sharing for VPN Client, you must use clustering, which is discussed next. It is important to note that you must not configure VRRP with Clustering. If both Load Sharing and Redundancy are required for Remote Access VPN, configure Clustering only.
Redundancy and Load Sharing Using Clustering
Clustering provides a robust redundancy mechanism by way of load sharing for a Remote Access VPN Client. If you have two or more VPN concentrators sharing the same private network, you should consider configuring clustering, which will give you both load sharing and backup features. When you have all the VPN concentrators up and load sharing is configured, load balancing directs session traffic to the least loaded device. In this way, load balancing distributes the load among all devices. It makes efficient use of system resources and provides increased performance and high availability.
Logically two or more concentrators are on the same LAN and public networks are grouped together into a virtual cluster to implement load sharing. All the concentrators in the virtual cluster carry session loads; however, one VPN concentrator in the virtual cluster acts as the virtual cluster Master that directs incoming calls to the other concentrators, called secondary devices. The virtual cluster Master monitors all devices in the cluster, tracks how busy each is, and distributes the session load accordingly.
The role of virtual cluster Master is not tied to a physical device; it can shift among devices. Selection of a virtual cluster Master is interesting. If the devices in the virtual cluster are powered up at different times, the first device powered up assumes the role of the virtual cluster Master, and the remainder become secondary devices. If all the devices in the virtual cluster are powered up at the same time, the highest-priority device becomes the virtual cluster Master. However, in these circumstances, if more than one device has the same highest priority, the one with the lowest IP address becomes the virtual cluster Master. When the Master fails, one of the secondary devices becomes Master based on priority, and if the devices are at the same priority level, then the decision will be based on the lowest IP address.
As priority plays an important role, it is very important that you assign the proper priority to devices. If your network has different models of VPN Concentrators, the rule of thumb is to choose the device with the greatest load capacity to be the virtual cluster Master. Therefore, assign the highest priority. Table 8-7 shows recommended priorities that are based on different models of hardware capacity. However, if you have the same models of VPN 3000 concentrators, use configure priority 10 for all the devices to shorten the decision-making time to select the virtual cluster Master.
The virtual cluster appears to outside clients as a single virtual cluster IP address. This IP address is not tied to a specific physical device. It belongs to the current virtual cluster Master; hence, it is virtual. A VPN client attempting to establish a connection connects first to this virtual cluster IP address. The virtual cluster Master then sends back to the client the public IP address of the least-loaded available host in the cluster. In a second transaction (transparent to the user), the client connects directly to that host. In this way, the virtual cluster Master directs traffic evenly and efficiently across resources.
If a machine in the cluster fails, the terminated sessions can immediately reconnect to the virtual cluster IP address. The virtual cluster Master then directs these connections to another active device in the cluster. Should the virtual cluster Master itself fail, a secondary device in the cluster immediately and automatically takes over as the new virtual session Master. Even if several devices in the cluster fail, users can continue to connect to the cluster as long as any one device in the cluster is up and available.
Load balancing works only for remote access VPNs with Cisco VPN Client Release 3.0 and later, or Cisco VPN 3002 Hardware Client Release 3.5 and later. All other clients, including LAN-to-LAN connections, can connect to the VPN concentrator on which load balancing is enabled, but they cannot participate in load balancing. Clustering can only be used as an alternative to VRRP. It is not possible to use both options simultaneously.
Work through the following procedure to configure clustering:
Follow steps 1 through 16 to configure the remainder of the concentrators participating in clustering.
Redundancy Using IPsec Backup Servers
If you do not want to configure VRRP, or a cluster for Remote Access VPN redundancy, you can accomplish this by configuring the IPsec Backup Servers. You can configure a backup server in either of the two ways: