Redundancy VPN 3030 VRRP.

Hello

So I read on the redundancy VRRP 3030; in the example that I see on Cisco's website http://www.cisco.com/warp/public/471/vrrp.html it seems that I only need two IP addresses. The main hub uses both IP VRRP addy for its own interfaces and the actual address of VRRP. Whereas the backup hub watches the VRRP address and guess what addy when it no longer, but it still has its own IP address for its interfaces.

I can see the three addresses used for VRRP for IP address, virtual and two others for the physical interfaces on the segment. Has anyone else done this and did I read this right?

Unfortunately I really do test this with the exception of a brief outage window and want to make sure I have everything well.

Thanks for the replies and I will note all.

Patrick

You read it right. I made a couple of these deployments, you can follow this guide to the letter.

Tags: Cisco Security

Similar Questions

  • VPN 3030 - balancing problem

    Hi all

    I had set up on VPN 3030 of load balancing. On it, he had a few problems. Firstly, the secondary 3030 has more RAM (512) than the primary (128). The secondary was purchased just a month back with 512 M RAM and latest OS 4.1.7.

    (1) land of redirected to the secondary hub, after active LB normal VPN clients. There are more than 10-15 connections that landed on the secondary and none landed on the primary. I understand that this is because the captain now less connections... is that good? But why is there not all connections on the master?

    (2) Web VPN didn't work that well with load balancing enabled. HTTPS protocol and the virtual IP address does not work. When tried with the physical IPs separately, it works, but not with the virtual IP address. Port 443 does not open with the virtual IP address. Why is this? Can I configure something else for this?

    I also noticed that once you activate load balancing, redirection is done directly on physical IP addresses, which means that end users will know the physical IP addresses and connect directly if they need. Why is this? Can someone shed light on this?

    REDA

    To answer one of your questions, I think that primary will have connections only when the secondary a number of minimum connections...

  • IOS VPN 3030

    Hello group,

    I have a small request. I have a VPN 3030 hub, which has installed in IOS 4.1.5. I do not have the 4.1.5 image right now with me and is available for download in cisco. I need this image to another customer. Can I download the 4.1.5 IOS image from the hub? I had seen the tftp option, but it doesn't seem to work.

    Kind regards

    REDA

    You will need to open a TAC case and they can provide it for you. Unfortunately you cannot TFTP the image off the hub.

  • Can I block the user to connect to the VPN 3030 by type of customer or version?

    I would like to block some users who use to connect to our VPN 3030 client Win98 or very old version of VPN client.

    Is there a way to set up my VPN 3030 so I can block customers? I don't want to push new customer for them or that you don't have a server radius or something like that to put them on an isolated network independent.

    I want to configure VPN 3030, is it possible?

    Thank you.

    Jayesh,

    Reach:

    Configuration | User management | Groups

    Go to the specific group and click on modify.

    On the IPSec tab, you will see a section for:

    Customer type & Version limiting

    For example:

    p *: 4.7*

    This will allow the version 4.7 of customers.

    See you soon

    Gilbert

    Write it down, if it can help

  • Impossible to get WebVPN working on chassis VPN 3030

    This v4.1.7P chassis works perfectly for our installation of the client vpn Cisco, no problem. We have decided to extend its usefulness by turning on and configuring WebVPN.

    I did it on a router IOS, Cisco 1841, works very well, so I'm following the same basic procedure to activate it on our vpn 3030.

    But when trying to connect to the vpn 3030 to the public interface of an internet ISP, I even don't get a login window, error, same no nothing. Finally the browser times out and stops.

    I did all the usual steps to enable WebVPN, yet nothing seems to work. I can't admin the box fine internally via https, so I know that work self-signed certificates.

    Any ideas where the attack of this of?

    Thanks, Jeff

    Hi Jeff,

    Try to upgrade to 4.7.x

    This generation of OS is fully operational with WebVPN.

    Check http://cisco.com/en/US/products/hw/vpndevc/ps2284/products_configuration_example09186a008055641a.shtml

    You can ignore the Client SSL part and troubleshoot why didn't not now works for your environment.

    For a complete list of commands/options check:

    http://Cisco.com/en/us/products/HW/vpndevc/ps2284/products_configuration_guide_book09186a00801f1c6d.html

    Please rate if this helped.

    Kind regards

    Daniel

  • VPN 3030 load balancing

    Hi all

    Asked me to configure the load balancing between two hub Cisco VPN (Cisco VPN 3030).

    I set up two such boxes mentioned in the cisco Web site

    https://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_tech_note09186a0080094b4a.shtml

    After you enable VPN load balancing, I get the error described for 30 seconds.

    Quote:

    Master double detected LBSSF [0003a 0889463] and going to SLAVE

    One of my friends told me to try with encryption active but not different.

    I searched in Google but did not get any solution. I am now helpless. If any of you guys have met this kind of problem before, could you please help to solve this problem...

    Thank you

    Please set each device to have different priorities and then charge two devices.

    If this does not work then you can confirm your settings of the VCA have been properly configured and applied to the public interface? The following links provide more details on how to configure filters VCA:

    https://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_tech_note09186a0080094b4a.shtml#C2

    Kind regards
    ATRI

  • Unauthorized access admin on VPN 3030.

    Hello

    ACS 4.1

    2 x 3030 concentrators ver 4.7

    I have problems with administrative access to our backup c3030 VPN via GANYMEDE.

    Scenario: We have a live and a c3030 backup. They will be configured VRRP failover in case of failure on the direct c3030. The direct c3030 is enabled on GANYMEDE and all access is fine.

    According to the doc cisco here:

    http://www.Cisco.com/en/us/products/HW/vpndevc/ps2284/products_configuration_example09186a0080093fe0.shtml

    .. .privilege level is set to 15 on the admin on the c3030 user as well as on the GANYMEDE group, as I have said - everything works fine on the direct c3030.

    I now backup c3030 added the same device group of GANYMEDE network and configured the c3030 with exactly the same setup ACS as the direct c3030. We can log to the backup c3030 via GANYMEDE, we cannot access the admin section and get the error "you don't have sufficient permission to access the specified page.".

    This was curious me for quite awhile, it there's nothing I can find on the web and short to wipe the backup c3030 and back that I'm not sure that there is something we can do?

    I hope that someone out there encountered this problem?

    See you soon.

    I wanted to make sure was, when we try to connect to VPNC (backup), the newspaper of Pass that we obtain NAS IP address as private IP of the interface on the ACS reports. It is, then that's fine.

    This may sound weird, if you have multiple local users on VPNC with 'same' privilege level, change them at the level of different privileges and keep admin 15. And then try again. I think you should have access to consoles, do?

    Kind regards

    Prem

    Please rate if this can help!

  • Certificate for VPN 3030

    Hello

    I try to install a digital certificate from verisign on a vpn (version 4.1.6). hub This certificate must be used for WebVPN - HTTPS (SSL).

    When I try to install the SSL certificate I get following error message:

    Installation of SSL certificate error: incomplete chain.

    (The certificate has a term until 2006. The only note that I found on CCO is that the duration of the certificate is then more 2048).

    Has anyone an idea what is the problem?

    Thanks Horst

    Generally, you will get this message if you have not loaded the cert CA (root) on the 3000 before trying to load the identity cert. You cannot have a certificate of identity for SSL from an external CA server without going through the cert root since this CA server installed also.

    Go to Administration - certificate Mgmt - click here to install a certification authority, install first, then install the SSL certificate.

  • The concentrator vpn 3030 to 4.0.1 upgrade

    Hello

    Please let me know about the minimum memory required to put Worm worm 4.0.1 3.6 VPN concentrator. Currently, I have only 128 MB, is it enough for the upgrade or do we need a upgrade memory too.

    Thank you

    Salim

    You don't need a memory upgrade to concentrator, go ahead and upgrade the code in this topic.

  • Urgent question about loading image file to boot to a concentrator VPN 3030

    Hi Netpros,

    I really hope someone can help me with this URGENT matter. I have an upgrade in 12 hours. By reading the Cisco documentation, I also need to upgrade the boot image file. Here's my question... the cisco image file name is vpn30xxboot - 4.0.Rel.hex but the VPN concentrator would accept 8.3 file names i.e. BOOT file format. TXT... so the question is is it OK to just keep the same hexagonal extension without causing damage to the file... That is, name the file BOOT - 4.hex... your comments are very much appreciated...

    Fernando,

    Take it out '-' usage just and naming BOOT40.hex

    What type of hub? If it's a 3005, you wouldn't need an upgrade of startup code.

    There is enough of an upgrade of startup code if memory is upgraded from 256 to 512 MB - just an info.

    Good luck in your upgrade.

    See you soon

    Gilbert

  • IPSec over TCP works on VPN 3030 interface (3) external?

    I configured the third external interface and can connect with the ESP and UDP tunnel, but not with IPsec over TCP.

    The customer says:

    Unexpected TCP control packet received a.b.c.d, src port 10000, port dst 4408, flags 14: 00

    the hub said nothing, although I tried several event classes

    the document said "IPSec over TCP works with the VPN client software and hardware VPN 3002 client. It only works on the public interface. It is a client to the function of hub only. It does not work for LAN-to-LAN connections. "

    This means - it works on the public interface real, physical?

    or it should work on the external interface if I click on the checkbox to its public interface?

    Thanks for any advice,

    Martin

    IPSec over TCP is designed to operate only on the real public interface #2.

    There were a few technical reasons behind it, among them:

    (1) some clients cancel their tunnels on the private interface (one-arm-config) and that would cause a headache when trying to HTTP through the VPN 3000 if IPSec/TCP has been installed for Port 80/443. We decided to pull out of the private Interface.

    (2) that the external interface #3, we have chosen not to enable IPSec/over TCP Dynamics filters on it mainly because of the load balancing.

    Since the LB only works on real public interface #2, even once, we chose to leave IPSec/TCP out of it.

    Nelson

  • 3030 router Cisco LAN to LAN VPN, can only mount router tunnel

    I am unable to raise a tunnel from inside my VPN concentrator 3030 (IOS 3.5.2) tunnel 3 uses Ethernet as the side private tunnel. Is there some kind of problem on the VPN 3030 internally that does not use the Ethernet IP source 3? Once triggered on the remote side, the tunnel passes and receives traffic and I can ping devices on the remote side of my private network, but I can't ping any remote device from inside the VPN 3030.

    Do you mean that you can now view the tunnel of something related to the 10.255.0.0/24 network, but no ping comes from the VPN3030 itself?

    When you ping the VPN3030 it will automatically use the private IP address I think. Debugging isn't warning us whatever it is the first that you attached is where the Diffie-Hellman group was incompatible. If you have passed Phase 1 but, you will see a debug on the router that is similar to the following message:

    * 26 Nov 08:51:37.901: IPSEC (validate_proposal_request): part #1 of the proposal

    (Eng. msg key.) Local INCOMING = 204.74.161.161, distance = 216.34.168.148,.

    local_proxy = 10.1.215.0/255.255.255.0/0/0 (type = 4),

    remote_proxy = 10.255.0.0/255.255.255.0/0/0 (type = 4),

    Protocol = ESP, transform = esp-3des esp-md5-hmac,

    lifedur = 0 and 0kb in

    SPI = 0 x 0 (0), id_conn = 0, keysize = 0, flags = 0 x 4

    Here you can see that the remote_proxy is 10.255.0.0, which shows that the 3030 uses this network as the source subnet. If you try and ping from the 3030 again run debugging, you will probably see the 172.16.0.0 (the private interface) as the remote_proxy.

    Why is it important that you cannot bring up the tunnel within the 3030 anyway? When would you like to do this?

  • in a cluster of vpn config sync

    Hi people,

    does anyone know how two concentrators vpn 3030 with VRRP active synchronize their configuration? I've yet to find a docu. I guess he's working on VRRP advertisements. I don't think, if you configure a secure connection, you need to do synchronization when backing up by hand. Go automatic.

    TKS in advance

    Thomas

    Yes, you must manually configure both systems. We all feel your pain. In fact, someone asked for the feature accurate that you are looking for, shown in bug CSCdv88787 request. He has been in a looooong long and (obviously) still is not implemented. So don't hold your breath.

    HTH,

    Mike

  • Public interface on VPN 3000

    Hello

    It is as sure to fix the public interface on a VPN 3000 Concentrator on the internet? Or should there be a firewall in front.

    I understand that the public interface is "hardcoded" and only open ports you'd pass firewall anyway, but I just wanted to check with experts to ensure that :-)

    Peter

    Hi Peter,

    I don't think there are major problems involving the public interface of VPN 3030 Internet. It is meant in reality for public access... it is a little hardened to allow only specific protocols... If you have an ID, you can monitor the traffic on this interface and shun unnecessary connections if necessary... you also have filters on the public interface, which allows you to restrict the traffic...

    Setting the VPN behind a firewall increases the complexity of your network. You may as well have this behind, but it will be a little complicated.

    I hope this helps... all the best

    REDA

  • Migration of 3030 to platform ASA?

    Is it kind of automatically migrating my configuration of VPN 3030 a platform to ASA?

    (I hope of course or this migration will be an excruciating experience)

    Is there advice to migration?

    Take a look at the following links...

    http://www.Cisco.com/en/us/products/ps6120/products_installation_guide_chapter09186a00805a899c.html

    http://www.Cisco.com/en/us/docs/security/ASA/asa71/vpn3000_upgrade/upgrade/guide/mievent.html
