The Virtual Router Redundancy Protocol (VRRP) eliminates the single
point of failure inherent in the static default routed environment. VRRP
specifies an election protocol that dynamically assigns responsibility for a
virtual router (a VPN 3000 Series Concentrator cluster) to one of the VPN
Concentrators on a LAN. The VRRP VPN Concentrator that controls the IP
address(es) associated with a virtual router is called the Master, and forwards
packets sent to those IP addresses. When the Master becomes unavailable, a
backup VPN Concentrator takes the place of the Master.

Note: Refer to "Configuration | System | IP Routing | Redundancy" in the
Concentrator Series User Guide or the online Help for that section of
the VPN 3000 Concentrator Manager for complete information on VRRP and how to

There are no specific requirements for this document.

The information in this document is based on the Cisco VPN 3000 Series

The information in this document was created from the devices in a
specific lab environment. All of the devices used in this document started with
a cleared (default) configuration. If your network is live, make sure that you
understand the potential impact of any command.

- Redundant VPN Concentrators are identified by
- A single Master is chosen for the group.
- One or more VPN Concentrators can be Backups of the group's Master.
- The Master communicates its state to the Backup devices.
- If the Master fails to communicate its status, VRRP tries each Backup
  in order of precedence. The responding Backup assumes the role of Master.

Note: VRRP enables redundancy for tunnel connections only. Therefore, if
a VRRP failover occurs, the backup only listens to tunnel protocols and
traffic. Pinging the VPN Concentrator does not work. Participating VPN
Concentrators must have identical configurations. The virtual addresses
configured for VRRP must match those configured on the interface addresses of

VRRP is configured on the public and private interfaces in this
configuration. VRRP applies only to configurations where two or more VPN
Concentrators operate in parallel. All participating VPN Concentrators have
identical user, group, and LAN-to-LAN settings. If the Master fails, the Backup
begins to service traffic formerly handled by the Master. This switchover
occurs in 3 to 10 seconds. While IPsec and Point-to-Point Tunneling Protocol
(PPTP) client connections are disconnected during this transition, users need
only to reconnect without changing the destination address of their connection
profile. In a LAN-to-LAN connection, switchover is seamless.

This procedure shows how to implement this sample configuration.

On the Master and Backup systems:

1. Select Configuration > System > IP Routing > Redundancy. Change only
   these parameters. Leave all other parameters in their default state:

   - Enter a password (maximum of 8 characters) in the Group Password
   - Enter the IP addresses in the Group Shared Addresses (1 Private)
     of Master and all Backup systems. For this example, the address is
     10.10.10.1.
   - Enter the IP addresses in the Group Shared Addresses (2 Public)
     of Master and all Backup systems. For this example, the address is

2. Go back to the Configuration > System > IP Routing > Redundancy
   windows on all units and check Enable

Note: If you configured Load Balancing between the two VPN Concentrators
before and you are now configuring VRRP on them, make sure you take care of
the IP address pool configuration. If you use the same IP pool as before,
you need to change it. This is necessary because the traffic from one IP
pool in a Load Balancing scenario is directed to only one of the VPN

This procedure shows how to synchronize the configuration from Master to
Slave if you use load balancing, or from Primary to Secondary if you use
VRRP.

1. On Master or Primary, select Administration > File Management and from
   the CONFIG row click
2. When the web browser opens with the configuration, highlight and copy
   the configuration (Ctrl-A, Ctrl-C).
3. Paste the configuration in WordPad.
4. Select Edit > Replace and enter the public interface IP address of
   Master or Primary in the Find What field. In the Replace With field,
   enter the IP address that you plan to assign on the Slave or Backup.
   Do the same for the private IP and the external interface if you have
   it configured.
5. Save the file under a name that you choose, but make sure that you save
   it as a "text document" (for example, synconfig.txt). You cannot save
   as .doc (the default) and then change the extension later, because .doc
   saves the format and the VPN Concentrator only accepts text.
6. Go to the Slave or Secondary and select Administration > File
   Management >
7. Enter config.bak in the File on the VPN 3000 Concentrator field and
   browse to the saved file on your PC (synconfig.txt). Then click Upload.
   The VPN Concentrator uploads it and automatically changes the
   synconfig.txt to config.bak.
8. Select Administration > File Management > Swap Configuration Files and
   click OK to make the VPN Concentrator boot up with the uploaded
9. After you are redirected to the System Reboot window, leave the default
   settings and click Apply. After it comes up, it has the same
   configuration as the Master or Primary with the exception of the
   addresses that you previously changed.
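
The Find/Replace step of this procedure, as an added Python example that is not part of the original Cisco document: a plain substring replace of 10.10.10.1 would also rewrite 10.10.10.10, so this version replaces whole addresses only and returns a per-address count to review before upload. The configuration key names and every address other than 10.10.10.1 are constructed for illustration and do not reproduce the real VPN 3000 file format.

```python
import re

# Constructed sample; key names are hypothetical, not the VPN 3000 format.
SAMPLE_CONFIG = (
    "private_address=10.10.10.1\n"
    "private_next_hop=10.10.10.10\n"
    "public_address=192.0.2.1\n"
    "group_shared_private=10.10.10.1\n"
)

# Master/Primary address -> address planned for the Slave/Backup (constructed).
ADDRESS_MAP = {"10.10.10.1": "10.10.10.2", "192.0.2.1": "192.0.2.2"}


def retarget_addresses(config_text, address_map):
    """Swap whole IPv4 addresses in one pass; return (new_text, counts)."""
    # Longest first, one alternation: every address is replaced in a single
    # scan, so a replacement value is never itself replaced again.
    alternation = "|".join(
        re.escape(addr) for addr in sorted(address_map, key=len, reverse=True)
    )
    # The lookarounds reject a match that is part of a longer dotted number,
    # so 10.10.10.1 is not found inside 10.10.10.10 or 110.10.10.1.
    pattern = re.compile(r"(?<![\d.])(?:" + alternation + r")(?!\d)(?!\.\d)")
    counts = dict.fromkeys(address_map, 0)

    def swap(match):
        counts[match.group(0)] += 1
        return address_map[match.group(0)]

    return pattern.sub(swap, config_text), counts


if __name__ == "__main__":
    new_text, counts = retarget_addresses(SAMPLE_CONFIG, ADDRESS_MAP)
    print(new_text)
    # A count higher than expected means the address also appears in another
    # setting (here the shared group address), which must be reviewed by hand.
    print(counts)
    # Write plain text only, as the procedure requires.
    with open("synconfig.txt", "w", encoding="ascii") as out:
        out.write(new_text)
```

In the sample, 10.10.10.1 is replaced twice because the constructed shared group address holds the same value as the interface address, which is the kind of setting the note about the Load Balancing or Redundancy (VRRP) window asks you to recheck.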
Note: Do not forget to change the parameters in the Load Balancing or
Redundancy (VRRP) window. Select Configuration >
System > IP Routing >
Note: Alternatively, select Configuration >
System > Load