Redundancy and Load Sharing Using Clustering
Clustering provides a robust redundancy mechanism by way of load sharing for a Remote Access VPN Client. If you have two or more VPN concentrators sharing the same private network, you should consider configuring clustering, which will give you both load sharing and backup features. When you have all the VPN concentrators up and load sharing is configured, load balancing directs session traffic to the least loaded device. In this way, load balancing distributes the load among all devices. It makes efficient use of system resources and provides increased performance and high availability.
Logically two or more concentrators are on the same LAN and public networks are grouped together into a virtual cluster to implement load sharing. All the concentrators in the virtual cluster carry session loads; however, one VPN concentrator in the virtual cluster acts as the virtual cluster Master that directs incoming calls to the other concentrators, called secondary devices. The virtual cluster Master monitors all devices in the cluster, tracks how busy each is, and distributes the session load accordingly.
The role of virtual cluster Master is not tied to a physical device; it can shift among devices. Selection of a virtual cluster Master is interesting. If the devices in the virtual cluster are powered up at different times, the first device powered up assumes the role of the virtual cluster Master, and the remainder become secondary devices. If all the devices in the virtual cluster are powered up at the same time, the highest-priority device becomes the virtual cluster Master. However, in these circumstances, if more than one device has the same highest priority, the one with the lowest IP address becomes the virtual cluster Master. When the Master fails, one of the secondary devices becomes Master based on priority, and if the devices are at the same priority level, then the decision will be based on the lowest IP address.
As priority plays an important role, it is very important that you assign the proper priority to devices. If your network has different models of VPN Concentrators, the rule of thumb is to choose the device with the greatest load capacity to be the virtual cluster Master. Therefore, assign the highest priority. Table 8-7 shows recommended priorities that are based on different models of hardware capacity. However, if you have the same models of VPN 3000 concentrators, use configure priority 10 for all the devices to shorten the decision-making time to select the virtual cluster Master.
Table 8-7. Priority Suggestions for VPN Concentrators VPN Concentrator Model
Priority Default
3005
1
3015
3
3030
5
3060
7
3080
9
The virtual cluster appears to outside clients as a single virtual cluster IP address. This IP address is not tied to a specific physical device. It belongs to the current virtual cluster Master; hence, it is virtual. A VPN client attempting to establish a connection connects first to this virtual cluster IP address. The virtual cluster Master then sends back to the client the public IP address of the least-loaded available host in the cluster. In a second transaction (transparent to the user), the client connects directly to that host. In this way, the virtual cluster Master directs traffic evenly and efficiently across resources.
If a machine in the cluster fails, the terminated sessions can immediately reconnect to the virtual cluster IP address. The virtual cluster Master then directs these connections to another active device in the cluster. Should the virtual cluster Master itself fail, a secondary device in the cluster immediately and automatically takes over as the new virtual session Master. Even if several devices in the cluster fail, users can continue to connect to the cluster as long as any one device in the cluster is up and available.
Note
Load balancing works only for remote access VPNs with Cisco VPN Client Release 3.0 and later, or Cisco VPN 3002 Hardware Client Release 3.5 and later. All other clients, including LAN-to-LAN connections, can connect to the VPN concentrator on which load balancing is enabled, but they cannot participate in load balancing. Clustering can only be used as an alternative to VRRP. It is not possible to use both options simultaneously.
Work through the following procedure to configure clustering:
Step 1. Identify the filters that you have applied on the interfaces by browsing to Configuration > Interfaces window.
Step 2. Open the Configuration > Policy Management > Traffic Management > Filters window.
Step 3. Select the filter you have applied to the Private interface from Filter list.
Step 4. Click on Assign Rules to Filter to open the Configuration > Policy Management > Traffic Management > Assign Rules to Filter window.
Step 5. Make sure that VCA In (forward/in) and VCA Out (forward/out) are in the Current Rules in Filter list. If they are not in this list, add them and then click Done.
Step 6. Follow steps 1 through 4 for the Public interface as well. Click the Save Needed icon to save your edits.
Step 7. Open the Configuration > System > Load Balancing window to enable and configure load balancing as shown in Figure 8-11.
Figure 8-11. Sample Configuration of cluster on a Concentrator
[View full size image]
Step 8. Enter an IP address in the VPN Virtual Cluster IP Address box from the Public interface IP address network. This is the address VPN Client uses to connect.
Step 9. In the VPN Virtual Cluster UDP Port, keep the default port unless another application is using this port in your network.
Step 10. Check the Encryption check box to enable encryption for the communication among the clustering devices.
Step 11. If you have Encryption checked, specify an IPsec Shared Secret that is common among the Concentrators in the virtual cluster group.
Step 12. Check WebVPN Redirect via DNS if you want to enable DNS redirection instead of IP Address redirection for WebVPN sessions.
Step 13. Under Device Configuration, check the Load Balancing Enable check box to include this VPN Concentrator in the virtual cluster.
Step 14. For Priority, enter a value between 110 (refer to Table 8-7 to make this decision).
Step 15. In the NAT Assigned IP Address text box, enter the translated (public) IP address if this device is behind a NAT device and the IP of this box is translated by the NAT devices. Otherwise, leave it at the default, which is 0.0.0.0.
Step 16. Click Apply and finally Save to complete the configuration of one of the concentrator participants of the virtual cluster.
Follow steps 1 through 16 to configure the remainder of the concentrators participating in clustering.
Redundancy Using IPsec Backup Servers
If you do not want to configure VRRP, or a cluster for Remote Access VPN redundancy, you can accomplish this by configuring the IPsec Backup Servers. You can configure a backup server in either of the two ways:
Manually on the VPN Client You can add multiple host names or IP addresses of VPN Concentrators or clusters per connection on Remote Access VPN Client. To do that, click on Backup Servers tab and then Add, which will allow you to define the VPN Concentrator or the cluster's name or IP address. Be sure to check Enable Backup Servers. On the VPN Concentrator, be sure that you configure User Client Configured List for IPsec Backup Servers under Client Config tab of group configuration under Configuration | User Management | Groups | Modify.
Automatically Push from the VPN Concentrator You can configure group profiles on VPN Concentrator so that VPN Concentrator will push the IPsec Backup Servers list to the VPN Client after the successful connection establishment. To perform this task, go to Configuration > User Management > Groups > Modify to edit the group. Then go under Client Config tab, and select Use List Below for the IPsec Backup Servers. Be sure to define the list of the Backup Concentrators in the box provided.