User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 32 Managing Remote Access VPNs on IOS and PIX 6.3 Devices
Configuring High Availability in Remote Access VPNs (IOS)
Use the High Availability page to configure a High Availability (HA) policy on a Cisco IOS router or
Cisco Catalyst switch in a remote access VPN.
In Security Manager, High Availability (HA) is supported by the creation of an HA group made up of
two or more devices that use Hot Standby Routing Protocol (HSRP) to provide transparent, automatic
device failover. By sharing a virtual IP address, the devices in the HA group present the appearance of
a single virtual device or default gateway to the remote access users. One device in the HA group is
always active and assumes the virtual IP address, while the others are standby devices. The devices in
the group watch for hello packets from active and standby devices. If the active device becomes
unavailable for any reason, a standby device takes ownership of the virtual IP address and takes over the
remote access VPN. This transfer is seamless and transparent to remote access users.
Stateful SwitchOver (SSO) is used to ensure that state information is shared between the HSRP devices
in the HA group. If a device fails, the shared state information enables the standby device to maintain
IPsec sessions without having to re-establish the tunnel or renegotiate the security associations.
Tips
• When configuring an HA group, you must provide an inside virtual IP that matches the subnet of
  one of the interfaces on the device, in addition to a VPN virtual IP that matches the subnet of one of
  the device’s interfaces and is configured with an IPsec proposal. See Configuring an IPsec Proposal
  on a Remote Access VPN Server (IOS, PIX 6.3 Devices), page 32-3.
• A remote access VPN server device on which HA is configured cannot be configured as a hub in a
  site-to-site VPN topology on which HA is configured, using the same outside interface that was used
  for the remote access VPN server.
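One way to check the first tip against an address plan before deploying the policy, as an added example that is not part of the Cisco guide or of Security Manager. The dictionary layout, device and interface names, and addresses are constructed; applying the check to every device in the group, and rejecting a virtual IP that equals an interface's own, network, or broadcast address, are assumptions that go beyond the tip's wording.

```python
import ipaddress

# Constructed sample plan: device names, interface names and addresses are made up.
SAMPLE_DEVICES = {
    "rtr-a": {"Gi0/0": "192.0.2.11/24", "Gi0/1": "10.10.1.11/24"},
    "rtr-b": {"Gi0/0": "192.0.2.12/24", "Gi0/1": "10.10.1.12/24"},
}


def check_ha_group(devices, inside_vip, vpn_vip):
    """Return a list of problems found in an HA group plan (empty list = pass)."""
    problems = []
    if len(devices) < 2:
        problems.append("HA group needs two or more devices")
    for label, vip_text in (("inside", inside_vip), ("VPN", vpn_vip)):
        vip = ipaddress.ip_address(vip_text)
        for dev, ifaces in devices.items():
            parsed = {n: ipaddress.ip_interface(a) for n, a in ifaces.items()}
            # Interfaces on this device whose subnet contains the virtual IP.
            hits = {n: i for n, i in parsed.items() if vip in i.network}
            if not hits:
                problems.append(
                    f"{dev}: {label} virtual IP {vip} matches no interface subnet")
            for name, iface in hits.items():
                net = iface.network
                # Assumption beyond the tip: the shared address must be a free
                # host address, not one a group member already owns.
                if vip == iface.ip:
                    problems.append(
                        f"{dev}: {label} virtual IP {vip} is {name}'s own address")
                elif vip in (net.network_address, net.broadcast_address):
                    problems.append(
                        f"{dev}: {label} virtual IP {vip} is not a host address on {name}")
    return problems


if __name__ == "__main__":
    for inside, vpn in (("10.10.1.1", "192.0.2.1"), ("10.10.2.1", "192.0.2.12")):
        result = check_ha_group(SAMPLE_DEVICES, inside, vpn)
        print(inside, vpn, "->", result or "OK")
```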
Step 1 Do one of the following:
• (Device view) With an IOS device selected, select Remote Access VPN > IPSec VPN > High
  Availability from the Policy selector.
• (Policy view) Select Remote Access VPN > IPSec VPN > High Availability from the Policy Type
  selector. Select an existing policy or create a new one.
The High Availability page opens.
Step 2 Configure the options explained in the following table.