The IPSec backup servers feature provides alternatives for
the VPN 3002 hardware client to connect to the central site when its primary VPN
Concentrator is unavailable. Backup servers can either be configured
individually on the VPN 3002 device or on a per-group basis on the central-site
VPN Concentrator. When configured on the central-site VPN Concentrator, the
Concentrator pushes the backup server policy to all VPN 3002 hardware clients in
the group.

The following characteristics apply to the IPSec backup server feature:

- Each VPN 3002 must connect to the primary VPN Concentrator at least once to
  download a backup server list. A backup server list can’t be downloaded from
  a backup server.
- If the primary VPN Concentrator is unavailable for downloading the backup
  server list and the VPN 3002 has a previously configured backup server list,
  it can continue to connect to the servers on that list.
- If the VPN 3002 has tried all designated backup servers on the list and
  can’t connect, it doesn’t automatically retry. The following trigger a new
  round of attempts:
  - In Network Extension mode, the VPN 3002 attempts a new connection after
    four seconds.
  - In Client mode, the VPN 3002 attempts a new connection when the user
    clicks the Connect Now button on the Monitoring | System Status screen or
    when data passes from the VPN 3002 to the VPN Concentrator.
- Any changes to the configuration of the backup server list during an active
  VPN 3002 session won’t take effect until the next time the VPN 3002 connects
  to its primary VPN Concentrator.
- The VPN Concentrator backup servers needn’t be aware of each other.

The group name, user name, and any passwords configured for the
VPN 3002 must be identical for the primary VPN Concentrator and all backup
servers. Also, if interactive hardware client authentication and/or individual
user authentication are configured for the VPN 3002 on the primary VPN
Concentrator, they must be configured on backup servers as well.
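
An added example (not from the original documentation): a Python check that compares settings collected from the primary and backup concentrators against the requirements above, so a failover cannot land on a server with different credentials or without the authentication features set on the primary. The dictionary keys, server names, and values are assumptions constructed for illustration; they are not a VPN 3000 export format.

```python
import hmac

# Settings the page says must be identical on the primary and every backup.
IDENTICAL = ("group_name", "user_name", "group_password", "user_password")
SECRETS = {"group_password", "user_password"}
# Features that must also be configured on backups when set on the primary.
AUTH_FEATURES = ("interactive_hw_client_auth", "individual_user_auth")


def same_value(field, a, b):
    """Compare two settings; secrets are compared in constant time."""
    if field in SECRETS and isinstance(a, str) and isinstance(b, str):
        return hmac.compare_digest(a.encode(), b.encode())
    return a == b


def audit_backup_servers(primary, backups):
    """Return sorted (server, setting, problem) findings; empty means consistent."""
    findings = []
    for server, cfg in backups.items():
        for field in IDENTICAL:
            if not same_value(field, primary.get(field), cfg.get(field)):
                findings.append((server, field, "differs from primary"))
        for feature in AUTH_FEATURES:
            if primary.get(feature) and not cfg.get(feature):
                findings.append((server, feature, "missing on backup"))
    return sorted(findings)


# Constructed sample data (hypothetical server names and values).
PRIMARY = {"group_name": "branch-3002", "user_name": "hw-client-17",
           "group_password": "example-group-secret",
           "user_password": "example-user-secret",
           "interactive_hw_client_auth": True, "individual_user_auth": True}
BACKUPS = {
    "backup-a": dict(PRIMARY),
    "backup-b": {**PRIMARY, "group_password": "stale-group-secret",
                 "individual_user_auth": False},
}

if __name__ == "__main__":
    for server, setting, problem in audit_backup_servers(PRIMARY, BACKUPS):
        # Report the setting name only; never print the secret values.
        print(f"{server}: {setting} {problem}")
```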