CCNP Security VPN FAQ: Configuring Scalability Features of the VPN 3002 Hardware Client

Q1. What are the ramifications an administrator should consider when planning to use Virtual Router Redundancy Protocol (VRRP) along with reverse route injection (RRI)?

Answer: VRRP (Virtual Router Redundancy Protocol) and RRI (Reverse Route Injection) are incompatible and should not be used together.

Q2. You wish to inject a route from the VPN Concentrator to the VPN 3002 Hardware Client. What routing protocol must you use?

Answer: You must use OSPF if you wish to use the VPN Concentrator to advertise a route to the VPN 3002 Hardware Client.

Q3. You wish to use RIPv1 with Reverse Route Injection. Can this be done?

Answer: You must use RIPV2.

Q4. You are using a backup IPSec server because the primary server was down when the initial tunnel was initiated. The primary server is now up. Will the VPN 3002 Hardware Client restore a connection to the primary? If so, when?

Answer: The connection to the primary server will only be reestablished after a connection to the backup server is terminated.

Q5. What is the timeout period used when attempting to connect to the primary concentrator before a connection will be attempted to a secondary concentrator?

Answer: The timeout period is 8 seconds.

Q6. You tried to connect to your primary concentrator from your VPN 3002 Hardware Client but were unsuccessful. Your 3002 Hardware Client then attempted to connect to your backup concentrator without success. When will the VPN 3002 Hardware client try again?

Answer: Once a VPN 3002 Hardware Client goes through its list of backup concentrators, it will not attempt any more connections until the Connect Now button on the Monitoring | System Status screen is clicked.

Q7. How is load balancing enabled on the VPN 3002 Hardware Client?

Answer: The load-balancing feature is automatic on the VPN 3002 Hardware Client.

Q8. You have three VPN 3015 Concentrators on the same network. Assuming default priority settings, which one will be elected to balance the load?

Answer: The first VPN 3015 Concentrator on the network will balance the load.

Q9. What factors are considered for VPN 3000 Concentrator load balancing with VPN 3002 Hardware Clients or remote access VPN clients?

Answer: Total number of connections, the number of connections on each VPN Concentrator, and the total number of connecting clients are the factors considered during load balancing.

Q10. Which debug class or classes should you enable in order to debug an auto-update?

Answer: The auto-update class is all that is necessary for debugging an auto-update.

Q11. What types of clients may use the auto-update feature?

Answer: Only Windows-based clients and the VPN 3002 Hardware Client can use the auto-update feature.

Q12. When a software update is pending, during the connection process, the concentrator sends a message indicating the IP address of the TFTP server and the software version to be downloaded. What type (protocol) is this message?

Answer: This is an ISAKMP message.

Q13. What client type(s) are permissible to be set on the VPN Concentrator for upgrading clients when using the VPN 3002 Hardware Client?

Answer: Because only the VPN 3002 Hardware Client is able to be upgraded, the only permissible value is vpn3002.

Q14. On the VPN Concentrator, what is the syntax used to specify the TFTP server and the filename used for updating the client software?

Answer: The syntax is tftp://{IP address of server}/(unknown)

Q15. You have configured auto-update to occur. Which device, the VPN Concentrator or the VPN 3002 Hardware Client, recognizes that the software must be updated?

Answer: The VPN 3002 Hardware Client recognizes that the software needs to be updated and starts the update process.

Q16. How is the VPN 3000 Concentrator configured to notify VPN 3002 Hardware Clients that a new software upgrade is available?

Answer: Using the VPN 3000 Concentrator Series Manager, go to Administration | Software Update | Clients. Choose the group. Select Upgrade Clients Now.

Q17. Your VPN 3002 Hardware Client attempts to auto-update. The system appears to “hang” and eventually times out on the download portion of the process. What are two likely causes?

Answer: The two most likely causes are that your VPN 3002 Hardware Client either cannot connect to the TFTP server or the Client does not have sufficient permissions on the server to download the software.

Q18. You have tried to upgrade your VPN 3002 Hardware Client. However, the VPN 3002 Hardware Client keeps trying to upgrade without success. You know that you have connectivity. You can see in the logs that you have been downloading the file. What is the problem?

Answer: The problem is that you have entered an incorrect version number in the VPN Concentrator. If you can see that the file has been downloaded but it still tries to update the software, this is the only explanation.

Q19. Why will some applications not work with either NAT or PAT?

Answer: Some applications, especially very old DOS applications, were written before the OSI model was fully accepted. These applications embed the workstation address within the data instead of relying on TCP/IP to carry the IP address. These programs will fail using either NAT or PAT because the message will be sent back to the workstation address within the data, not the workstation address that was translated.

Q20. Why will PAT cause problems with some applications whereas NAT does not cause these problems?

Answer: Some applications expect to use specific ports. Because PAT changes the ports used, this can cause problems with this type of application.

Q21. What are two main differences between NAT and PAT?

Answer: The first difference between NAT and PAT is that NAT is a one-to-one translation while PAT is a one-to-many translation. The second major difference is that PAT translates ports (either TCP or UDP) as well as source or destination addresses.

Q22. Why is UDP Transparent IPSec (IPSec over UDP) usable with either NAT or PAT when IPSec over TCP is not usable over PAT?

Answer: UDP Transparent IPSec bypasses the effects of NAT and PAT by encapsulating the data traffic within new UDP packets.

Q23. You are using UDP Transparent IPSec on your VPN 3002 Hardware Client. How are filters applied to inbound traffic? How are filters applied to outbound traffic?

Answer: Traffic inbound is decrypted before routing. Traffic outbound is routed and then encrypted.

Q24. What minimum version does the VPN Concentrator have to be running in order to use UDP NAT Transparent IPSec? What version is required on the VPN 3002 Hardware Client?

Answer: Both the VPN Concentrator and the VPN 3002 Hardware Client must be running version 3.0.3 or later software.

Q25. What is the default port for IPSec over UDP?

Answer: The default port is 10000.

Q26. When using IPSec over TCP, how are IKE and IPSec protocols handled in relation to NAT?

Answer: The whole packet is encapsulated within a new IP packet. This allows the new packet to have its source address changed by NAT and the source address and port changed by PAT without worrying about encryption or decryption of the original data.

Q27. You are planning on terminating your VPN 3002 Hardware Client’s VPN tunnel on a Microsoft Proxy Server. Should you use UDP NAT Transparent IPSec (IPSec over UDP) or IPSec over TCP?

Answer: You must use UDP NAT Transparent IPSec because IPSec over TCP will not work with a proxy server.

Q28. What are the ramifications an administrator should consider when planning to use VRRP along with RRI?

Answer: VRRP (Virtual Router Redundancy Protocol) and RRI (Reverse Route Injection) are incompatible and should not be used together.

Q29. You wish to inject a route from the VPN Concentrator to the VPN 3002 Hardware Client. What routing protocol must you use?

Answer: You must use OSPF if you wish to use the VPN Concentrator to advertise a route to the VPN 3002 Hardware Client.

Q30. You wish to use RIPv1 with Reverse Route Injection. Can this be done?

Answer: No. You must use RIPV2.

Q31. Which screen on the VPN Concentrator is used to configure RRI with OSPF?

Answer: The Configuration | System | IP Routing | OSPF screen is used for configuring RRI with OSPF.

Q32. You are using a backup IPSec server because the primary server was down when the initial tunnel was initiated. The primary server is now up. Will the VPN 3002 Hardware Client restore a connection to the primary? If so, when?

Answer: The connection to the primary server will only be reestablished after a connection to the backup server is terminated.

Q33. What is the timeout period used when attempting to connect to the primary concentrator before a connection will be attempted to a secondary concentrator?

Answer: The timeout period is 8 seconds.

Q34. You tried to connect to your primary concentrator from your VPN 3002 Hardware Client but were unsuccessful. Your 3002 Hardware Client then attempted to connect to your backup concentrator without success. When will the VPN 3002 Hardware Client try again?

Answer: Once a VPN 3002 Hardware Client goes through its list of backup concentrators, it will not attempt any more connections until the Connect Now button on the Monitoring | System Status screen is clicked.

Q35. What screen is used to configure backup servers on the VPN 3002 Hardware Client?

Answer: The Configuration | System | Tunneling Protocols | IPSec screen is used to configure backup servers on the VPN 3002 Hardware Client.

Q36. You have three VPN 3015 Concentrators on the same network. Assuming default priority settings, which one will be elected to balance the load?

Answer: The first VPN 3015 Concentrator on the network will balance the load.

Q37. What factors are considered for VPN 3000 Concentrator load balancing with VPN 3002 Hardware Clients or remote access VPN Clients?

Answer: Total number of connections, the number of connections on each VPN concentrator, and the total number of connecting clients are the factors considered during load balancing.

Q38. How is load balancing enabled on the VPN 3002 Hardware Client?

Answer: The load-balancing feature is automatic on the VPN 3002 Hardware Client.

Q39. What types of clients may use the auto-update feature?

Answer: Only Windows-based VPN Clients and the VPN 3002 Hardware Client can use the auto-update feature.

Q40. When a software update is pending, during the connection process, the concentrator sends a message indicating the IP address of the TFTP server and the software version to be downloaded. What type (protocol) is this message?

Answer: This is an ISAKMP message.

Q41. What are two main differences between NAT and PAT?

Answer: The first difference between NAT and PAT is that NAT is a one-to-one translation while PAT is a one-to-many translation. The second major difference is that PAT translates ports (either TCP or UDP), as well as the source or destination address.

Q42. You are the administrator for a network using a single PAT address for connection to the Internet. You want to add two VPN 3002 Hardware Clients behind your PIX firewall. Which type of IPSec will you choose to use?

Answer: You must use IPSec over TCP/IP because IPSec over UDP will not work if you are using PAT and you attempt to have more than one VPN 3002 Hardware Client translated to the same address.

Q43. What minimum version does the VPN Concentrator have to be running in order to use IPSec over TCP/IP? What version is required on the VPN 3002 Hardware Client?

Answer: Both the VPN Concentrator and the VPN 3002 Hardware Client must be running version 3.5 or later software.

Q44. What minimum version does the VPN Concentrator have to be running in order to use UDP NAT Transparent IPSec? What version is required on the VPN 3002 Hardware Client?

Answer: Both the VPN Concentrator and the VPN 3002 Hardware Client must be running version 3.0.3 or later software.

Q45. What is the default port for IPSec over UDP?

Answer: The default port is 10000.

Q46. You have an established tunnel between two sites. From the remote site you are able to ping the inside interface of the VPN Concentrator. However, you are unable to ping anything that lies beyond that point. What is wrong?

Answer: If you can ping the inside interface of the VPN Concentrator, but cannot get beyond that point, the issue is that the interior routing is incorrect. Make sure that the interior routers know that the remote LAN can be reached through the inside interface of the VPN Concentrator.

Q47. You are planning to upgrade your VPN 3002 Hardware Client. You have just received a file named vpn3002-3.0.3.A-k9.bin. What version is this?

Answer: This is version 3.0.3.A. The area between the dashes is the version number.

Q48. You have tried to upgrade your VPN 3002 Hardware Client. However, the VPN 3002 Hardware Client keeps trying to upgrade without success. You know that you have connectivity. You can see in the logs that you have been downloading the file. What is the problem?

Answer: The problem is that you have entered an incorrect version number in the VPN Concentrator. If you can see that the file has been downloaded but it still tries to update the software, this is the only explanation.

Q49. Why will some applications not work with either NAT or PAT?

Answer: Some applications, especially very old DOS applications, were written before the OSI model was fully accepted. These applications embed the workstation address within the data instead of relying on TCP/IP to carry the IP address. These programs will fail using either NAT or PAT because the message will be sent back to the workstation address within the data, not the workstation address that was translated.

Q50. Why will PAT cause problems with some applications whereas NAT does not cause these problems?

Answer: Some applications expect to use specific ports. Because PAT changes the ports used, this can cause problems with this type of application.

Q51. Which debug class or classes should you enable in order to debug an auto-update?

Answer: The AUTOUPDATE class is all that is necessary for debugging an auto-update.

Q52. On the VPN Concentrator, what is the syntax used to specify the TFTP server and the filename used for updating the client software?

Answer: The syntax is tftp://{IP address of server}/(unknown).

Q53. You have configured auto-update to occur. Which device, the VPN Concentrator or the VPN 3002 Hardware Client, recognizes that the software must be updated?

Answer: The VPN 3002 Hardware Client recognizes that the software needs to be updated and starts the update process.

Q54. What client type(s) are permissible to be set on the VPN Concentrator for upgrading clients when using the VPN 3002 Hardware Client?

Answer: Because only the VPN 3002 Hardware Client is able to be upgraded, the only permissible value is vpn3002.

Q55. How is the VPN 3000 Concentrator configured to notify VPN 3002 Hardware Clients that a new software upgrade is available?

Answer: Using the GUI, go to Administration | Software Update | Clients. Choose the group. Select Upgrade Clients Now.

Q56. Your VPN 3002 Hardware Client attempts to auto-update. The system appears to “hang” and eventually times out on the download portion of the process. What are two likely causes?

Answer: The two most likely causes are that your VPN 3002 Hardware Client either cannot connect to the TFTP server or the Client does not have sufficient permissions on the server to download the software.

Q57. In Network Extension mode, how long will the VPN 3002 Hardware Client wait before attempting to connect to a backup server if a connection to the primary server fails?

Answer: In Network Extension mode, the VPN 3002 Hardware Client will wait 4 seconds before attempting to connect to a backup server.

Q58. Will a VPN 3002 Hardware Client connected to a backup server recognize that the primary server has added a new backup server?

Answer: No. The VPN 3002 Hardware Client will only recognize a new backup server if it is connected to the primary server.

Q59. Does the VPN 3002 Hardware Client send keepalives to other VPN 3002 Hardware Clients connected to the same primary or backup server?

Answer: No. VPN 3002 Hardware Clients have no knowledge of other VPN 3002 Hardware Clients unless their inside interfaces are on the same LAN. In this case, this is only used for load balancing.

Q60. Where are hold-down routes configured?

Answer: Hold-down routes are configured on the concentrator from the Configuration | System | IP Routing | Reverse Route Injection screen.

Q61. What protocols may be used with LAN-to-LAN Autodiscovery?

Answer: RIP is the only protocol currently available for use with LAN-to-LAN autodiscovery.

Q62. When using IPSec over TCP, how are IKE and IPSec protocols handled in relation to NAT?

Answer: The entire packet is encapsulated within a new IP packet. This allows the new packet to have its source address changed by NAT and the source address and port changed by PAT without worrying about encryption or decryption of the original data.

Q63. You are planning on terminating your VPN 3002 Hardware Client’s VPN tunnel on a Microsoft Proxy Server. Should you use UDP NAT Transparent IPSec (IPSec over UDP) or IPSec over TCP?

Answer: You must use UDP NAT Transparent IPSec because IPSec over TCP will not work with a proxy server.

About the author

Scott