Virtual Private Network: High Availability & Load Balancing

This page describes features of our VPN that may be of interest to LAN Administrators and Service Desk staff.

There are two High Availability (HA) mechanisms implemented on the VPN head-end infrastructure. The HA mechanism used will depend upon what type of tunnel is requested by the client.

IPsec & AnyConnect Clients

  • The cluster lead is elected by the cluster members.
  • Clients use a referral mechanism: the initial connection is to a virtual address (tc-vpn-1.vpn.umn.edu, 160.94.217.90) that is controlled by the cluster lead.
  • The cluster lead determines which cluster member has the lowest number of attached clients and refers the client to that member.
  • The client sets up a tunnel with the cluster member.

L2TP over IPsec Clients

  • L2TP connections cannot be load balanced directly.
  • L2TP clients will be configured to use a DNS round-robin facility instead.
  • The L2TP client resolves the service name nct.vpn.umn.edu (native client termination) to the list of outside IP addresses associated with the cluster members.
  • The L2TP client connects to the first cluster member in the list.
  • If that cluster member is down, the client connects to the next address in the list.
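The two selection behaviours above (least-loaded referral for IPsec/AnyConnect, ordered round-robin failover for L2TP) modelled in Python as an added example; this is not code from the VPN head-end. Only the service names and the virtual address 160.94.217.90 come from this page; the member addresses and client counts are constructed placeholders, and the resolver argument lets the functions run offline.

```python
import socket
from typing import Callable, Dict, List, Optional

# Constructed sample DNS data (assumption): names are from the page, the
# nct.vpn.umn.edu member addresses are documentation-range placeholders.
SAMPLE_DNS: Dict[str, List[str]] = {
    "tc-vpn-1.vpn.umn.edu": ["160.94.217.90"],
    "nct.vpn.umn.edu": ["192.0.2.11", "192.0.2.12", "192.0.2.13"],
}


def resolve_all(name: str, lookup: Optional[Dict[str, List[str]]] = None) -> List[str]:
    """Return every IPv4 address a name resolves to (the full round-robin set).

    With `lookup` supplied, answers come from that table; otherwise the real
    resolver is used. A service desk check is that nct.vpn.umn.edu returns
    one address per cluster member, since failover depends on that list.
    """
    if lookup is not None:
        return list(lookup.get(name, []))
    infos = socket.getaddrinfo(name, None, socket.AF_INET, socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def refer_client(attached_clients: Dict[str, int]) -> str:
    """Cluster-lead referral: pick the member with the fewest attached clients.

    Ties are broken by member name so the choice is deterministic.
    """
    return min(attached_clients, key=lambda m: (attached_clients[m], m))


def l2tp_pick_member(addresses: List[str], is_up: Callable[[str], bool]) -> Optional[str]:
    """L2TP client failover: walk the resolved list in order, first reachable wins.

    Returns None when no member answers, which is what a client sees when the
    whole cluster is down or DNS returned an empty set.
    """
    for addr in addresses:
        if is_up(addr):
            return addr
    return None


if __name__ == "__main__":
    members = resolve_all("nct.vpn.umn.edu", SAMPLE_DNS)
    print("L2TP picks:", l2tp_pick_member(members, lambda a: a != members[0]))
    print("Referral picks:", refer_client({"m1": 40, "m2": 12, "m3": 25}))
```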