Shutting down your VPN
A common method for medium-sized businesses and small ISPs to implement dial-in solutions is to have multiple Remote Access Concentrators answering the same phone number or configured in a "hunt group". With this configuration, when it's time to take one down for maintenance, the other one can continue answering calls so the service is never disrupted. However, how do you get the users off the box so you can work on it without simply disconnecting them and causing an outage?
Unfortunately, most access solutions don't support the ability to move a client's session transparently from one remote-access server to another, but with sufficient advance notice, you should be able to get around this.
Do this by configuring the remote access server to stop accepting new connections, but not disconnect the existing sessions. For instance, if your users' average call is 1 hour, then two or three hours before your scheduled maintenance window, configure your server to stop accepting new connections.
The exact procedure varies by vendor. If you're using Microsoft's Windows 2000 or NT Server as a remote access solution, you can prevent new connections by pausing the service you're using from the Computer Management/Services dialog. If your access server is a Cisco IOS box using the VPDN features, you can accomplish the same thing by issuing the "vpdn softshut" command from the Router(config)# prompt.
If you have access to the phone system, you may also be able to do this by taking that server's number out of the hunt group.
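The following Python example is added here and is not part of the original tip. It sizes the advance notice from past session lengths instead of the average alone, and checks after the cut-off that no session has started since; the session data, dates and function names are constructed for illustration.

```python
import math
from datetime import datetime, timedelta

# Constructed sample: lengths in minutes of ten past sessions (mean = 60,
# matching the one-hour average used in the text).
PAST_SESSIONS_MIN = [5, 10, 15, 20, 30, 40, 45, 60, 75, 300]

def lead_for_coverage(durations_min, pct):
    """Nearest-rank percentile: the lead time (minutes) after which pct% of
    sessions started just before the cut-off would already have ended."""
    ordered = sorted(durations_min)
    rank = max(1, math.ceil(pct * len(ordered) / 100))
    return ordered[rank - 1]

def share_still_connected(durations_min, lead_min):
    """Fraction of past sessions that lasted longer than the lead time."""
    return sum(d > lead_min for d in durations_min) / len(durations_min)

def audit_drain(active, cutoff):
    """Split active sessions (user, start) into those that started after the
    cut-off (the server is still accepting calls) and those left to drain."""
    late = [u for u, start in active if start > cutoff]
    draining = [u for u, start in active if start <= cutoff]
    return late, draining

if __name__ == "__main__":
    window = datetime(2000, 6, 10, 2, 0)       # constructed maintenance start
    cutoff = window - timedelta(hours=3)       # the text's "three hours before"
    print("90% lead (min):", lead_for_coverage(PAST_SESSIONS_MIN, 90))
    print("still up after 3 h:", share_still_connected(PAST_SESSIONS_MIN, 180))
    active = [("alice", datetime(2000, 6, 9, 22, 15)),   # constructed sessions
              ("bob", datetime(2000, 6, 9, 23, 40))]
    print(audit_drain(active, cutoff))
```

A non-empty first list from audit_drain means the server accepted a call after the cut-off, so the pause or soft shutdown did not take effect.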
Thomas Alexander Lancaster IV is a consultant and author with over ten years' experience in the networking industry, focused on Internet infrastructure.