05-13-2011 07:21 PM
Hi
Has anyone seen this error before and can explain it?
The KS is running 15.1.
The GM is running 12.4(15)T10 on an 1800 platform, and for various reasons an upgrade of IOS isn't possible.
The KS is behind a load balancer, and the group is set up at this time on one of the KSs in the VIP to eliminate the load balancer.
crypto gdoi group TEST
 identity number 3800
 server local
  rekey lifetime seconds 5400
  rekey retransmit 30 number 2
  rekey authentication mypubkey rsa XXXXX
  rekey transport unicast
  sa ipsec 1
   profile atm-profile
   match address ipv4 service-policy-test
   replay time window-size 100
  address ipv4 10.32.4.10
The rekey lifetime is set low to test that when the ISAKMP SA times out we don't lose connectivity, which we have seen in other tests with other code versions.
It all looks good except that the rekeys fail more often than they succeed; they do succeed sometimes, but more often than not they fail and force a re-registration.
.May 14 09:43:08.685 aest: GDOI:INFRA:(0:2164:HW:0): SA TEK spi is 0x6A60ECF0 , current KD TEK spi is 0x6A60ECF0
.May 14 09:43:08.685 aest: GDOI:INFRA:(0:2164:HW:0): lifetime is 3600 seconds
.May 14 09:43:08.685 aest: GDOI:INFRA:(0:2164:HW:0):TEK Integrity Key 20 bytes
.May 14 09:43:08.685 aest: GDOI:INFRA:(0:2164:HW:0):Completed KeyPkt Processing
.May 14 09:43:08.685 aest: GDOI:INFRA:(0:2164:HW:0):processing GDOI Key Packet, message_id -2099293136
.May 14 09:43:08.685 aest: GDOI:INFRA:(0:2164:HW:0): Processing KEK KD
.May 14 09:43:08.685 aest: GDOI:INFRA:(0:2164:HW:0):Completed KeyPkt Processing
.May 14 09:43:08.685 aest: GDOI:INFRA:(0:2164:HW:0):Unicast Rekey from KS 1
.May 14 09:43:08.689 aest: GDOI:INFRA:(ATM-TEST:0:2164:HW:0):GDOI REKEY ACK sent successfully by GM from 172.28.223.253 to 10.32.4.10 for seq # 1 using spi 5E57F9B6F9C6D222
.May 14 09:43:08.689 aest: %GDOI-5-GM_RECV_REKEY: Received Rekey for group TEST from 10.32.4.10 to 172.28.223.253 with seq # 1
........ Extra lines removed, lines like:
.May 14 09:43:08.721 aest: GDOI:INFRA:(ATM-TEST:0:0:N/A:0):crypto exact match ace number : 1
.May 14 09:43:08.721 aest: GDOI:INFRA:(ATM-TEST:0:0:N/A:0):crypto exact match ace number : 1
.May 14 09:43:08.689 aest: GDOI:INFRA:(ATM-TEST:0:2164:HW:0): using SPI 5E57F9B6F9C6D222
.May 14 09:43:08.733 aest: GDOI:INFRA:(ATM-TEST:0:0:N/A:0):crypto exact match ace number : 23
.May 14 09:43:08.733 aest: GDOI:GM:(0:0:N/A:0):Unicast Rekey installed 23 new ipsec SA(s) for group TEST.
.May 14 09:43:08.733 aest: GDOI:GM:(ATM-TEST:0:0:N/A:0):min_tek_life_time is -1. Re-register now.
On the KS:
show crypto gdoi ks member 172.28.223.253
Group Memeber not Found
Number of rekeys sent for group TEST : 60
Group Member ID : 172.28.223.253
Group ID : 3800
Group Name : ATM-TEST
Key Server ID : 10.32.4.10
Rekeys sent : 60
Rekeys retries : 4
Rekey Acks Rcvd : 59
Rekey Acks missed : 0
Sent seq num : 2 3 1 2
Rcvd seq num : 2 3 1 2
Any ideas?
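To make the failure pattern in the GM debug output above countable rather than eyeballed, here is an added Python triage script (not from the original post or from Cisco) that parses the quoted GDOI lines and tallies, per group, rekeys received, SAs installed, and rekeys that ended in "min_tek_life_time is -1. Re-register now." The sample log is constructed from the lines quoted in the post; the regexes assume the message formats shown there.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: GM debug lines as quoted in the post above.
SAMPLE_LOG = """\
.May 14 09:43:08.685 aest: GDOI:INFRA:(0:2164:HW:0): lifetime is 3600 seconds
.May 14 09:43:08.689 aest: %GDOI-5-GM_RECV_REKEY: Received Rekey for group TEST from 10.32.4.10 to 172.28.223.253 with seq # 1
.May 14 09:43:08.733 aest: GDOI:GM:(0:0:N/A:0):Unicast Rekey installed 23 new ipsec SA(s) for group TEST.
.May 14 09:43:08.733 aest: GDOI:GM:(ATM-TEST:0:0:N/A:0):min_tek_life_time is -1. Re-register now.
"""

TS_RE = re.compile(r"^\.?(\w{3} \d+ \d\d:\d\d:\d\d\.\d+ \w+):")
RECV_RE = re.compile(r"GM_RECV_REKEY: Received Rekey for group (\S+) from (\S+) to (\S+) with seq # (\d+)")
INSTALL_RE = re.compile(r"Unicast Rekey installed (\d+) new ipsec SA\(s\) for group (\S+)\.")
REREG_RE = re.compile(r"min_tek_life_time is (-?\d+)\. Re-register now\.")


@dataclass
class GroupStats:
    rekeys_received: int = 0
    sas_installed: int = 0
    forced_rereg: list = field(default_factory=list)  # (timestamp, min_tek_life_time)


def analyze_gdoi_log(text):
    """Tally GM rekey events per GDOI group from debug output.

    A rekey that installs SAs and is then followed by the re-register
    message is the failure the post describes: the rekey was ACKed but
    left no usable TEK lifetime, so the GM re-registers with the KS.
    """
    stats, last_group = {}, None
    for line in text.splitlines():
        m_ts = TS_RE.match(line)
        ts = m_ts.group(1) if m_ts else "?"
        if m := RECV_RE.search(line):
            last_group = m.group(1)
            stats.setdefault(last_group, GroupStats()).rekeys_received += 1
        elif m := INSTALL_RE.search(line):
            last_group = m.group(2)
            stats.setdefault(last_group, GroupStats()).sas_installed += int(m.group(1))
        elif (m := REREG_RE.search(line)) and last_group is not None:
            # The re-register line carries a bracketed label (ATM-TEST in the
            # post), not "for group <name>", so attribute it to the last group seen.
            stats[last_group].forced_rereg.append((ts, int(m.group(1))))
    return stats


def rekey_failure_rate(stats):
    """Fraction of received rekeys that ended in a forced re-registration."""
    received = sum(s.rekeys_received for s in stats.values())
    forced = sum(len(s.forced_rereg) for s in stats.values())
    return forced / received if received else 0.0
```

Run it over a longer `debug crypto gdoi` capture to get the actual failure rate instead of the "more often than not" impression; a rate near 1.0 with non-zero `sas_installed` confirms the rekey itself is delivered and the problem is the TEK lifetime the GM computes afterwards.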