GDOI GM with Unicast KS rekey failure

u2637ps
Level 1

Hi

Has anyone seen this error before and can explain it?

The KS is running 15.1

The GM is running 12.4(15)T10 on an 1800 platform, and for various reasons an IOS upgrade isn't possible.

The KS is behind a load balancer, and the group is set up at this time on one of the KSs in the VIP to eliminate the load balancer.

crypto gdoi group TEST
identity number 3800
server local
  rekey lifetime seconds 5400
  rekey retransmit 30 number 2
  rekey authentication mypubkey rsa XXXXX

  rekey transport unicast
  sa ipsec 1
   profile atm-profile
   match address ipv4 service-policy-test
   replay time window-size 100
  address ipv4 10.32.4.10

The rekey lifetime is set low to test that when the ISAKMP SA times out we don't lose connectivity, which we have seen in other tests with other code versions.

It all looks good except that the rekeys fail more often than they succeed. They do succeed sometimes, but more often than not they fail and force a re-registration.


.May 14 09:43:08.685 aest: GDOI:INFRA:(0:2164:HW:0): SA TEK spi is 0x6A60ECF0  , current KD TEK spi is 0x6A60ECF0

.May 14 09:43:08.685 aest: GDOI:INFRA:(0:2164:HW:0):                   lifetime is 3600 seconds
.May 14 09:43:08.685 aest: GDOI:INFRA:(0:2164:HW:0):TEK Integrity Key 20 bytes
.May 14 09:43:08.685 aest: GDOI:INFRA:(0:2164:HW:0):Completed KeyPkt Processing
.May 14 09:43:08.685 aest: GDOI:INFRA:(0:2164:HW:0):processing GDOI Key Packet, message_id  -2099293136
.May 14 09:43:08.685 aest: GDOI:INFRA:(0:2164:HW:0): Processing KEK KD
.May 14 09:43:08.685 aest: GDOI:INFRA:(0:2164:HW:0):Completed KeyPkt Processing
.May 14 09:43:08.685 aest: GDOI:INFRA:(0:2164:HW:0):Unicast Rekey from KS 1

.May 14 09:43:08.689 aest: GDOI:INFRA:(ATM-TEST:0:2164:HW:0):GDOI REKEY ACK sent successfully by GM from
172.28.223.253 to 10.32.4.10 for seq # 1 using spi 5E57F9B6F9C6D222
.May 14 09:43:08.689 aest: %GDOI-5-GM_RECV_REKEY: Received Rekey for group TEST from 10.32.4.10 to 172.28.223.253 with seq # 1

........ Extra lines removed, lines like:

.May 14 09:43:08.721 aest: GDOI:INFRA:(ATM-TEST:0:0:N/A:0):crypto exact match ace number : 1

.May 14 09:43:08.721 aest: GDOI:INFRA:(ATM-TEST:0:0:N/A:0):crypto exact match ace number : 1


.May 14 09:43:08.689 aest: GDOI:INFRA:(ATM-TEST:0:2164:HW:0): using SPI 5E57F9B6F9C6D222
.May 14 09:43:08.733 aest: GDOI:INFRA:(ATM-TEST:0:0:N/A:0):crypto exact match ace number : 23

.May 14 09:43:08.733 aest: GDOI:GM:(0:0:N/A:0):Unicast Rekey installed 23 new ipsec SA(s) for group TEST.

.May 14 09:43:08.733 aest: GDOI:GM:(ATM-TEST:0:0:N/A:0):min_tek_life_time is -1. Re-register now.

On the KS

show crypto gdoi ks member 172.28.223.253
Group Memeber not Found

Number of rekeys sent for group TEST : 60

Group Member ID    : 172.28.223.253
Group ID          : 3800
Group Name        : ATM-TEST
Key Server ID     : 10.32.4.10
Rekeys sent       : 60
Rekeys retries    : 4
Rekey Acks Rcvd   : 59
Rekey Acks missed : 0

Sent seq num : 2       3       1       2
Rcvd seq num :  2       3       1       2

Any ideas?
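A small triage script, added here and not part of the original post, that reads GM debug output in the format quoted above and groups it into rekey events. It flags the two things visible in the log: a rekey whose delivered "SA TEK spi" is the same SPI already installed ("current KD TEK spi"), and a rekey that ends with "min_tek_life_time is -1. Re-register now." The sample log is constructed from the quoted lines plus one clean rekey for contrast; the regexes and field names are assumptions, not IOS APIs.

```python
import re

# Constructed sample: the post's rekey (seq 1) plus one healthy rekey (seq 2).
SAMPLE_LOG = """\
.May 14 09:43:08.685 aest: GDOI:INFRA:(0:2164:HW:0): SA TEK spi is 0x6A60ECF0  , current KD TEK spi is 0x6A60ECF0
.May 14 09:43:08.685 aest: GDOI:INFRA:(0:2164:HW:0):                   lifetime is 3600 seconds
.May 14 09:43:08.685 aest: GDOI:INFRA:(0:2164:HW:0):Unicast Rekey from KS 1
.May 14 09:43:08.689 aest: %GDOI-5-GM_RECV_REKEY: Received Rekey for group TEST from 10.32.4.10 to 172.28.223.253 with seq # 1
.May 14 09:43:08.733 aest: GDOI:GM:(0:0:N/A:0):Unicast Rekey installed 23 new ipsec SA(s) for group TEST.
.May 14 09:43:08.733 aest: GDOI:GM:(ATM-TEST:0:0:N/A:0):min_tek_life_time is -1. Re-register now.
.May 14 11:13:09.100 aest: GDOI:INFRA:(0:2165:HW:0): SA TEK spi is 0x1A2B3C4D  , current KD TEK spi is 0x6A60ECF0
.May 14 11:13:09.100 aest: GDOI:INFRA:(0:2165:HW:0):                   lifetime is 3600 seconds
.May 14 11:13:09.110 aest: %GDOI-5-GM_RECV_REKEY: Received Rekey for group TEST from 10.32.4.10 to 172.28.223.253 with seq # 2
.May 14 11:13:09.150 aest: GDOI:GM:(0:0:N/A:0):Unicast Rekey installed 23 new ipsec SA(s) for group TEST.
"""

# Patterns match the debug line shapes quoted in the post (assumed stable).
TEK_RE = re.compile(r"SA TEK spi is (0x[0-9A-Fa-f]+)\s*, current KD TEK spi is (0x[0-9A-Fa-f]+)")
LIFE_RE = re.compile(r"lifetime is (\d+) seconds")
RECV_RE = re.compile(r"GM_RECV_REKEY: Received Rekey for group (\S+) .* seq # (\d+)")
REREG_RE = re.compile(r"min_tek_life_time is (-?\d+)\. Re-register now")


def triage_rekeys(log_text):
    """Split GM debug output into rekey events; each TEK line opens a new event."""
    events, cur = [], None
    for line in log_text.splitlines():
        if m := TEK_RE.search(line):
            if cur:
                events.append(cur)
            cur = {"new_tek": m.group(1), "installed_tek": m.group(2), "flags": []}
            if m.group(1).lower() == m.group(2).lower():
                cur["flags"].append("delivered TEK SPI equals installed TEK SPI")
        elif cur and (m := LIFE_RE.search(line)):
            cur["lifetime"] = int(m.group(1))
        elif cur and (m := RECV_RE.search(line)):
            cur["group"], cur["seq"] = m.group(1), int(m.group(2))
        elif cur and (m := REREG_RE.search(line)):
            cur["min_tek_life_time"] = int(m.group(1))
            cur["flags"].append("GM fell back to re-registration")
    if cur:
        events.append(cur)
    return events


def failed_rekeys(events):
    """Return only the rekey events that raised at least one flag."""
    return [e for e in events if e["flags"]]
```

Running it over real "debug crypto gdoi" output lets you compare the flagged count with the "Rekeys sent" / "Rekey Acks Rcvd" counters on the KS, which only show that the ACKs arrived, not that the GM kept the rekeyed SAs.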
