GET VPN - Error on Key Server

ugot2nome
Level 1

Hi:
When I apply a GDOI Crypto map to an outgoing interface on the KEY SERVER, I see the following error:

*Sep  1 19:46:07.707: %SYS-3-MGDTIMER: Uninitialized timer, set_exptime, timer = 493007B8. -Process= "Exec", ipl= 0, pid= 202,  -Traceback= 0x43220180z 0x43E49EA0z 0x43D8A89Cz 0x43DAE5DCz 0x43D907BCz 0x419ACEC4z 0x419D2F4Cz 0x43215824z 0x43215808z

This causes the crypto isakmp phase I to come up. There is also a Phase II IPsec SA on the Group Member, and it is encapsulating traffic. However, on the Key Server, I don't see any Phase II IPsec SAs defined.

I have verified the same behavior on two different IOS routers acting as a Key Server.

2801>sh ver

Cisco IOS Software, 2801 Software (C2801-ADVSECURITYK9-M), Version 12.4(24)T4, RELEASE SOFTWARE (fc2)

2811>sh ver

Cisco IOS Software, 2800 Software (C2800NM-ADVIPSERVICESK9-M), Version 12.4(24)T4, RELEASE SOFTWARE (fc2)

I have generated the RSA key pairs, defined the mirrored ACL, static routes, isakmp, ipsec profile (including transform set), etc. correctly. The config for the GDOI group is as follows:

crypto gdoi group GDOI
 identity number 1
 server local
  rekey authentication mypubkey rsa GDOI
  rekey transport unicast
  ! WAN interface IP
  address ipv4 1.1.1.1
  sa ipsec 10
   match address ipv4 GDOI
   profile GDOI
!
crypto map GDOI 10 gdoi
 set group GDOI
!

This was working about a week ago and has just started happening. This is a non-production box. I am perplexed and looking for someone with answers. I didn't see any known issues on Cisco's Bug Toolkit.

Thanks,

Brian


5 Replies

yaplej
Level 1

Well, a KS cannot be a GM to itself, so you're configuring it incorrectly. You said that it was working, but I don't see how it could have been. A KS should be a stand-alone router doing nothing but acting as the KS for the GET GMs.

The configuration posted is for the Key Server only. I am NOT using the KS as the GM. The group member has its own GDOI configuration and is able to register to the KS. I was trying to convey the point that the same behavior is seen when I use a different model of ISR (2811 vs 2801).

Mohammed Hamzeh
Cisco Employee

Hi Brian

This looks like a software bug; you should contact TAC. I did a quick search on the traceback and nothing came out, so I'm thinking this is a new issue you're facing.

cheers

Thanks Mohammed. Since the routers have no Service Contract, what are the odds that Cisco will look at this? Will the needs of the one outweigh the needs of the few or the many?

ugot2nome
Level 1

Hi Yaplej: You are correct. I put some thought again into what I was doing and it dawned on me that I was indeed configuring the KS as a GM also, and thus the error. My intent was to just test the registration between the GM and the KS, and it worked as desired.
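To make the resolution concrete, here is an added example (not configuration posted by anyone in this thread) that keeps the two GDOI roles on separate routers: the Key Server carries only the group definition from the original post, and a Group Member carries the `crypto map ... gdoi` on its WAN interface. The GM address 2.2.2.2, the interface names, and the assumption that matching ISAKMP policy, the GDOI ACL and the IPsec profile are already configured on both sides are mine, not from the thread.

```cisco
! ---- Key Server (KS): group definition from the original post ----
! The KS only serves the group. No "crypto map ... gdoi" is applied
! to any KS interface, otherwise the KS tries to register as a GM to
! itself, which is the misconfiguration discussed in this thread.
crypto gdoi group GDOI
 identity number 1
 server local
  rekey authentication mypubkey rsa GDOI
  rekey transport unicast
  address ipv4 1.1.1.1
  sa ipsec 10
   match address ipv4 GDOI
   profile GDOI
!
! Interface name is an assumption for this example.
interface FastEthernet0/0
 ip address 1.1.1.1 255.255.255.0
!
! ---- Group Member (GM): constructed example, not from the thread ----
! The GM points at the KS address instead of using "server local",
! and is the only router that applies the GDOI crypto map.
! 2.2.2.2 and FastEthernet0/0 are assumed values.
crypto gdoi group GDOI
 identity number 1
 server address ipv4 1.1.1.1
!
crypto map GDOI 10 gdoi
 set group GDOI
!
interface FastEthernet0/0
 ip address 2.2.2.2 255.255.255.0
 crypto map GDOI
```

With this split, `show crypto gdoi` on the GM should list a registration with 1.1.1.1, while the KS shows the registered GM and no locally applied crypto map.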