GET VPN ISSUE

harvinder-s · ‎01-15-2011

HI ALL

I WOULD BE REALLY THANKFUL IF ANY ONE CAN SOLVE MY QUERRY

I HAVE CONFIGURED GET VPN USING COOP ...I HAVE 2 KEY SERVERS ONE PRIMARY AND ONE SECONDRY ...BOTH KEY SERVERS ARE WORKING PROPERLY

THE SECONDARY KEY SERVER HAS THE INFO ABOUT GM'S

MY QUESTION IS WHEN THE PRIMARY SERVER IS ACTIVE DO GMS FORM ISAKMP SA WITH SECONDARY KS

Lei Tian · ‎01-15-2011

Hi,

Yes. GM will form isakmp sa with the first configured server.

KS Redundancy on GM: More than one KS can be configured on a GM. From the group member perspective, the group member tries to register with the first key server listed in the configuration. If the first key server listed is not reachable, the group member then tries to reach the next key server listed in its configuration. The group member keeps trying this way until it can successfully register with one of the key servers. However, only the primary key server will send further rekeys to the entire network.

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/deployment_guide_c07_554713.html

HTH,

Lei Tian

harvinder-s · ‎01-15-2011

THANKS LEI

THATS WAT I WANTED TO CONFORM ... IN MY CONFIG THE GM FORMS ISAKMP WITH FIRST CONFIG KS...

THAT MEANS THE GM CAN HAVE ONLY ISAKMP SA WITH THE FIRST CONFIGURED KS...

CORRECT ME IF I AM WRONG

REGARDS

HARVINDER

Lei Tian · ‎01-15-2011

Hi Harvinder,

Yes, that is correct.

If you have

server address ipv4 primary_KS
server address ipv4 backup_KS

configured on all GMs, then they will use primary KS, and only use backup KS when the primary KS is failed.

Regards,

Lei Tian

harvinder-s · ‎01-15-2011

Thanks Lei

regards

Harvinder