GET VPN question: Key Server and latency consideration

news2010a
Level 3

Hi, imagine that for redundancy reasons, I want to set up a Key Server in California and another Key Server in Hong Kong.

Is there any latency issue to be aware of when deploying Key Servers far away from each other?

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/deployment_guide_c07_554713.html

1 Accepted Solution

Accepted Solutions

Collin Clark
VIP Alumni

I don't think so. The 2 key servers have a secure tunnel between each other, so if there is a problem you should see it with that tunnel. The key servers don't provide any latency-sensitive information that I have seen.


2 Replies 2

Hi,

Minor correction here: with GETVPN, the pseudo-time passed between the Key Servers is time sensitive, since it doesn't use a wall clock (e.g., NTP) as a time reference. The pseudo-time will be exchanged during the KS election, and will later be used for both data and control plane time-based anti-replay. For the most part, the inaccuracy in pseudo-time due to latency is negligible (1 sec is a loooong time in networking), so you shouldn't have to worry about it with any reasonable anti-replay threshold configured.

Thanks,

Wen
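
The interaction between pseudo-time skew and the anti-replay threshold discussed in this thread, as an added example that is not part of the original posts and is not Cisco code. It is a simplified model: the acceptance rule, the member names, the 150 ms latency figures and the window sizes are all assumptions constructed for illustration.

```python
"""Simplified model of time-based anti-replay with skewed pseudo-time.

Assumptions (not from the thread): a receiver accepts a packet when the
sender's stamped pseudo-time is within +/- window of its own pseudo-time,
and a member synced via the remote key server lags by the one-way latency.
All times are integer milliseconds; every value below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Member:
    name: str
    skew_ms: int  # how far this member's pseudo-time lags the reference

    def pseudo_time(self, true_ms: int) -> int:
        return true_ms - self.skew_ms


def accepts(receiver: Member, stamp_ms: int, arrival_ms: int, window_ms: int) -> bool:
    """Anti-replay check: is the stamp inside the receiver's window?"""
    return abs(receiver.pseudo_time(arrival_ms) - stamp_ms) <= window_ms


def min_window_ms(a: Member, b: Member, path_delay_ms: int) -> int:
    """Smallest window that accepts fresh packets in both directions."""
    return path_delay_ms + abs(a.skew_ms - b.skew_ms)


def scenario(window_ms: int) -> dict:
    ca = Member("gm-california", skew_ms=0)   # hypothetical member, local KS
    hk = Member("gm-hongkong", skew_ms=150)   # assumed 150 ms KS-to-KS latency
    path_delay_ms = 150                       # assumed one-way data-path delay
    sent = 1_000_000
    stamp = hk.pseudo_time(sent)              # Hong Kong member stamps the packet
    arrival = sent + path_delay_ms
    return {
        "fresh": accepts(ca, stamp, arrival, window_ms),
        "replayed_10s_later": accepts(ca, stamp, arrival + 10_000, window_ms),
        "min_window_ms": min_window_ms(ca, hk, path_delay_ms),
    }


if __name__ == "__main__":
    for window in (5_000, 200):  # seconds-scale window vs. an overly tight one
        print(window, scenario(window))
```

In this model a seconds-scale window absorbs the skew and still rejects the replay, while a window tighter than skew plus path delay starts dropping fresh traffic in one direction.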