cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
849
Views
5
Helpful
4
Replies
Highlighted
Beginner

GETVPN - Change KS in the GM

I have two KS in the GETVPN topology. I just noticed some GM registered with the secondary KS.


Can I change them from backup KS to primary without network disconnection?
Do I only have to change the configuration in the GM or I have to change the configuration for the GM and KS?

 

Thanks, much appreciated !!

 

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
Cisco Employee

Hi,

 

Few GM's registering to secondary can only happen when either primary KS is not reachable or on the specific GM, which KS is configured first.

 

So first verify what was the reason for GM registering to secondary KS ? 

 

Changing from backup KS to primary KS, will cause a network disruption specific to that GM, as it will re-register itself.

The configuration change is only needed on GM, where you change the order of KS.

 

Let me know if you have any further query.

 

Regards,

Pulkit

View solution in original post

4 REPLIES 4
Highlighted
Cisco Employee

Hi,

 

Few GM's registering to secondary can only happen when either primary KS is not reachable or on the specific GM, which KS is configured first.

 

So first verify what was the reason for GM registering to secondary KS ? 

 

Changing from backup KS to primary KS, will cause a network disruption specific to that GM, as it will re-register itself.

The configuration change is only needed on GM, where you change the order of KS.

 

Let me know if you have any further query.

 

Regards,

Pulkit

View solution in original post

Highlighted

Thanks to clarify this as I have a similar sceanrio.

A GETVPN Deployment where I need to re register multiple GMs(Not all of them ) to a secondary KS instead of the primary KS.

I have changed the order of Key servers on the GM configuration ,  to force re registration , can I use clear crypto GDOI on that GM ? Will this affect only this GM traffic?

I have noticed this warning when issuing the command on the GM side ,that's why I'm confused about it :

 

GM2#clear crypto gdoi
% The Key Server and Group Member will destroy created and downloaded policies.
% All Group Members are required to re-register.

Are you sure you want to proceed ? [yes/no]

 

Does this command really affects other GMs ? I'm using it on a specific GM not on the KS.

Thanks in advance.

Highlighted

Hello,

This is the command I ran in the GM:

clear crypto gdoi group "Your froup name"

Thanks,
Highlighted

You can definitely use "clear crypto gdoi" on the GM and it will only affect that GM.
In case you have multiple groups configured on the GM, you can even run " clear crypto gdoi group <name> ".
Here is the command reference for this command :
https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/security/a1/sec-a1-cr-book/sec-cr-c1.html#wp3348633505

Regards,
Pulkit Saxena