07-08-2013 03:39 AM - edited 02-21-2020 07:00 PM
Hello Cisco Support Community Teams,
I am planning to implement GETVPN for my client. I have several issues regarding the GETVPN failover behavior.
I have tested the configuration on GNS3 using a C3725 router, and also tested it on a real C2800 Series router, and the resulting behavior is the same.
1. I have 2 KS in the topology; is the GM only registered with one KS?
2. When the primary KS goes down, the GM doesn't change to the secondary KS, so I need to clear crypto gdoi on the GM. Is there any configuration needed to make the GM automatically change to the other active KS?
3. I checked on the GM that I get encap and decrypt, but never get the decaps and decrypt?
Please find the attachment for the topology and configuration example.
Thank you and have a nice day.
Sincerely Yours
Rudyanto
07-08-2013 04:40 AM
Have a look at the DIG; it will answer most of your questions.
Section 1.2.7
1) Yes.
2) Check the DIG, there should not be a need to register straight away, "secondary KS" should become new primary.
3) Are you saying it's not receiving encrypted traffic or that it does not increment the counter? I would not trust GNS3 too much. If the problem is the same on 15.1(4)M on the 2800, check it with the folks in TAC.
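To make the answer to points 1 and 2 concrete, here is an added configuration example (not from the thread, and not taken from the DIG) of two cooperative (COOP) key servers plus a GM that lists both. The GM registers with the first KS in its list that answers; if the primary KS fails, the secondary is elected primary and keeps distributing rekeys, so the GM normally does not need a manual "clear crypto gdoi". The group name, identity number, key and profile names, and the 192.0.2.x / 198.51.100.x addresses are constructed placeholders; the ISAKMP policy, IPsec transform set and RSA key generation are omitted.

```cisco
! Added example (not the poster's configuration). Requires the same rekey
! RSA key pair on both KSs and the same GETVPN-PROFILE / GETVPN-POLICY-ACL.
!
! --- Primary KS: higher local priority wins the COOP election ---
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server local
  rekey authentication mypubkey rsa GETVPN-REKEY-KEY
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-PROFILE
   match address ipv4 GETVPN-POLICY-ACL
   replay time window-size 5
  address ipv4 192.0.2.1
  redundancy
   local priority 100
   peer address ipv4 192.0.2.2
!
! --- Secondary KS: same group, lower priority, peer points back ---
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server local
  rekey authentication mypubkey rsa GETVPN-REKEY-KEY
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-PROFILE
   match address ipv4 GETVPN-POLICY-ACL
   replay time window-size 5
  address ipv4 192.0.2.2
  redundancy
   local priority 75
   peer address ipv4 192.0.2.1
!
! --- GM: lists both KSs; registers with the first one that responds ---
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server address ipv4 192.0.2.1
 server address ipv4 192.0.2.2
!
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN-GROUP
!
interface GigabitEthernet0/0
 description WAN-facing crypto interface (constructed address)
 ip address 198.51.100.10 255.255.255.0
 crypto map GETVPN-MAP
```

On the key servers, "show crypto gdoi ks coop" shows which KS is primary and whether the peer is reachable; on the GM, "show crypto gdoi" shows which KS it registered with and the remaining KEK/TEK lifetimes. After a primary failure the GM keeps its current keys and receives the next rekey from the newly elected primary; it only re-registers if a rekey is missed before the SA expires, so "clear crypto gdoi" is a forced re-registration rather than the normal failover path.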
07-08-2013 05:02 AM
Hi Marcin,
Thank you for your answers.
On point 3, I got this from show crypto ipsec:
remote ident (addr/mask/prot/port): (20.20.20.0/255.255.255.0/0/0)
current_peer port 848
PERMIT, flags={origin_is_acl,}
#pkts encaps: 4, #pkts encrypt: 3, #pkts digest: 0
#pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
I cannot see the decaps and decrypt counting on the IPsec; I also suspect a limitation of GNS3. I will try later on the real network.
And a last question:
For best practice, do I need to configure a specific traffic access-list for the data? In my configuration, I am using permit ip any any.
ip access-list extended GETVPN-POLICY-ACL
{some access-list configuration remove}
permit ip any any
For example, I have traffic from the branch data IP 10.10.10.0/24 to the datacenter 20.20.20.0/24:
ip access-list extended GETVPN-POLICY-ACL
{some access-list configuration, and change the any any to specific}
permit ip 10.10.10.0 0.0.0.255 20.20.20.0 0.0.0.255
permit ip 20.20.20.0 0.0.0.255 10.10.10.0 0.0.0.255
Thank you
07-08-2013 05:18 AM
An aggregate policy, i.e. as short as possible, is the best one. For most setups, permit ip any any.
From the DIG, section 1.2.3:
Asymmetric policies lead to a geometric expansion in the number of ACL entries. An aggregate policy that serves the most GMs is ideal. The most complete aggregate policy is permit ip any any. This policy encrypts all traffic leaving the GM crypto interface. Therefore, exceptions must be made (that is, deny entries) to exclude encryption of control plane traffic and management plane necessary to bootstrap the GM.
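As an added example of the aggregate policy the DIG passage describes (this is not the poster's ACL or a DIG sample), here is a policy ACL that keeps the "permit ip any any" aggregate and places the bootstrap exceptions in front of it. In a GETVPN policy ACL a "deny" entry means "send in the clear", not "drop", so every deny is a deliberate gap in encryption and the list should stay as short as the bootstrap actually requires. The 10.10.10.0/24 and 20.20.20.0/24 networks are the ones from the thread; the set of excluded protocols (GDOI on UDP 848, the routing protocols, SSH, NTP and SNMP) is an assumption about what this site needs before the GM has registered.

```cisco
! Added example, not from the thread. Configured on the KS and pushed to GMs;
! "deny" = bypass encryption, "permit" = encrypt. Order matters: exceptions
! must precede the aggregate permit.
ip access-list extended GETVPN-POLICY-ACL
 remark GDOI registration and rekey between GMs and KSs (UDP 848) must stay clear
 deny   udp any eq 848 any eq 848
 remark routing control plane: EIGRP/OSPF are IP protocols, BGP is TCP 179
 deny   eigrp any any
 deny   ospf any any
 deny   tcp any any eq bgp
 deny   tcp any eq bgp any
 remark management plane needed to bootstrap and manage the GM
 deny   tcp any any eq 22
 deny   tcp any eq 22 any
 deny   udp any any eq ntp
 deny   udp any eq ntp any
 deny   udp any any eq snmp
 deny   udp any eq snmp any
 deny   udp any any eq snmptrap
 remark everything else, including 10.10.10.0/24 <-> 20.20.20.0/24, is encrypted
 permit ip any any
```

With this single symmetric list there is no need for the per-site pair of entries (10.10.10.0/24 to 20.20.20.0/24 and back) that a specific policy would require at every GM, which is exactly the "geometric expansion" the DIG warns about. After pushing it, "show crypto gdoi gm acl" on a GM shows the downloaded policy, and the encaps/decaps counters in "show crypto ipsec sa" should now increment only for traffic that falls through to the permit line.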
07-08-2013 05:51 AM
Hello Marcin,
Thank you very much for your help and explanation. I really appreciate it
Sincerely Yours,
Rudyanto