Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1015
Views
0
Helpful
1
Replies

GETVPN - COOP KS Issue

kelvindam
Level 1
Level 1

‎01-04-2010 05:31 AM - edited ‎02-21-2020 04:26 PM

Hi all,

Im trying a GETVPN/DMVPN setup with two KeyServers and two DMVPN Hubs.

(And a few spokes for testing).

Having the setup all up and running it works fine. The two GET-Keyservers are configured as per. Cisco guide,

and they are setup with a primary KS and a coop secondary.

The problem is, that when I power of Keyserver 1 (primary) to test an power outage, Keyserver 2 takes on the role

as the new key-server, but new spokes that are booted up, seems to be getting wrong IPSEC IDs.

I get this error on all routers that starts participating as GMs :

%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<ip of spoke>, prot=50, spi=0x889642C4(2291548868), srcaddr=<IP of hub>

So it looks like the SPI is different from routers having been members of Keyserver1, and for routers that are members of Keyserver2.

I have checked the two Keyserver routers when they are both up and alive, and all seems to be ok.

Software is 12.4(11)T

Any ideas?

/KD

Labels:
0 Helpful
1 Reply 1

kelvindam
Level 1
Level 1

‎01-05-2010 10:03 AM

Problem solved.

I upgraded my routers to 12.4(24)T2 and that solved the issue by making all SPI's identical.

/KD

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents