Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1010
Views
0
Helpful
1
Replies

GETVPN Issue

sherrikhan
Level 1
Level 1

‎07-21-2011 02:32 AM - edited ‎02-21-2020 05:27 PM

Guys we have two KS one in primary data centre and second in DR  datacentre.......I have checked the KS COOP as well and it looks  perfect.....i havent done any priority but still the DR shows secondart  probably when i was doing in GM and KS (secondary) it takes top to  bottom approach....i have few question as under

when i do

sh crypto isakmp sa on GM

  1. It only shows me primary KS (it it normal or i am suppose to see both primary and secondary KS)
  2. Secondly  when i turned the primart KS off (to see failover) i was still able to  see th eprimary when i was doing sh crypto isakmp sa and

         sh crypto gdoi (was still showing me registred with primary (although  the server was down and i could even ping it from GM)

it was showing me

Group Name               : GDOI-GROUP1

    Group Identity           : 3552

    Rekeys received          : 1

    IPSec SA Direction       : Both

     Group Server list       : 172.1.33.22

                                      172.1.34.22

    Group member             : 172.1.34.22   vrf: None

       Registration status   : Registered

       Registered with       : 172.1.33.22

       Re-registers in       : 1266 sec

       Succeeded registration: 1

       Attempted registration: 1

       Last rekey from       : 172.1.33.22

       Last rekey seq num    : 24

       Unicast rekey received: 1

       Rekey ACKs sent       : 1

       Rekey Rcvd(hh:mm:ss)  : 00:19:34

    Rekeys cumulative

       Total received        : 1

       After latest register : 1

       Rekey Acks sents      : 1

ACL Downloaded From KS 172.1.33.22

it  says that re register will be in 1266 sec which is abt 20 min....shd i  wait till 20 min or it shd fail automatically and show the  secondary....i m very much confused.........secondly what is priority used for ??

Labels:
0 Helpful
1 Reply 1

wzhang
Cisco Employee
Cisco Employee

‎07-21-2011 04:14 PM

Hi,

1. This is expected. The GM will only attempt to register with the secondary KS if the primary KS is not available.

2. This is also expected. The GM won't detect the primary KS failure until the next re-registration attempt. When that attempt fails (at least 40 seconds after the start of the attempt), it will then try to register with the secondary KS.

3. The priority under the redundancy configuration is used to help with COOP election, the KS with the highest priority will become the primary after election. If you don't have priority configured, then we use other things such as ip address as tie breakers.

Hope this helps.

Thanks,

Wen

0 Helpful
Customers Also Viewed These Support Documents