GetVPN KS Theory

bradleyordner
Level 3

Hi,

Quick question to check my theory....

I have two KS's. I will be taking Secondary down for a few hours and I believe even though it has GM's registered, these hosts will not even notice Secondary down as the Primary sends re-key. Now if the GM fails to rekey....and tries to re-register with Secondary....during outage...it will just move to Primary...(as configured) correct?

Also.....does anyone know why re-key seq numbers don't always go in order -

Sep 28 12:45:54.086: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group XXXXX from address 192.168.220.4 with seq # 18

Sep 28 14:32:19.259: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group XXXXX from address 192.168.220.4 with seq # 19

Sep 28 16:18:44.420: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group XXXXX from address 192.168.220.4 with seq # 20

Sep 28 18:05:09.586: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group XXXXX from address 192.168.220.4 with seq # 21

Sep 28 19:51:34.750: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group XXXXX from address 192.168.220.4 with seq # 23

Sep 28 21:37:59.915: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group XXXXX from address 192.168.220.4 with seq # 24

Sep 28 23:24:25.080: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group XXXXX from address 192.168.220.4 with seq # 25

Sep 29 01:08:15.173: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group XXXXX from address 192.168.220.4 with seq # 1

Sep 29 01:10:50.245: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group XXXXX from address 192.168.220.4 with seq # 3

What happened to #22 & #3?

Thanks a bunch Milton...

Brad

3 Replies

Marcin Latosiewicz
Cisco Employee

Brad,

Now don't take my word on it; feel free to research more, as I'm a bit hazy on the details for GET. Here's what I recall.

You do not have to worry about which device is sending the new TEK key, because they should share the same KEK among each other in KS COOP. So even if the primary disappears, the secondary will be able to send the rekey.

My advice is to remove the primary once you receive ALL the ACKs for particular rekey so that secondary can take over with "clean" state.

Regarding sequences not being linear, I would check if some GMs have not missed ACKs.

show crypto gdoi ks member

Should contain this info.

Sequences reset back to zero on KEK rekey.

Out of curiosity, what code are you on (GMs and KSes)?

Marcin
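As an added illustration (not code from either poster), the following script walks the KS_SEND_UNICAST_REKEY syslog lines Brad quoted and separates the two things Marcin's reply distinguishes: a counter restart (which he attributes to a KEK rekey) and a genuine gap such as 21 to 23, which is the case worth checking against the GMs' ACK state. The log lines are constructed from the thread with a placeholder group name, and the classification of a restart is an assumption based only on Marcin's explanation, not on Cisco documentation.

```python
import re

# Constructed sample modelled on the %GDOI-5-KS_SEND_UNICAST_REKEY lines in the
# thread; GROUP_X stands in for the redacted group name.
SAMPLE_LOG = """\
Sep 28 18:05:09.586: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group GROUP_X from address 192.168.220.4 with seq # 21
Sep 28 19:51:34.750: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group GROUP_X from address 192.168.220.4 with seq # 23
Sep 28 21:37:59.915: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group GROUP_X from address 192.168.220.4 with seq # 24
Sep 29 01:08:15.173: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group GROUP_X from address 192.168.220.4 with seq # 1
Sep 29 01:10:50.245: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group GROUP_X from address 192.168.220.4 with seq # 3
"""

REKEY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:.]+): %GDOI-5-KS_SEND_UNICAST_REKEY: "
    r"Sending Unicast Rekey for group (?P<group>\S+) from address (?P<ks>\S+) "
    r"with seq # (?P<seq>\d+)$"
)


def parse_rekeys(text):
    """Yield (timestamp, group, ks_address, seq) for each rekey line; skip the rest."""
    for line in text.splitlines():
        m = REKEY_RE.match(line.strip())
        if m:
            yield m["ts"], m["group"], m["ks"], int(m["seq"])


def find_rekey_anomalies(text):
    """Track the rekey counter per (group, KS address) and classify each step.

    Returns (kind, detail) tuples:
      'reset' : counter went backwards (per Marcin, expected on a KEK rekey)
      'gap'   : counter skipped values -> check ACKs with 'show crypto gdoi ks member'
    """
    last = {}
    events = []
    for ts, group, ks, seq in parse_rekeys(text):
        key = (group, ks)
        prev = last.get(key)
        if prev is not None:
            if seq < prev:
                events.append(("reset", f"{ts} {group}: counter restarted at {seq} after {prev}"))
            elif seq - prev > 1:
                missing = list(range(prev + 1, seq))
                events.append(("gap", f"{ts} {group}: missing seq {missing}"))
        last[key] = seq
    return events


if __name__ == "__main__":
    for kind, detail in find_rekey_anomalies(SAMPLE_LOG):
        print(f"{kind:5} {detail}")
```

On the sample it reports a gap for #22, a reset at #1, and a second gap for #2 after the restart, so only the two gaps need an ACK check.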

Hi Marcin,

I am actually only taking down the Secondary so the Primary will remain up. I was just worried about anyone registered to the Secondary.

Code for GM's -

Sorry -

GM's -

c2800nm-adventerprisek9-mz.124-24.T.bin

c3845-adventerprisek9-mz.124-24.T.bin

c7301-advsecurityk9-mz.124-24.T.bin

KS's -

c3845-adventerprisek9-mz.124-15.T7.bin