09-28-2011 06:56 PM - edited 02-21-2020 05:37 PM
Hi,
Quick question to check my theory....
I have two KSs. I will be taking the Secondary down for a few hours, and I believe that even though it has GMs registered, these hosts will not even notice the Secondary is down, as the Primary sends the re-key. Now if a GM fails to rekey... and tries to re-register with the Secondary... during the outage... it will just move to the Primary... (as configured), correct?
Also... does anyone know why re-key seq numbers don't always go in order -
Sep 28 12:45:54.086: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group XXXXX from address 192.168.220.4 with seq # 18
Sep 28 14:32:19.259: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group XXXXX from address 192.168.220.4 with seq # 19
Sep 28 16:18:44.420: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group XXXXX from address 192.168.220.4 with seq # 20
Sep 28 18:05:09.586: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group XXXXX from address 192.168.220.4 with seq # 21
Sep 28 19:51:34.750: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group XXXXX from address 192.168.220.4 with seq # 23
Sep 28 21:37:59.915: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group XXXXX from address 192.168.220.4 with seq # 24
Sep 28 23:24:25.080: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group XXXXX from address 192.168.220.4 with seq # 25
Sep 29 01:08:15.173: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group XXXXX from address 192.168.220.4 with seq # 1
Sep 29 01:10:50.245: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group XXXXX from address 192.168.220.4 with seq # 3
What happened to #22 & #3?
Thanks a bunch Milton...
Brad
09-30-2011 08:46 AM
Brad,
Now don't take my word on it; feel free to research more, as I'm a bit hazy on the details for GET. Here's what I recall.
You do not have to worry about which device is sending the new TEK key, because they should share the same KEK among each other in KS COOP. So even if the primary disappears, the secondary will be able to send the rekey.
My advice is to remove the primary once you receive ALL the ACKs for a particular rekey, so that the secondary can take over with a "clean" state.
Regarding sequences not being linear, I would check whether some GMs have missed ACKs.
show crypto gdoi ks member
Should contain this info.
Sequences reset back to zero on KEK rekey.
Out of curiosity, what code are you on (GMs and KSes)?
Marcin
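As an added example (not from this thread and not Cisco's code), here is a small Python script that parses the %GDOI-5-KS_SEND_UNICAST_REKEY lines Brad posted and separates the two situations Marcin's reply distinguishes: a counter that restarts (expected after a KEK rekey) and a real gap in the sequence (the case worth cross-checking against missed ACKs in `show crypto gdoi ks member`). The sample input is the log text from the thread; the field names, the per-(group, address) tracking and the gap/reset classification are my assumptions, not part of the original posts.

```python
import re

# Constructed sample: the KS syslog lines quoted in the thread, verbatim.
SAMPLE_LOG = """\
Sep 28 12:45:54.086: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group XXXXX from address 192.168.220.4 with seq # 18
Sep 28 14:32:19.259: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group XXXXX from address 192.168.220.4 with seq # 19
Sep 28 16:18:44.420: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group XXXXX from address 192.168.220.4 with seq # 20
Sep 28 18:05:09.586: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group XXXXX from address 192.168.220.4 with seq # 21
Sep 28 19:51:34.750: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group XXXXX from address 192.168.220.4 with seq # 23
Sep 28 21:37:59.915: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group XXXXX from address 192.168.220.4 with seq # 24
Sep 28 23:24:25.080: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group XXXXX from address 192.168.220.4 with seq # 25
Sep 29 01:08:15.173: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group XXXXX from address 192.168.220.4 with seq # 1
Sep 29 01:10:50.245: %GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group XXXXX from address 192.168.220.4 with seq # 3
"""

# Shape of the rekey message as it appears in the thread (assumed stable here).
REKEY_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}\.\d{3}): "
    r"%GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey for group "
    r"(?P<group>\S+) from address (?P<addr>[0-9.]+) with seq # (?P<seq>\d+)$"
)


def parse_rekey_events(lines):
    """Extract (timestamp, group, KS address, seq) from matching syslog lines.

    Lines that are not unicast-rekey messages are ignored.
    """
    events = []
    for line in lines:
        m = REKEY_RE.match(line.strip())
        if m:
            events.append({"ts": m["ts"], "group": m["group"],
                           "addr": m["addr"], "seq": int(m["seq"])})
    return events


def find_seq_anomalies(events):
    """Track the rekey counter per (group, KS address) and classify breaks.

    'reset': the counter went backwards. Per Marcin's reply this is the
             expected outcome of a KEK rekey, so it is informational.
    'gap':   the counter skipped one or more values. This is the case to
             investigate (e.g. GMs that missed ACKs).
    """
    anomalies = []
    last_seen = {}
    for ev in events:
        key = (ev["group"], ev["addr"])
        prev = last_seen.get(key)
        cur = ev["seq"]
        if prev is not None:
            if cur <= prev:
                anomalies.append({"kind": "reset", "prev": prev,
                                  "seq": cur, "ts": ev["ts"]})
            elif cur != prev + 1:
                anomalies.append({"kind": "gap", "prev": prev, "seq": cur,
                                  "missing": list(range(prev + 1, cur)),
                                  "ts": ev["ts"]})
        last_seen[key] = cur
    return anomalies


if __name__ == "__main__":
    for a in find_seq_anomalies(parse_rekey_events(SAMPLE_LOG.splitlines())):
        if a["kind"] == "gap":
            print(f'{a["ts"]}: GAP {a["prev"]} -> {a["seq"]}, missing {a["missing"]}')
        else:
            print(f'{a["ts"]}: RESET {a["prev"]} -> {a["seq"]} (KEK rekey?)')
```

Run against the thread's lines it reports one gap (22 missing between 21 and 23), one reset (25 back to 1, where the KEK rekey would be), and a second gap (2 missing between 1 and 3); only the gaps need to be matched against the ACK state on the KS.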
10-02-2011 04:41 PM
Hi Marcin,
I am actually only taking down the Secondary so the Primary will remain up. I was just worried about anyone registered to the Secondary.
Code for GM's -
10-02-2011 04:46 PM
Sorry -
GM's -
c2800nm-adventerprisek9-mz.124-24.T.bin
c3845-adventerprisek9-mz.124-24.T.bin
c7301-advsecurityk9-mz.124-24.T.bin
KS's -
c3845-adventerprisek9-mz.124-15.T7.bin