05-18-2010 12:29 PM - edited 02-21-2020 04:39 PM
Doing some testing before live implementation, have a small GETVPN lab network, single KS, 5 GMs, all at 12.4(15)T10. All encryption, routing, etc. is working fine except for something odd that I noticed.
From Key server:
C2851_Key_Srvr#sh cry gd ks me
Group Member Information :
Number of rekeys sent for group GETVPN : 170
Group Member ID : 172.16.1.1
Group ID : 1234
Group Name : GETVPN
Key Server ID : 172.16.0.1
Rekeys sent : 170
Rekeys retries : 0
Rekey Acks Rcvd : 170
Rekey Acks missed : 0
Sent seq num : 2 1 0 0
Rcvd seq num : 2 1 0 0
......
......
From Group Member:
*May 17 09:34:43.574: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroupfrom 172.16.0.1 to 172.16.4.1 with seq # 1
*May 17 09:55:33.701: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroupfrom 172.16.0.1 to 172.16.4.1 with seq # 2
*May 17 11:20:39.221: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroupfrom 172.16.0.1 to 172.16.4.1 with seq # 1
*May 17 11:55:34.433: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroupfrom 172.16.0.1 to 172.16.4.1 with seq # 2
*May 17 13:06:34.865: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroupfrom 172.16.0.1 to 172.16.4.1 with seq # 1
*May 17 13:55:35.164: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroupfrom 172.16.0.1 to 172.16.4.1 with seq # 2
.... the sent & rcvd sequence numbers never go higher than 2. In fact, they repeat the pattern: 1,2,1,2,1,2.....forever.
This is odd behavior as the Design & Implementation Guide, section: 5.3.3.2 states:
.......
.......
If all GMs in the GET VPN group reply back to a unicast rekey, rekey syslog messages are displayed with consecutive incrementing sequence numbers. <<<<<<<<<<<<<<< !!!!!!
.......
.......
If syslog does not show the rekey sequence numbers incrementing properly (last sequence number + 1), this indicates that the primary KS is sending out some rekey retransmissions because ACKs from some GMs are not being received.
This implies, seq #s should increase 1,2,3,4,5........
Can anyone shed any light on this issue? Is it a real problem or no?
Much appreciated!!
DJS
05-25-2010 03:15 PM
In the "sh cry gd ks me" output you sent, it looks like the KS sent 170 rekey messages and received all 170 rekey ACKs. Based on this, nothing looks awry. You could be seeing the repetition because a KEK rekey resets the sequence number to 1. A KEK rekey is when a new KEK is generated and possibly new TEKs depending on their lifetime. All consecutive TEK rekeys increment from there. Examine your lifetimes for KEK and TEK, but based on the syslog timestamps I'm guessing this is probably what the explanation is.
Just to be on the safe side, I would keep an eye on your GMs in your test environment and monitor to see if one or more are trying to re-register when the IPSec SAs are about to expire (about 60 seconds before), as this would indicate a problem with not receiving the rekeys.
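A check for the sequence pattern discussed above, as an added example in Python (not code from this thread or from Cisco): it parses GM_RECV_REKEY syslog lines in the format shown in the question and labels each rekey using the rule from the answer (a reset to 1 is a KEK rekey, last + 1 is a normal TEK rekey) and the guide excerpt (a repeated or skipped number points at retransmissions or missed rekeys). The sample log is constructed; the first four lines reproduce the thread's 1,2,1,2 pattern and the rest are made up to show the failure cases.

```python
import re

# Constructed GM syslog sample: lines 1-4 mirror the 1,2,1,2 pattern from the
# thread (same group, KS and GM addresses); lines 5-7 are made up to show a
# retransmission (seq repeated) and a gap (seq skipped).
SAMPLE_LOG = """\
*May 17 09:34:43.574: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroupfrom 172.16.0.1 to 172.16.4.1 with seq # 1
*May 17 09:55:33.701: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroupfrom 172.16.0.1 to 172.16.4.1 with seq # 2
*May 17 11:20:39.221: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroupfrom 172.16.0.1 to 172.16.4.1 with seq # 1
*May 17 11:55:34.433: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroupfrom 172.16.0.1 to 172.16.4.1 with seq # 2
*May 17 13:55:35.164: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroupfrom 172.16.0.1 to 172.16.4.1 with seq # 3
*May 17 13:55:45.309: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroupfrom 172.16.0.1 to 172.16.4.1 with seq # 3
*May 17 15:55:36.118: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroupfrom 172.16.0.1 to 172.16.4.1 with seq # 5
"""

# The group name is fused with "from" in the thread's output, so the space is optional.
REKEY_RE = re.compile(
    r"%GDOI-5-GM_RECV_REKEY: Received Rekey for group (?P<group>\S+?) ?from "
    r"(?P<ks>[\d.]+) to (?P<gm>[\d.]+) with seq # (?P<seq>\d+)"
)

def parse_seqs(log):
    """Sequence numbers of GM_RECV_REKEY messages, in log order."""
    return [int(m.group("seq")) for m in map(REKEY_RE.search, log.splitlines()) if m]

def classify(seqs):
    """Label each rekey relative to the previous one."""
    out, prev = [], None
    for seq in seqs:
        if prev is None:
            verdict = "start"
        elif seq == prev + 1:
            verdict = "ok"          # TEK rekey: last sequence number + 1
        elif seq == prev:
            verdict = "retransmit"  # same seq again: KS retransmitting, an ACK was missed
        elif seq == 1:
            verdict = "reset"       # KEK rekey resets the counter to 1 (expected)
        else:
            verdict = "gap"         # jumped ahead: this GM missed a rekey
        out.append((seq, verdict))
        prev = seq
    return out

def summarize(log):
    """Count verdicts; any 'retransmit' or 'gap' is the condition the guide warns about."""
    counts = {"start": 0, "ok": 0, "reset": 0, "retransmit": 0, "gap": 0}
    for _, verdict in classify(parse_seqs(log)):
        counts[verdict] += 1
    return counts
```

Run `summarize()` over a GM's logging buffer after adjusting the TEK and KEK lifetimes: a healthy GM shows only `ok` and occasional `reset`.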
05-25-2010 04:11 PM
P.S. If I have answered your question please mark the post as resolved and rate the responses. This helps us more easily identify which questions remain unanswered and let us know how we are doing. Thanks in advance!
05-26-2010 07:42 AM
Thanks for the suggestion........will review the timer values, change them & see how they impact the sequence numbers.
05-27-2010 10:36 AM
That was exactly the issue..........lifetimes for TEK & KEK were the same, they should not be........I changed tek=7200, kek=86400..........sequence numbers are incrementing as they should be!!! Thanks again for your help!!!
05-27-2010 10:42 AM
If I have answered your question please mark the post as resolved and rate the responses. This helps us more easily identify which questions remain unanswered and let us know how we are doing. Thanks in advance!
05-28-2010 10:48 AM
Could I see a copy of your configurations? I want to jump into GetVPN and nothing will help my understanding more than working configurations, thanks.
05-28-2010 01:49 PM
05-28-2010 01:53 PM
Thanks much. Sorry the rating should have been five, I clicked too early.