Hello, I'm working on a GetVPN migration plan. Currently there is a fully functional GDOI cloud, and two new-generation ISR4321/K9 key servers that will take over in the near future. A handful of branches have been configured to register with both pairs of key servers, and all of them successfully fetch both sets of policies. The thing is, policy changes to the new key servers won't take effect until the next rekey from the branches. And if I attempt to force one, I get "%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from <Primary KS IPv4> failed its sanity check or is malformed" at the branches. Newer IOS releases introduced a couple of twists to the policy push, and I believe I have tried them all: exiting to privileged mode (#), issuing 'crypto gdoi ks rekey' and 'crypto gdoi ks rekey replace-now', just to name a few.
Key_Server#crypto gdoi ks rekey replace-now
WARNING for group getvpn-V2: some devices may not support policy-replace and can cause network disruption.
Please check 'show crypto gdoi feature' for compatibility or use 'crypto gdoi ks rekey' to send a compatible rekey message.
Are you sure you want to proceed with 'crypto gdoi ks rekey replace-now' ? [yes/no]: yes
% There has not been a GDOI policy change for group getvpn-V2, a rekey is not needed
Are you sure you want to proceed? [yes/no]: yes
%GDOI-5-KS_SEND_UNICAST_REKEY: Sending Unicast Rekey with policy-replace now for group getvpn-V2 from address <Primary KS IPv4> with seq # 2 spi: 0x8F797D493D13DB51A3A13A1023DD991F
Cisco IOS XE Software, Version 03.16.05.S - Extended Support Release
Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(3)S5, RELEASE SOFTWARE (fc2)
Branch#
%CRYPTO-4-IKMP_BAD_MESSAGE: IKE message from <Primary KS IPv4> failed its sanity check or is malformed
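Added example, not part of the original post: the compatibility check that the WARNING above points at, together with the matching state to collect on a branch, so the two sides of the rekey can be compared before another forced push. It assumes the group name getvpn-V2 from the post; the command names are IOS/IOS-XE GETVPN CLI from memory and should be confirmed with '?' on the box, and lines beginning with '!' are annotations, not commands.

```cisco
! ---- New key server (ISR4321), privileged EXEC ----
! Per-GM view of which members advertise policy-replace support; a GM
! that does not support it cannot be expected to accept 'rekey replace-now'.
show crypto gdoi feature policy-replace
! Overall feature negotiation summary for the group.
show crypto gdoi feature
! Rekey transport, sequence numbers and the rekey authentication key in use.
show crypto gdoi ks rekey
! Registered GMs and the KS each one registered with.
show crypto gdoi ks members
! Fallback offered by the WARNING itself: a compatible (non-replace) rekey.
crypto gdoi ks rekey

! ---- Branch GM, privileged EXEC ----
! Registration state per group and which KS the policy came from.
show crypto gdoi gm
show crypto gdoi group getvpn-V2
! Rekey counters received/accepted and the rekey key the GM is validating with.
show crypto gdoi gm rekey
show crypto gdoi gm pubkey
! Enable only while the next rekey is sent, then turn off again.
debug crypto gdoi gm rekey
debug crypto isakmp error
! ... trigger the rekey from the KS, capture the output ...
undebug all
```

The point of collecting both sides is that the WARNING on the KS is the only hint the post shows: a policy-replace rekey is safe only when every registered GM reports that capability, and the plain 'crypto gdoi ks rekey' form is what the KS itself suggests when that is not the case. Since the branches are also registered with the old KS pair, running the same GM-side commands for the old group gives a known-good baseline to compare the rekey key and counters against.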