09-19-2007 10:28 AM
Hi All,
We are testing the GET VPN scenario over the MPLS infrastructure by using 2 key servers. In one of the key servers, we defined the local priority greater than the other key server. The key servers among themselves chose the key server with the higher priority defined as the primary.
In the group member configuration, we defined the key server addresses in the order of primary and secondary.
When we unplug the primary key server, all the members of that group register with the secondary key server, and when the primary key server comes back, the member registration shows with the secondary key server. Is there a way, like in HSRP, to preempt to the primary key server?
The second thing is, when we unplug the secondary key server, the members who were registered to the secondary key server still show registration with that key server even though that key server has gone down. Is that a normal thing?
Kindly assist us.
Thanking You
Regards
Anantha Subramanian Natarajan
09-24-2007 08:05 AM
Anantha,
Two components here: KS priorities and GM preferences. They are independent.
KS uses priorities to determine which KS will become primary. When a KS boots, it assumes the secondary role and never preempts the current primary KS. If the KS were partitioned, then the priority comes into play.
GMs use an ordered list to register to one or more of the KS. If the GM needs to register (theoretically, the GM should never re-register), it starts at the top of the list and works its way down the list of potential KS. This allows you to distribute the registration of sets of GM across multiple KS. This is only important when you exceed the registration rate of a KS. The maximum registration rate occurs when all or a large set of GM failed to get a rekey message and they all try to re-register at roughly the same time. This process can be distributed across multiple KS to increase scalability of the system.
Scott Wainner
09-24-2007 08:09 AM
Anantha,
The GM shows the 'Active' KS from the Group Server List as the KS that the GM LAST registered with. It doesn't mean the GM will re-register with this KS first should it fail to get a rekey. The GM always starts at the top of its ordered list.
Scott Wainner
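The behaviour described in the two replies above, as a simplified Python model (an added example, not part of the original thread and not Cisco code). All class and method names and the priority values are hypothetical, and the partition/merge case is not modelled.

```python
# Simplified model of GET VPN KS roles and GM registration (hypothetical names).
class KeyServer:
    def __init__(self, name, priority):
        self.name, self.priority = name, priority
        self.up, self.role = False, None

class Group:
    def __init__(self, servers):
        self.servers = servers
    def primary(self):
        return next((k for k in self.servers if k.up and k.role == "primary"), None)
    def boot(self, ks):
        # A booting KS assumes the secondary role and never preempts.
        ks.up, ks.role = True, "secondary"
        self._elect()
    def fail(self, ks):
        ks.up, ks.role = False, None
        self._elect()
    def _elect(self):
        # Priority only decides the role when no primary is currently up.
        live = [k for k in self.servers if k.up]
        if live and self.primary() is None:
            max(live, key=lambda k: k.priority).role = "primary"

class GroupMember:
    def __init__(self, ordered_list):
        self.ordered_list = ordered_list
        self.last_registered = None  # what the GM displays as 'Active'
    def register(self):
        # Always start at the top of the ordered list, whatever 'Active' shows.
        for ks in self.ordered_list:
            if ks.up:
                self.last_registered = ks
                return ks
        return None

def scenario():
    """Return (primary KS, KS shown by the GM) after each step."""
    ks1, ks2 = KeyServer("KS1", 100), KeyServer("KS2", 50)  # constructed values
    group, gm = Group([ks1, ks2]), GroupMember([ks1, ks2])
    group.boot(ks1)
    group.boot(ks2)
    log = [(group.primary().name, gm.register().name)]
    group.fail(ks1)   # primary unplugged, GM has to re-register
    log.append((group.primary().name, gm.register().name))
    group.boot(ks1)   # old primary returns: no preemption, GM display unchanged
    log.append((group.primary().name, gm.last_registered.name))
    log.append((group.primary().name, gm.register().name))  # a later registration
    return log
```

The third entry shows the GM still listing KS2 after KS1 returns, and the fourth shows that a later registration goes to KS1 at the top of the list while KS2 keeps the primary role.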
09-24-2007 12:43 PM
Hi Scott,
Ohh, I inferred the same later and now it's good to get confirmed.
Thank you
Regards
Anantha Subramanian Natarajan