05-06-2008 05:48 PM - edited 02-21-2020 03:42 PM
I am just starting to configure GETVPN in the lab before putting it in production and I am having a lot of issues. Hope I can get some help here:
1) "sh crypto isakmp sa" displays the tunnels for about 10 minutes and after that we don't see any IPsec tunnel. Put a sniffer on and still seeing that the traffic is encrypted ...
2) When trying a multicast application "whiteboard, got it from Internet", it works for a minute and after that stops working .....
I am just questioning myself now if it is the right thing to go with GETVPN instead of DMVPN.....
Opened a TAC and still they haven't resolved these issues.
Thanks
05-07-2008 05:53 AM
Well, according to the guy from TAC, GETVPN doesn't support NAT. I didn't see that in the documentation, so I'm sticking with DMVPN for now.
05-10-2008 06:30 AM
05-27-2010 10:53 AM
To question #1:
sh cry isa sa - shows only the SAs for IKE phase 1, not for traffic encryption
sh cry ips sa - will show you what traffic is being encrypted - that's why with the sniffer you still see traffic encrypted.
See: GETVPN design & impl'n guide, section 5.3.2, verifying GM operation
05-27-2010 12:01 PM
Section 3.6.2 of the GETVPN design guide covers the reasoning behind the shortened ISAKMP lifetime value on the GM.