GetVPN Rekeys

Unanswered Question
Dec 16th, 2009


We have recently change our TBAR timer to allow for latency on the WAN. We have also made some big routing changes to our network.

I noticed that out GETVPN Kek Timer is set to the default as well as our TEK Policy timer.

I was wondering is this looks weird......

GM Reregisters in        : 2431 secs
    Rekey Received(hh:mm:ss) : 2w0d

The rekey used to count down from 24 hours, although I have noticed it is saying two weeks now.

Within the logs I see a rekey -

%CRYPTO-5-GM_REGSTER: Start registration to KS for group getvpn using address
: %GDOI-5-GM_REGS_COMPL: Registration to KS complete for group getvpn using address

But under show crypto gdoi -

    Rekeys received
         Cumulative          : 0
         After registration  : 0

Was wondering if this is a type of bug that someone has come across?


I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
dsandre-toh Thu, 05/27/2010 - 10:44

hi, your isa lifetime should be 1200 on the GMs but defaulted on the KS (86400) - the GM value will take precedence.  the tek life on KS should be 7200sec and the kek should be default of 86400.


This Discussion

Related Content