GetVPN Rekeys

Dec 16th, 2009


We have recently changed our TBAR timer to allow for latency on the WAN. We have also made some big routing changes to our network.

I noticed that our GETVPN KEK timer is set to the default, as well as our TEK policy timer.

I was wondering if this looks weird:

    GM Reregisters in        : 2431 secs
    Rekey Received(hh:mm:ss) : 2w0d

The rekey used to count down from 24 hours, although I have noticed it is saying two weeks now.

Within the logs I see a rekey -

%CRYPTO-5-GM_REGSTER: Start registration to KS for group getvpn using address
: %GDOI-5-GM_REGS_COMPL: Registration to KS complete for group getvpn using address

But under show crypto gdoi -

    Rekeys received
         Cumulative          : 0
         After registration  : 0

Was wondering if this is a type of bug that someone has come across?


dsandre-toh Thu, 05/27/2010 - 10:44

Hi, your ISA lifetime should be 1200 on the GMs but defaulted on the KS (86400) - the GM value will take precedence. The TEK life on the KS should be 7200 sec and the KEK should be the default of 86400.

