GETVPN - COOP KS Issue

Jan 4th, 2010

Hi all,


I'm trying a GETVPN/DMVPN setup with two KeyServers and two DMVPN Hubs (and a few spokes for testing).


Having the setup all up and running, it works fine. The two GET-Keyservers are configured as per the Cisco guide, and they are set up with a primary KS and a coop secondary.


The problem is that when I power off Keyserver 1 (primary) to test a power outage, Keyserver 2 takes on the role as the new key server, but new spokes that are booted up seem to be getting wrong IPSEC IDs.


I get this error on all routers that start participating as GMs:

%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<ip of spoke>, prot=50, spi=0x889642C4(2291548868), srcaddr=<IP of hub>


So it looks like the SPI is different from routers having been members of Keyserver1, and for routers that are members of Keyserver2.


I have checked the two Keyserver routers when they are both up and alive, and all seems to be ok.

Software is 12.4(11)T


Any ideas?


/KD

kelvindam Tue, 01/05/2010 - 10:03

Problem solved.


I upgraded my routers to 12.4(24)T2 and that solved the issue by making all SPIs identical.


/KD
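
Added example, not part of the original thread: a small Python parser for the %CRYPTO-4-RECVD_PKT_INV_SPI message quoted in the question, which groups rejected SPIs by receiver to tell a group-wide SA mismatch (the situation described after the key-server failover) from a single stale peer. The log lines, addresses, function names and the two-receiver threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Field layout follows the %CRYPTO-4-RECVD_PKT_INV_SPI line quoted in the question.
INV_SPI = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI: .*?destaddr=(?P<dst>[^,\s]+), prot=(?P<prot>\d+), "
    r"spi=0x(?P<hex>[0-9A-Fa-f]+)\((?P<dec>\d+)\), srcaddr=(?P<src>[^,\s]+)"
)

def parse_inv_spi(line):
    """Return the fields of one invalid-SPI message, or None for any other line."""
    m = INV_SPI.search(line)
    if m is None or int(m["hex"], 16) != int(m["dec"]):
        return None  # not this message, or hex/decimal SPI disagree (corrupt line)
    return {"dst": m["dst"], "src": m["src"],
            "prot": int(m["prot"]), "spi": int(m["hex"], 16)}

def rejected_spis(lines):
    """Map each rejected SPI to the receivers that dropped it and the senders using it."""
    seen = defaultdict(lambda: {"receivers": set(), "senders": set(), "count": 0})
    for line in lines:
        rec = parse_inv_spi(line)
        if rec and rec["prot"] == 50:  # prot=50 is ESP, as in the thread's message
            entry = seen[rec["spi"]]
            entry["receivers"].add(rec["dst"])
            entry["senders"].add(rec["src"])
            entry["count"] += 1
    return dict(seen)

def group_wide_mismatches(lines, min_receivers=2):
    """SPIs rejected by several receivers: a group SA mismatch, not one stale peer.
    The threshold is an assumption of this example."""
    return sorted(f"0x{spi:08X}" for spi, e in rejected_spis(lines).items()
                  if len(e["receivers"]) >= min_receivers)

_MSG = ("Jan  4 10:00:0{n}: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has "
        "invalid spi for destaddr={dst}, prot=50, spi=0x{spi:08X}({spi}), srcaddr={src}")
# Constructed sample log: documentation addresses, SPI 0x889642C4 taken from the thread.
SAMPLE_LOG = [
    _MSG.format(n=1, dst="192.0.2.11", spi=0x889642C4, src="198.51.100.1"),
    _MSG.format(n=2, dst="192.0.2.12", spi=0x889642C4, src="198.51.100.2"),
    _MSG.format(n=3, dst="192.0.2.13", spi=0x0000ABCD, src="198.51.100.1"),
    "Jan  4 10:00:04: %LINK-3-UPDOWN: Interface FastEthernet0/0, changed state to up",
]

if __name__ == "__main__":
    for spi, e in rejected_spis(SAMPLE_LOG).items():
        print(f"0x{spi:08X} receivers={sorted(e['receivers'])} senders={sorted(e['senders'])}")
    print("group-wide:", group_wide_mismatches(SAMPLE_LOG))
```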
