I'm trying a GETVPN/DMVPN setup with two KeyServers and two DMVPN Hubs.
(And a few spokes for testing).
With the setup all up and running, it works fine. The two GET-Keyservers are configured as per the Cisco guide,
and they are set up with a primary KS and a coop secondary.
The problem is that when I power off Keyserver 1 (primary) to test a power outage, Keyserver 2 takes on the role
as the new key-server, but new spokes that are booted up seem to be getting wrong IPSEC IDs.
I get this error on all routers that start participating as GMs:
%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<ip of spoke>, prot=50, spi=0x889642C4(2291548868), srcaddr=<IP of hub>
So it looks like the SPI is different for routers having been members of Keyserver1, and for routers that are members of Keyserver2.
I have checked the two Keyserver routers when they are both up and alive, and all seems to be ok.
Software is 12.4(11)T