COOP server configuration in GM's

Jan 21st, 2010

Hi Support,


Getting stuck in the configuration of a redundant KS. The primary KS is working fine in all GMs, but when trying to add the other key server in the GM it shows only one. It is not showing both key server IPs in a single group. However, the Cisco reference guide recommends using both in the same group for redundancy. Below is the configuration I found in the Cisco reference guide.



crypto gdoi group getvpn
 identity number 1234
 server address ipv4 100.1.1.1
 server address ipv4 100.1.1.5


Trying to add both server addresses (KS and COOP KS), but it shows only one.


Kindly update me if someone has any idea how to resolve the issue.


Thanks in advance.


Regards

Collin Clark Thu, 01/21/2010 - 06:41

I assume you're only seeing one when viewing the isakmp or ipsec SAs? That is normal. It will only show the one it has established with. If that one goes down, it will establish to the other and you will then see only that one.


Hope that helps.

iqbal-zeeshan Thu, 01/21/2010 - 10:05

Dear Collin,


Thanks for your prompt reply. I think you didn't get me. The configuration I showed in my post above is what it should look like in my GM, but that is not what is happening. When I try to configure another server in the same group on the GM, the first one is removed. That means I can configure only one key server at a time in my router; the previous one is always removed from the configuration.


Kindly advise me how I can configure two server IPs (KS & COOP KS) in one group so that it becomes redundant.


Thanks in advance.


Regards

Collin Clark Thu, 01/21/2010 - 11:11

I'm not sure I understand yet. You're entering


crypto gdoi group getvpn
 identity number 1234
 server address ipv4 100.1.1.1
 server address ipv4 100.1.1.5

on the GM, but it is failing to take 100.1.1.5? Is that correct?

iqbal-zeeshan Thu, 01/21/2010 - 11:15

Thanks for your reply. Yes, you got it right. When I try to add 100.1.1.5, the one above (10.1.1.1) disappears and I can only see the new one at a time.


Regards

Collin Clark Thu, 01/21/2010 - 11:22

Strange. I just tested on my spare router and it went in fine. What version of IOS are you running?


Just as an FYI, what I did for redundancy was point all GMs to a single loopback that is configured on both KS. The failover is extremely fast (1-3 s), whereas the second-server-address failover took 30-45 s.

iqbal-zeeshan Thu, 01/21/2010 - 11:31

Thanks for your reply. I'm not sure which version of IOS is running in this router because I am far from the router right now. I will let you know later, but the router models are 2811 and 3825 for all GMs, with their default IOS. Can you please tell me which router model and IOS you have? Does it matter for the IOS that the primary KS is working fine and the COOS KS cannot be added?


Regards

Collin Clark Thu, 01/21/2010 - 11:33

Can you explain what you mean by "COOS KS cannot adding"? What is being added on the COOP KS?

iqbal-zeeshan Thu, 01/21/2010 - 11:37

Sorry, it's COOP KS: Cooperative Key Servers, meaning the secondary KS.

Collin Clark Thu, 01/21/2010 - 11:38

I think I get it.


crypto gdoi group GETVPN
identity number 12345
server local
  rekey retransmit 40 number 2
  rekey authentication mypubkey rsa SOME_CERT
  rekey transport unicast
  sa ipsec 1
   profile PROFILE4IPSEC
   match address ipv4 ENCRYPTION
   replay counter window-size 64
  address ipv4 10.10.0.2
  redundancy
   local priority 100
   peer address ipv4 10.10.0.3


Are you adding a second address where it's highlighted red above?

iqbal-zeeshan Thu, 01/21/2010 - 11:46

Yes, I configured both primary and secondary KS and it's working fine. I checked the status of both KS (sh cry gdoi ks); they are working fine according to their priorities. The only remaining thing is adding this secondary IP in the group.


Regards

Collin Clark Thu, 01/21/2010 - 11:51

So the first IP is the address of the other KS, what is the second IP for?

iqbal-zeeshan Thu, 01/21/2010 - 11:57

The first IP address is the same router's interface, the KS (10.1.1.1), and the peer address is the secondary KS (10.1.1.5).


In the secondary KS the first IP address is the secondary KS interface (10.1.1.5) and the peer is the primary's interface (10.1.1.1).

Collin Clark Thu, 01/21/2010 - 12:01

There's no need to enter its own IP as a peer. Its IP is defined by the address ipv4 10.1.1.1 command. All you need to enter is the IP of the other KS.

iqbal-zeeshan Thu, 01/21/2010 - 12:20

Yes, I already configured it like that; the peer is added as the other KS. But I think the issue is in the GM, adding both KS in a single group.


Regards

Collin Clark Thu, 01/21/2010 - 13:21

Can you post the GETVPN config on one of your GMs?

iqbal-zeeshan Fri, 01/22/2010 - 01:48

Hi,


Kindly check the configuration of the GM below. I am just confused about how to add the secondary KS IP in the defined group.


crypto isakmp policy 10
 encr aes
 group 2
 authentication pre-share
crypto isakmp key cisco address 100.1.1.1
crypto isakmp key cisco address 100.1.1.5
!
crypto gdoi group getvpn
 identity number 1234
 server address ipv4 100.1.1.1
!
crypto map getvpn-map 10 gdoi
 set group getvpn

Regards

Collin Clark Fri, 01/22/2010 - 08:04

It has to be something with your IOS version.


Router(config)#
Router(config)#!
Router(config)#crypto isakmp policy 10
Router(config-isakmp)#encr aes
Router(config-isakmp)#group 2
Router(config-isakmp)#authentication pre-share
Router(config-isakmp)#crypto isakmp key cisco address 100.1.1.1
Router(config)#crypto isakmp key cisco address 100.1.1.5
Router(config)#!
Router(config)#crypto gdoi group getvpn
Router(config-gdoi-group)#identity number 1234
Router(config-gdoi-group)#server address ipv4 100.1.1.1
Router(config-gdoi-group)#server address ipv4 100.1.1.5
Router(config-gdoi-group)#!
Router(config-gdoi-group)#crypto map getvpn-map 10 gdoi
% NOTE: This new crypto map will remain disabled until a valid
        group has been configured.
Router(config-crypto-map)#set group getvpn
Router(config-crypto-map)#
Router(config-crypto-map)#^Z


From an 871 running 12.4(24)T. If you can get the IOS version, we can check it out further.

iqbal-zeeshan Fri, 01/22/2010 - 11:17

Hi,


Thanks for your reply; fortunately it seems to be the same configuration. I am already using IOS 12.4(24)T and later releases. Is there any limitation of the IOS for adding a secondary KS in the router?


Regards

Collin Clark Fri, 01/22/2010 - 11:26

No, the example in my previous post is a cut-n-paste from a test router. What is your hardware platform? Are you getting this on all routers or just one?

iqbal-zeeshan Sat, 01/23/2010 - 04:46

Hi,


I think it's an IOS issue in all GMs. I verified that by changing the IOS on one of the GMs, and the secondary IP is added now.


Regarding the redundancy, or shifting from the primary KS to the secondary KS in the GM, is it feasible to configure both KS on loopback interfaces?


Regards

Collin Clark Mon, 01/25/2010 - 06:31

If you check out the design doc for GETVPN, using the loopbacks is one of the suggested ways for adding redundancy.

Collin Clark Mon, 01/25/2010 - 06:30

IMO you should upgrade to at least 12.4(25).

iqbal-zeeshan Sun, 01/31/2010 - 01:01

Hi,


Good day. I changed the IOS of the GMs and configured all groups with the secondary IP address, but when the primary KS goes down, the COOP is not taken as a backup. All sessions of the GMs become IDLE with the primary KS until it comes back up. Any idea about that issue?


Regards

Collin Clark Mon, 02/01/2010 - 07:32

That's the same thing I experienced. I believe you have to wait for the SA to expire; then the router will query the first configured KS and, after that fails, it queries the KS and finally establishes. That's why I went with using loopbacks. The loopback IP is always available on all KS (routing determines which KS to go to). Failover is nearly instant.

iqbal-zeeshan Mon, 02/01/2010 - 10:46

Hi,


Thanks for your reply. If my SA lifetime is 1 day, then I have to wait 1 day for the session with the KS to expire before it establishes with the COOP (just kidding). Can you please send me some sample configuration to connect all GMs to the loopback KS IPs?


Regards
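The following is an added example of the loopback-based layout Collin describes above; it is not configuration from this thread, from Cisco documentation, or from either poster's routers. Each KS keeps its own unique loopback for the COOP peering and as its rekey source, both KSs advertise one shared loopback into the IGP, and the GMs register to that shared address so that routing, not the GM's server list, picks the surviving KS. The addresses, interface and ACL names, the OSPF process number, the RSA key label and the pre-shared key are all assumptions chosen for illustration.

```cisco
! ===== KS1 (primary, higher COOP priority) =====
interface Loopback0
 description unique KS1 address: COOP peering and rekey source (assumed)
 ip address 10.1.1.1 255.255.255.255
!
interface Loopback1
 description shared registration address, identical on KS2 (assumed)
 ip address 10.1.1.100 255.255.255.255
!
router ospf 1
 network 10.1.1.1 0.0.0.0 area 0
 network 10.1.1.100 0.0.0.0 area 0
!
crypto gdoi group getvpn
 identity number 1234
 server local
  rekey retransmit 40 number 2
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-PROFILE
   match address ipv4 ENCRYPT-ACL
   replay counter window-size 64
  address ipv4 10.1.1.1
  redundancy
   local priority 100
   peer address ipv4 10.1.1.5
!
! ===== KS2 (secondary, lower COOP priority) =====
interface Loopback0
 description unique KS2 address: COOP peering and rekey source (assumed)
 ip address 10.1.1.5 255.255.255.255
!
interface Loopback1
 description shared registration address, identical on KS1 (assumed)
 ip address 10.1.1.100 255.255.255.255
!
router ospf 1
 network 10.1.1.5 0.0.0.0 area 0
 network 10.1.1.100 0.0.0.0 area 0
!
crypto gdoi group getvpn
 identity number 1234
 server local
  rekey retransmit 40 number 2
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-PROFILE
   match address ipv4 ENCRYPT-ACL
   replay counter window-size 64
  address ipv4 10.1.1.5
  redundancy
   local priority 75
   peer address ipv4 10.1.1.1
!
! ===== GM =====
crypto isakmp policy 10
 encr aes
 group 2
 authentication pre-share
! one key for the shared registration address, plus one per KS's own
! address so IKE can still complete if a KS sources traffic from it (assumed)
crypto isakmp key cisco address 10.1.1.100
crypto isakmp key cisco address 10.1.1.1
crypto isakmp key cisco address 10.1.1.5
!
crypto gdoi group getvpn
 identity number 1234
 server address ipv4 10.1.1.100
!
crypto map getvpn-map 10 gdoi
 set group getvpn
```

Two points a practitioner would check before relying on this. First, the `address ipv4` and `peer address ipv4` lines under `redundancy` must use the unique per-KS addresses, never the shared one, or the two KSs cannot distinguish each other; and the RSA key pair named in `rekey authentication mypubkey rsa` has to be the same on both KSs (exported from one and imported on the other), otherwise a GM that registered through one KS will reject rekeys signed by the other. Second, the shared loopback is only withdrawn from the IGP when the whole KS router goes away; a KS whose GDOI process is unhealthy while the box stays up will keep attracting registrations, so this design trades the GM-side failover delay discussed above for a dependency on routing health.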

iqbal-zeeshan Sun, 02/07/2010 - 13:37

Hi Collin,


Good day. I configured both key servers on a loopback IP address and configured the GM policy as per the loopback IPs. When the primary KS goes down, the secondary shows as primary and works fine within a few seconds. But the GM shows the attached error during the GDOI sessions.


Kindly review the attached error logs.


Regards

iqbal-zeeshan Mon, 02/08/2010 - 12:42

Hi,


Thanks for your reply. After clearing the session it becomes connected with the available KS. If the IKE policies were mismatched, I believe it shouldn't connect just by clearing the session.


Regards
