COOP server configuration in GM's

iqbal-zeeshan
Level 1

Hi Support,

I am stuck on the configuration of a redundant KS. The primary KS is working fine in all GMs, but when I try to add another key server in a GM it shows only one. It does not show both key server IPs in a single group. However, the Cisco reference guide recommends using both in the same group for redundancy. I found the configuration below in the Cisco reference guide.

crypto gdoi group getvpn
 identity number 1234
 server address ipv4 100.1.1.1
 server address ipv4 100.1.1.5

I am trying to add both server addresses (KS and COOP KS), but it shows only one.

Kindly update me if someone has any idea how to resolve the issue.

Thanks in advance.

Regards

30 Replies

Collin Clark
VIP Alumni

I assume you're only seeing one when viewing the isakmp or ipsec SAs? That is normal. It will only show the one it has established with. If that one goes down, it will establish to the other and you will then see only that one.

Hope that helps.

Dear Collin,

Thanks for your prompt reply. I think you didn't get me. The configuration I showed in my post above is how it should look on my GM, but it's not happening like that. When I try to configure another server in the same group on the GM, the first one is removed. That means I can configure only 1 key server at a time in my router. The last one is always removed from the configuration.

Kindly advise me how I can configure two server IPs (KS & COOP KS) in one group, so that it becomes redundant.

Thanks in advance.

Regards

I'm not sure I understand yet. You're entering

crypto gdoi group getvpn
 identity number 1234
 server address ipv4 100.1.1.1
 server address ipv4 100.1.1.5

on the GM, but it is failing to take 100.1.1.5? Is that correct?

Thanks for your reply. Yes, you got it right. When I try to add 100.1.1.5, the one above (10.1.1.1) disappears, and I can only see the new one at a time.

Regards

Strange. I just tested on my spare router and it went in fine. What version of IOS are you running?

Just as an FYI, what I did for redundancy was point all GMs to a single loopback that is configured on both KS. The failover is extremely fast (1-3s) whereas the second server address failover took 30-45s.

Thanks for your reply. I'm not sure which version of IOS is running on this router because I am away from the router right now. I will let you know later, but the router models are 2811 and 3825 for all GMs, with their default IOS. Can you please tell me which router model and IOS you have? Does the IOS matter, given that the primary KS is working fine and COOS KS cannot adding?

Regards

Can you explain what you mean by COOS KS cannot adding? What is being added on the COOP KS?

Sorry, it's COOP KS. Cooperative Key Server, meaning the secondary KS.

I think I get it.

crypto gdoi group GETVPN
identity number 12345
server local
  rekey retransmit 40 number 2
  rekey authentication mypubkey rsa SOME_CERT
  rekey transport unicast
  sa ipsec 1
   profile PROFILE4IPSEC
   match address ipv4 ENCRYPTION
   replay counter window-size 64
  address ipv4 10.10.0.2
  redundancy
   local priority 100
   peer address ipv4 10.10.0.3

Are you adding a second address where it's highlighted red above?

Yes, I configured both the primary and secondary KS and it's working fine. I checked the status of both KS (sh cry gdoi ks). They are working fine according to their priorities. The only remaining thing is adding this secondary IP in the group.

Regards

So the first IP is the address of the other KS, what is the second IP for?

The first IP address is the same router's KS interface (10.1.1.1) and the peer address is the secondary KS (10.1.1.5).

On the secondary KS, the first IP address is the secondary KS interface (10.1.1.5) and the peer is the primary interface (10.1.1.1).

There's no need to enter its own IP as a peer. Its IP is defined by the address ipv4 10.1.1.1 command. All you need to enter is the IP of the other KS.

Yes, I already configured it like that. The peer is added as the next KS. But I think the issue is on the GM, in adding both KS in a single group.

Regards
