01-21-2010 04:44 AM
Hi Support,
Getting stuck in the configuration of a redundant KS. The primary KS is working fine on all GMs, but when trying to add the other key server on the GM it shows only one. It is not showing both key server IPs in a single group. However, the Cisco reference guide recommends using both in the same group for redundancy. Below is the configuration I found in the Cisco reference guide.
crypto gdoi group getvpn
identity number 1234
server address ipv4 100.1.1.1
server address ipv4 100.1.1.5
Trying to add both server addresses (KS and COOP KS), but it shows only one.
Kindly update me if someone has any idea how to resolve the issue.
Thanks in advance.
Regards
01-21-2010 06:41 AM
I assume you're only seeing one when viewing the isakmp or ipsec SAs? That is normal. It will only show the one it has established with. If that one goes down, it will establish to the other and you will then see only that one.
Hope that helps.
01-21-2010 10:05 AM
Dear Collin,
Thanks for your prompt reply; I think you didn't get me. The configuration which I showed in my post above should be like that in my GM. But it is not happening like that. When I am trying to configure another server in the same group on the GM, the first one is removed. That means I can configure only 1 key server at a time in my router. The last one is always removed from the configuration.
Kindly advise me how I can configure two server IPs (KS & COOP KS) in one group, so that it becomes redundant.
Thanks in advance.
Regards
01-21-2010 11:11 AM
I'm not sure I understand yet. You're entering
crypto gdoi group getvpn
identity number 1234
server address ipv4 100.1.1.1
server address ipv4 100.1.1.5
on the GM, but it is failing to take 100.1.1.5? Is that correct?
01-21-2010 11:15 AM
Thanks for your reply... Yes, you got it right. Even when I was trying to add 100.1.1.5, the above one, 10.1.1.1, disappeared and I can only see the new one at a time.
Regards
01-21-2010 11:22 AM
Strange. I just tested on my spare router and it went in fine. What version of IOS are you running?
Just as an FYI, what I did for redundancy was point all GMs to a single loopback that is configured on both KSs. The failover is extremely fast (1-3s), whereas the second server address failover took 30-45s.
01-21-2010 11:31 AM
Thanks for your reply. I'm not sure which version of IOS is running on this router because I am far from the router now. I will let you know later, but the router models are 2811 and 3825 for all GMs, with their default IOS. Can you please tell me which router model you have and which IOS? Does it matter for IOS that the primary KS is working fine and the COOS KS cannot be added?
Regards
01-21-2010 11:33 AM
Can you explain what you mean by COOS KS cannot adding? What is being added on the COOP KS?
01-21-2010 11:37 AM
Sorry, it's COOP KS: Cooperative Key Servers, meaning the secondary KS.
01-21-2010 11:38 AM
I think I get it.
crypto gdoi group GETVPN
identity number 12345
server local
rekey retransmit 40 number 2
rekey authentication mypubkey rsa SOME_CERT
rekey transport unicast
sa ipsec 1
profile PROFILE4IPSEC
match address ipv4 ENCRYPTION
replay counter window-size 64
address ipv4 10.10.0.2
redundancy
local priority 100
peer address ipv4 10.10.0.3
Are you adding a second address where it's highlighted red above?
01-21-2010 11:46 AM
Yes, I configured both primary and secondary KS and it is working fine. I checked the status of both KSs (sh cry gdoi ks). They are working fine according to their priorities. But the only remaining thing is adding this secondary IP in the group.
Regards
01-21-2010 11:51 AM
So the first IP is the address of the other KS, what is the second IP for?
01-21-2010 11:57 AM
The first IP address is the same router's KS interface (10.1.1.1) and the peer address is the secondary KS (10.1.1.5).
In the secondary KS, the first IP address is the secondary KS interface (10.1.1.5) and the peer is the primary interface (10.1.1.1).
01-21-2010 12:01 PM
There's no need to enter its own IP as a peer. Its IP is defined by the address ipv4 10.1.1.1 command. All you need to enter is the IP of the other KS.
01-21-2010 12:20 PM
Yes, I already configured it like that. The peer is added as the next KS. But I think the issue is in the GM, adding both KSs in a single group.
Regards
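The thread converges on two separate pieces of configuration: the group member lists both key servers under one `crypto gdoi group`, while each key server lists only the other KS under `redundancy` / `peer address ipv4`. The following is an added example that is not the poster's or Collin's config; it assumes the group name `getvpn`, identity 1234, the KS addresses 10.1.1.1 and 10.1.1.5 used later in the thread, and the certificate, profile and ACL names from Collin's KS snippet (SOME_CERT, PROFILE4IPSEC, ENCRYPTION). The secondary KS priority of 75 is an illustrative value.

```cisco
! --- Group member (each 2811 / 3825 GM): both key servers in one group ---
! Added example, not the thread's own config; IPs and names are illustrative.
crypto gdoi group getvpn
 identity number 1234
 server address ipv4 10.1.1.1
 server address ipv4 10.1.1.5
!
! --- Primary KS (10.1.1.1) ---
! Its own address goes under "address ipv4"; only the OTHER KS goes under
! "peer address ipv4" (do not list the local address as a peer).
crypto gdoi group getvpn
 identity number 1234
 server local
  rekey retransmit 40 number 2
  rekey authentication mypubkey rsa SOME_CERT
  rekey transport unicast
  sa ipsec 1
   profile PROFILE4IPSEC
   match address ipv4 ENCRYPTION
   replay counter window-size 64
  address ipv4 10.1.1.1
  redundancy
   local priority 100
   peer address ipv4 10.1.1.5
!
! --- Secondary (COOP) KS (10.1.1.5): same policy, lower priority, peer is the primary ---
crypto gdoi group getvpn
 identity number 1234
 server local
  rekey retransmit 40 number 2
  rekey authentication mypubkey rsa SOME_CERT
  rekey transport unicast
  sa ipsec 1
   profile PROFILE4IPSEC
   match address ipv4 ENCRYPTION
   replay counter window-size 64
  address ipv4 10.1.1.5
  redundancy
   local priority 75
   peer address ipv4 10.1.1.1
!
! --- Verification ---
! On each KS:  show crypto gdoi ks coop   (role Primary/Secondary and COOP peer state)
! On a GM:     show crypto gdoi           (which KS the GM is currently registered with)
```

As Collin notes earlier in the thread, a GM registers with one KS at a time, so `show crypto gdoi` on the GM will only ever name one of the two server addresses; both lines should nevertheless remain in the running configuration. If the second `server address ipv4` line replaces the first, compare the IOS version against the one Collin tested with before looking elsewhere.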