GETVPN

Answered Question
May 18th, 2010

Doing some testing before live implementation, have a small GETVPN lab network, single KS, 5 GMs, all at 12.4(15)T10.  All encryption, routing, etc. is working fine except for something odd that I noticed.

From Key server:

C2851_Key_Srvr#sh cry gd ks me

Group Member Information :

Number of rekeys sent for group GETVPN : 170

Group Member ID   : 172.16.1.1

Group ID          : 1234

Group Name        : GETVPN

Key Server ID     : 172.16.0.1

Rekeys sent       : 170

Rekeys retries    : 0

Rekey Acks Rcvd   : 170

Rekey Acks missed : 0

Sent seq num :    2    1    0    0

Rcvd seq num :    2    1    0    0

......

......

From Group Member:

*May 17 09:34:43.574: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroupfrom 172.16.0.1 to 172.16.4.1 with seq # 1

*May 17 09:55:33.701: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroupfrom 172.16.0.1 to 172.16.4.1 with seq # 2

*May 17 11:20:39.221: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroupfrom 172.16.0.1 to 172.16.4.1 with seq # 1

*May 17 11:55:34.433: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroupfrom 172.16.0.1 to 172.16.4.1 with seq # 2

*May 17 13:06:34.865: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroupfrom 172.16.0.1 to 172.16.4.1 with seq # 1

*May 17 13:55:35.164: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroupfrom 172.16.0.1 to 172.16.4.1 with seq # 2

....  the sent & rcvd sequence numbers never go higher than 2.  In fact, they repeat the pattern: 1,2,1,2,1,2.....forever.

This is odd behavior as the Design & Implementation Guide, section: 5.3.3.2 states:

.......

.......

If all GMs in the GET VPN group reply back to a unicast rekey, rekey syslog messages are displayed with consecutive incrementing sequence numbers.   <<<<<<<<<<<<<<< !!!!!!

.......

.......

If syslog does not show the rekey sequence numbers incrementing properly (last sequence number + 1), this indicates that the primary KS is sending out some rekey retransmissions because ACKs from some GMs is not being received.

This implies, seq #s should increase 1,2,3,4,5........

Anyone shed any light on this issue? Is it a real problem or no?

much appreciated !!

DJS

Correct Answer by hdashnau, Tue, 05/25/2010 - 15:15

In the "sh cry gd ks me" output you sent, it looks like the KS sent 170 rekey messages and received all 170 rekey ACKs. Based on this, nothing looks awry. You could be seeing the repetition because a KEK rekey resets the sequence number to 1. A KEK rekey is when a new KEK is generated and possibly new TEKs depending on their lifetime. All consecutive TEK rekeys increment from there. Examine your lifetimes for KEK and TEK, but based on the syslog timestamps I'm guessing this is probably what the explanation is.

Just to be on the safe side, I would keep an eye out on your GMs in your test environment and monitor to see one or more is trying to re-register when the IPSec SAs are about to expire (about 60 seconds before) as this would indicate a problem with not receiving the rekeys.
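A small monitoring script, added here as an example and not part of this thread, that applies the two checks discussed above: it walks GM %GDOI-5-GM_RECV_REKEY syslog lines and labels each sequence number as consecutive, reset to 1 (what a KEK rekey would produce) or a gap/duplicate (what missed ACKs and retransmissions would produce), and it verifies that the KS per-member rekey and ACK counters agree. The sample log lines and counter values are constructed in the format shown in the thread.

```python
import re

# Constructed GM syslog sample in the thread's format (group name and addresses are illustrative).
SAMPLE_GM_SYSLOG = """\
*May 17 09:34:43.574: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroupfrom 172.16.0.1 to 172.16.4.1 with seq # 1
*May 17 09:55:33.701: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroupfrom 172.16.0.1 to 172.16.4.1 with seq # 2
*May 17 11:20:39.221: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroupfrom 172.16.0.1 to 172.16.4.1 with seq # 1
*May 17 12:30:00.000: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroupfrom 172.16.0.1 to 172.16.4.1 with seq # 4
"""

# Constructed per-member counters in the format of "show crypto gdoi ks members".
SAMPLE_KS_OUTPUT = """\
Rekeys sent       : 170
Rekeys retries    : 0
Rekey Acks Rcvd   : 170
Rekey Acks missed : 0
"""

# IOS prints the group name and "from" without a space; \s* accepts either form.
REKEY_RE = re.compile(
    r"%GDOI-5-GM_RECV_REKEY: Received Rekey for group (?P<group>\S+?)\s*from "
    r"(?P<ks>\S+) to (?P<gm>\S+) with seq # (?P<seq>\d+)"
)
KS_COUNTER_RE = re.compile(r"^(Rekeys sent|Rekeys retries|Rekey Acks Rcvd|Rekey Acks missed)\s*:\s*(\d+)", re.M)

def classify_rekeys(syslog_text):
    """Label each received rekey per group: ok (last+1), reset (back to 1, consistent
    with a KEK rekey), duplicate (retransmission seen twice) or gap (a rekey was missed)."""
    last, events = {}, []
    for line in syslog_text.splitlines():
        m = REKEY_RE.search(line)
        if not m:
            continue
        group, seq = m["group"], int(m["seq"])
        prev = last.get(group)
        if prev is None or seq == prev + 1:
            verdict = "ok"
        else:
            verdict = "reset" if seq == 1 else "duplicate" if seq == prev else "gap"
        events.append((group, seq, verdict))
        last[group] = seq
    return events

def check_ks_member(ks_output):
    """Return (healthy, counters): healthy when every rekey sent was acked with no retries."""
    c = {k: int(v) for k, v in KS_COUNTER_RE.findall(ks_output)}
    healthy = (c["Rekeys sent"] == c["Rekey Acks Rcvd"]
               and c["Rekey Acks missed"] == 0 and c["Rekeys retries"] == 0)
    return healthy, c
```

A "reset" alone is expected at each KEK rekey, as the answer explains; a "gap" or "duplicate", or a KS member whose ACK counters do not match, is what the design guide's retransmission warning refers to.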


hdashnau Tue, 05/25/2010 - 16:11

P.S. If I have answered your question please mark the post as resolved and rate the responses. This helps us more easily identify which questions remain unanswered and let us know how we are doing. Thanks in advance!

dsandre-toh Wed, 05/26/2010 - 07:42

thanks for the suggestion........will review the timer values, change them & see how they impact the sequence numbers.

dsandre-toh Thu, 05/27/2010 - 10:36

that was exactly the issue..........lifetimes for TEK & KEK were the same, they should not be........I changed tek=7200, kek=86400..........sequence numbers are incrementing as they should be !!!  thanks again for your help. !!!

hdashnau Thu, 05/27/2010 - 10:42

If I have answered your question please mark the post as resolved and rate the responses. This helps us more easily identify which questions remain unanswered and let us know how we are doing. Thanks in advance!

KWillacey_2 Fri, 05/28/2010 - 10:48

Could I see a copy of your configurations. I want to jump into GetVPN and nothing will help my understanding more than working configurations, thanks.

KWillacey_2 Fri, 05/28/2010 - 13:53

Thanks much. Sorry the rating should have been five, I clicked too early.
