GETVPN

dsandre-toh (Level 1)

Doing some testing before live implementation. I have a small GETVPN lab network, single KS, 5 GMs, all at 12.4(15)T10. All encryption, routing, etc. is working fine except for something odd that I noticed.

From Key server:

C2851_Key_Srvr#sh cry gd ks me

Group Member Information :
Number of rekeys sent for group GETVPN : 170

Group Member ID   : 172.16.1.1
Group ID          : 1234
Group Name        : GETVPN
Key Server ID     : 172.16.0.1
Rekeys sent       : 170
Rekeys retries    : 0
Rekey Acks Rcvd   : 170
Rekey Acks missed : 0
Sent seq num :    2    1    0    0
Rcvd seq num :    2    1    0    0
......

From Group Member:

*May 17 09:34:43.574: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroup from 172.16.0.1 to 172.16.4.1 with seq # 1
*May 17 09:55:33.701: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroup from 172.16.0.1 to 172.16.4.1 with seq # 2
*May 17 11:20:39.221: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroup from 172.16.0.1 to 172.16.4.1 with seq # 1
*May 17 11:55:34.433: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroup from 172.16.0.1 to 172.16.4.1 with seq # 2
*May 17 13:06:34.865: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroup from 172.16.0.1 to 172.16.4.1 with seq # 1
*May 17 13:55:35.164: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroup from 172.16.0.1 to 172.16.4.1 with seq # 2

....  the sent & rcvd sequence numbers never go higher than 2.  In fact, they repeat the pattern: 1,2,1,2,1,2.....forever.

This is odd behavior, as the Design & Implementation Guide, section 5.3.3.2, states:

.......

If all GMs in the GET VPN group reply back to a unicast rekey, rekey syslog messages are displayed with consecutive incrementing sequence numbers.   <<<<<<<<<<<<<<< !!!!!!

.......

If syslog does not show the rekey sequence numbers incrementing properly (last sequence number + 1), this indicates that the primary KS is sending out some rekey retransmissions because ACKs from some GMs are not being received.

This implies, seq #s should increase 1,2,3,4,5........

Anyone shed any light on this issue? Is it a real problem or no?

much appreciated !!

DJS


8 Replies

hdashnau (Cisco Employee), accepted solution

In the "sh cry gd ks me" output you sent, it looks like the KS sent 170 rekey messages and received all 170 rekey ACKs. Based on this, nothing looks awry. You could be seeing the repetition because a KEK rekey resets the sequence number to 1. A KEK rekey is when a new KEK is generated and possibly new TEKs, depending on their lifetime. All consecutive TEK rekeys increment from there. Examine your lifetimes for KEK and TEK, but based on the syslog timestamps I'm guessing this is probably the explanation.

Just to be on the safe side, I would keep an eye on your GMs in your test environment and monitor to see if one or more is trying to re-register when the IPsec SAs are about to expire (about 60 seconds before), as this would indicate a problem with not receiving the rekeys.

P.S. If I have answered your question please mark the post as resolved and rate the responses. This helps us more easily identify which questions remain unanswered and let us know how we are doing. Thanks in advance!
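An added check, not from the original post and not Cisco's tooling, that turns the accepted answer into something you can run over a GM's syslog. It parses the %GDOI-5-GM_RECV_REKEY lines and labels each transition: a normal increment, a reset to 1 (what a KEK rekey produces, and harmless when it lines up with the KEK lifetime), a gap (a rekey this GM never saw, the case the design guide's "last sequence number + 1" rule is really about), or a repeat. The sample is constructed from the six lines in the post (with the missing space in "PGroupfrom" restored; the regex also tolerates the run-together form) plus one extra line, not in the post, with seq # 4 to show what a gap looks like. IOS timestamps carry no year, so the year is an assumed parameter.

```python
import re
from datetime import datetime

# Constructed sample: the six GM syslog lines quoted above, plus a seventh
# line that is NOT from the post, jumping from seq 2 to seq 4 (a missed rekey).
SAMPLE_LOG = """\
*May 17 09:34:43.574: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroup from 172.16.0.1 to 172.16.4.1 with seq # 1
*May 17 09:55:33.701: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroup from 172.16.0.1 to 172.16.4.1 with seq # 2
*May 17 11:20:39.221: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroup from 172.16.0.1 to 172.16.4.1 with seq # 1
*May 17 11:55:34.433: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroup from 172.16.0.1 to 172.16.4.1 with seq # 2
*May 17 13:06:34.865: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroup from 172.16.0.1 to 172.16.4.1 with seq # 1
*May 17 13:55:35.164: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroup from 172.16.0.1 to 172.16.4.1 with seq # 2
*May 17 15:55:36.002: %GDOI-5-GM_RECV_REKEY: Received Rekey for group PGroup from 172.16.0.1 to 172.16.4.1 with seq # 4
"""

# "\s*from" tolerates the run-together "PGroupfrom" as it appears in the post.
REKEY_RE = re.compile(
    r"^\*(?P<ts>[A-Za-z]{3} +\d{1,2} \d\d:\d\d:\d\d)\.\d+: %GDOI-5-GM_RECV_REKEY: "
    r"Received Rekey for group (?P<group>\S+?)\s*from (?P<ks>\S+) to (?P<gm>\S+) "
    r"with seq # (?P<seq>\d+)$"
)


def parse_rekeys(text, year=2010):
    """Return (timestamp, group, ks, seq) for each rekey line; year is an assumption
    because IOS syslog timestamps do not carry one."""
    events = []
    for line in text.splitlines():
        m = REKEY_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["group"], m["ks"], int(m["seq"])))
    return events


def classify_rekeys(events):
    """Label each consecutive pair of rekeys seen by this GM.

    ok    : seq == previous + 1 (normal TEK rekey)
    reset : seq == 1 after a higher value (a KEK rekey restarts the counter)
    gap   : seq jumped by more than 1 (this GM missed at least one rekey)
    dup   : seq repeated or went backwards without a reset (retransmit/replay)
    """
    findings, prev = [], None
    for ts, _group, _ks, seq in events:
        if prev is None:
            label, since = "first", 0
        else:
            pts, pseq = prev
            since = int((ts - pts).total_seconds())
            if seq == pseq + 1:
                label = "ok"
            elif seq == 1 and pseq > 1:
                label = "reset"
            elif seq > pseq + 1:
                label = "gap"
            else:
                label = "dup"
        findings.append({"ts": ts, "seq": seq, "label": label, "since_prev_s": since})
        prev = (ts, seq)
    return findings


def summarize(findings):
    """Count transitions by label."""
    counts = {}
    for f in findings:
        counts[f["label"]] = counts.get(f["label"], 0) + 1
    return counts


def needs_attention(findings):
    """Resets alone are expected (KEK rekey); gaps or repeats deserve a look,
    together with the KS 'Rekey Acks missed' counter and any GM re-registration."""
    return any(f["label"] in ("gap", "dup") for f in findings)


if __name__ == "__main__":
    found = classify_rekeys(parse_rekeys(SAMPLE_LOG))
    for f in found:
        print(f"{f['ts']:%b %d %H:%M:%S}  seq {f['seq']:>3}  {f['label']:<6}  +{f['since_prev_s']}s")
    print(summarize(found), "needs attention:", needs_attention(found))
```

On the post's own six lines the script reports only "ok" and "reset" transitions, which is the 1,2,1,2 pattern the accepted answer attributes to KEK rekeys; the constructed seventh line is the one that trips `needs_attention`. Pair it with the KS side (`Rekeys retries` and `Rekey Acks missed` in `show crypto gdoi ks members`) before concluding a GM is dropping rekeys.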

Thanks for the suggestion. Will review the timer values, change them, and see how they impact the sequence numbers.

That was exactly the issue. Lifetimes for TEK & KEK were the same; they should not be. I changed tek=7200, kek=86400, and the sequence numbers are incrementing as they should be!!! Thanks again for your help!!!
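The lifetimes the poster settled on, shown as an added configuration audit (my example, not the poster's attached configs and not a Cisco tool). Two constructed IOS key-server fragments are embedded: one with the TEK and KEK lifetimes both at 86400 seconds, the other with the 7200/86400 split from the reply above. The checker extracts the KEK lifetime (`rekey lifetime seconds` under `server local`) and the TEK lifetime (`set security-association lifetime seconds` in the IPsec profile that the group's `sa ipsec` entry references) and flags a TEK lifetime that is not shorter than the KEK lifetime. The group ID and KS address are taken from the post; the profile, ACL, transform-set and RSA key names are assumptions, as are the fallbacks of 3600 s for an unset IPsec SA lifetime and 86400 s for an unset rekey lifetime (the IOS defaults as I know them).

```python
import re

# Constructed key-server fragment (not the poster's configuration). Group ID
# and KS address are from the post; GDOI-PROFILE, GDOI-TS, GETVPN-ACL and
# GETVPN-KEY are made-up names. TEK and KEK lifetimes are both 86400 here.
KS_BEFORE = """\
crypto ipsec profile GDOI-PROFILE
 set security-association lifetime seconds 86400
 set transform-set GDOI-TS
!
crypto gdoi group GETVPN
 identity number 1234
 server local
  rekey lifetime seconds 86400
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GETVPN-KEY
  rekey transport unicast
  sa ipsec 1
   profile GDOI-PROFILE
   match address ipv4 GETVPN-ACL
  address ipv4 172.16.0.1
"""

# Same fragment with the TEK lifetime shortened to 7200 s, KEK left at 86400 s.
KS_AFTER = KS_BEFORE.replace(
    "set security-association lifetime seconds 86400",
    "set security-association lifetime seconds 7200",
)


def audit_ks_lifetimes(config, default_tek=3600, default_kek=86400):
    """Pull the KEK lifetime and the referenced profile's TEK lifetime out of a
    key-server config and report whether TEK < KEK. Defaults are assumptions for
    the case where a lifetime is not set explicitly."""
    profiles = {}          # ipsec profile name -> SA lifetime seconds (TEK lifetime)
    cur_profile = None     # profile whose sub-mode we are in, if any
    in_gdoi = False        # inside "crypto gdoi group ..." sub-modes
    kek = default_kek
    sa_profile = None      # last profile named under "sa ipsec"; one group assumed
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        cmd = raw.strip()
        if not raw.startswith(" "):              # top-level command opens a new context
            cur_profile, in_gdoi = None, False
            if cmd.startswith("crypto ipsec profile "):
                cur_profile = cmd.split()[-1]
                profiles[cur_profile] = default_tek
            elif cmd.startswith("crypto gdoi group "):
                in_gdoi = True
            continue
        if cur_profile is not None:
            m = re.match(r"set security-association lifetime seconds (\d+)$", cmd)
            if m:
                profiles[cur_profile] = int(m.group(1))
        elif in_gdoi:
            m = re.match(r"rekey lifetime seconds (\d+)$", cmd)
            if m:
                kek = int(m.group(1))
            m = re.match(r"profile (\S+)$", cmd)
            if m:
                sa_profile = m.group(1)
    tek = profiles.get(sa_profile, default_tek)
    return {
        "profile": sa_profile,
        "kek": kek,
        "tek": tek,
        "ok": tek < kek,
        # rough number of TEK rekeys the sequence counter should climb through
        # before a KEK rekey resets it to 1
        "tek_rekeys_per_kek": kek // tek if tek else 0,
    }


if __name__ == "__main__":
    for name, cfg in (("before", KS_BEFORE), ("after", KS_AFTER)):
        r = audit_ks_lifetimes(cfg)
        verdict = "ok" if r["ok"] else "TEK lifetime not shorter than KEK lifetime"
        print(f"{name}: tek={r['tek']} kek={r['kek']} ({r['profile']}) -> {verdict}")
```

With the split the poster chose, the counter should reach roughly a dozen before a KEK rekey resets it; with equal lifetimes every TEK rekey sits next to a KEK rekey and the counter never gets past 2, which is exactly the 1,2,1,2 pattern in the original question.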


Could I see a copy of your configurations? I want to jump into GetVPN, and nothing will help my understanding more than working configurations. Thanks.

Here are a few lab configs, fairly straightforward, nothing fancy in terms of routing, etc.; a fairly flat topology for a simple lab setup.

Thanks much. Sorry the rating should have been five, I clicked too early.
