Hello to the community!
We have deployed GETVPN with 4 KS (1 primary, 3 coop) in the same location. My understanding was that eventhough one gm could register to any of the KS (according to the order with which they have been configured on the gm) the ACL would always be downloaded from the primary KS. In practice I have seen that sometimes the gm registers to a KS and also gets its ACL from the same KS. Is there something I am missing or is this expected behaviour?
Thank you in advance
I think the policy ACL is downloaded from the registered KS, but the ACL was pushed from primary KS. Not sure if you can run some simple test in your network. Let's make some policy changes only on the primary KS, that should trigger a rekey to all GMs. After the rekey, we check the download ACL on GMs, see if it is the new policy ACL(only on primary KS) or the old policy ACL(on secondary KS).