Hi everyone, in the next few days I'll deploy the GET VPN solution for one of our most critical customers. I think the design is not reliable in all aspects, because the design team is considering only one key server, so... what happens if this single key server goes down? Will the interesting traffic be dropped, or will the interesting traffic go ahead but unencrypted? We are short on time, and I have been searching many PDFs on the GET VPN solution, but I can't find the answer to my question. Please help me!
Re: GET VPN deployment with a single key server
First, as you have already noted, having a single Key Server is probably not a good idea when it comes to redundancy requirements. That said, GETVPN operates in two modes in the current implementation:
2. Fail-open mode. By default, a GM operates in fail-open mode (i.e., it will forward unencrypted traffic) until the first successful registration with the Key Server, after which it operates in fail-close mode.
If you want complete fail-open, i.e., if a GM fails to receive a TEK after the initial registration, then you'd need to deploy something like EEM to enforce that policy. The idea is to use an EEM applet to force a "clear crypto gdoi" when the GM fails to receive rekey messages, based on a user-defined threshold. I would recommend opening a TAC case if this is what you want to do and you are somewhat new to either EEM or GETVPN.
Also, check out the GETVPN Design and Implementation Guide, which provides a lot more detailed information on this.
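The fail-open/fail-close behaviour and the rekey-threshold watchdog described in the answer above, modelled as an added Python example. This is not code from the thread or from Cisco, and it is not an EEM applet: it only plays out the timeline a single-KS deployment produces. The TEK lifetime, rekey interval, threshold, event schedule and sample times are assumptions chosen to make the two outcomes visible.

```python
"""Model of a GETVPN group member (GM) losing its only key server (KS).

Added illustration, not Cisco code.  It captures the policy stated in the
answer: fail-open (plaintext) until the first registration, fail-close
(drop) once registered and the TEK has expired, and an EEM-style watchdog
that issues the equivalent of "clear crypto gdoi" after a user-defined
number of missed rekeys, which returns the GM to fail-open.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class GroupMember:
    tek_lifetime: int            # seconds a TEK stays valid once installed (assumed)
    rekey_interval: int          # expected seconds between KS rekeys (assumed)
    missed_rekey_threshold: int  # watchdog threshold, the "user defined threshold" (assumed)
    registered: bool = False
    tek_expires_at: Optional[int] = None
    last_key_at: Optional[int] = None
    log: List[Tuple[int, str]] = field(default_factory=list)

    def register(self, now: int) -> None:
        """Successful registration with the KS: first TEK installed."""
        self.registered = True
        self.tek_expires_at = now + self.tek_lifetime
        self.last_key_at = now
        self.log.append((now, "registered"))

    def rekey(self, now: int) -> None:
        """Rekey received from the KS: TEK lifetime extended."""
        if self.registered:
            self.tek_expires_at = now + self.tek_lifetime
            self.last_key_at = now
            self.log.append((now, "rekey"))

    def clear_gdoi(self, now: int) -> None:
        """Equivalent of 'clear crypto gdoi': drop GDOI state, back to fail-open."""
        self.registered = False
        self.tek_expires_at = None
        self.last_key_at = None
        self.log.append((now, "clear crypto gdoi"))

    def watchdog(self, now: int) -> bool:
        """EEM-style check: clear GDOI state once too many rekeys were missed."""
        if not self.registered:
            return False
        missed = (now - self.last_key_at) // self.rekey_interval
        if missed >= self.missed_rekey_threshold:
            self.clear_gdoi(now)
            return True
        return False

    def forward(self, now: int) -> str:
        """What happens to interesting traffic at time `now`."""
        if not self.registered:
            return "plaintext"      # fail-open: never registered, or state cleared
        if now < self.tek_expires_at:
            return "encrypted"
        return "dropped"            # fail-close: registered but TEK expired, KS unreachable


# Constructed schedule: registration at t=100, one rekey at t=700, then the
# single KS goes down and no further rekeys arrive.
EVENTS = [(100, "register"), (700, "rekey")]
SAMPLES = (0, 300, 1200, 1900, 2500, 3100)


def simulate(with_watchdog: bool) -> Dict[int, str]:
    """Return the forwarding decision for interesting traffic at each sample time."""
    gm = GroupMember(tek_lifetime=1800, rekey_interval=600, missed_rekey_threshold=3)
    pending = list(EVENTS)
    result: Dict[int, str] = {}
    for t in SAMPLES:
        while pending and pending[0][0] <= t:
            when, what = pending.pop(0)
            getattr(gm, what)(when)
        if with_watchdog:
            gm.watchdog(t)
        result[t] = gm.forward(t)
    return result


if __name__ == "__main__":
    for mode in (False, True):
        print("watchdog" if mode else "no watchdog", simulate(mode))
```

With the single KS gone after t=700, the GM keeps encrypting until the TEK it holds expires at t=2500 and then drops the interesting traffic; with the watchdog, the third missed rekey clears the GDOI state at t=2500 and the same traffic leaves in the clear instead. That is the trade-off the question asks about: a GM that has registered never silently falls back to plaintext on its own, and forcing it to do so is a deliberate policy choice.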