Cisco Support Community
Community Member

Get VPN Deployment with a single key server!!!

Hi everyone, in the next few days I'll deploy the GET VPN solution for one of our most critical customers. I think the design is not reliable in all aspects, because the design team is considering only one key server, so... what happens if this single key server goes down? Will the interesting traffic be dropped, or will the interesting traffic go ahead but unencrypted? We are short on time, and I have been searching in many PDFs on the GET VPN solution but I can't find the answer to my question. Please help me!!



Cisco Employee

Re: Get VPN Deployment with a single key server!!!


First as you have noted already, having a single Key Server is probably not a good idea when it comes to redundancy requirements. That said, with GETVPN, it operates in 2 modes in the current implementation:

1. Fail-close mode. When configured in fail-close mode, a GM will assume all traffic is to be encrypted unless explicitly configured otherwise. The GM will drop all unencrypted traffic in this mode. See

2. Fail-open mode. By default, a GM operates in fail-open mode (i.e., it will forward unencrypted traffic) until the first successful registration with the Key Server, after which it will operate in fail-close mode.

If you want to have complete fail-open, i.e., if a GM fails to receive a TEK after the initial registration, then you'd need to deploy something like EEM to enforce that policy. The idea is to use an EEM applet to force a "clear crypto gdoi" when the GM fails to receive rekey messages based on a user-defined threshold. I would recommend you open a TAC case if this is what you want to do and if you are somewhat new to either EEM or GETVPN.

Also, check out the GETVPN Design and Implementation Guide, which provides a lot more detailed information on this.

Hope this helps.
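The fail-open / fail-close behaviour described in the reply above, as an added example that is not part of the original thread and not Cisco code: a small Python model of a group member's decision for "interesting" traffic over time, with a key server that becomes unreachable at a chosen moment. The registration timeline, TEK lifetime, rekey interval, the EEM-style watchdog threshold and the `clear crypto gdoi` reset are all constructed assumptions chosen to make the three outcomes (encrypted, dropped, plaintext) visible; the one standing fact it relies on is that a GM keeps using its installed TEK until that key expires, so a key server outage only bites at the next missed rekey.

```python
"""Constructed model of a GETVPN group member (GM) during a key server outage.

Added illustration, not Cisco's implementation. It models what the reply
describes: fail-open by default until the first registration, fail-close
once registered (or when explicitly configured), and an EEM-style reset
that returns the GM to its initial state after rekeys stop arriving.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class GroupMember:
    fail_close_configured: bool = False    # explicit fail-close on the GM
    registered: bool = False               # first registration completed
    tek_expires_at: Optional[int] = None   # time the current TEK expires

    def register(self, now: int, tek_lifetime: int) -> None:
        """Successful registration with the key server installs a TEK."""
        self.registered = True
        self.tek_expires_at = now + tek_lifetime

    def rekey(self, now: int, tek_lifetime: int) -> None:
        """A rekey from a reachable key server refreshes the TEK."""
        self.tek_expires_at = now + tek_lifetime

    def clear_gdoi(self) -> None:
        """Model of 'clear crypto gdoi': drop keys, return to initial state."""
        self.registered = False
        self.tek_expires_at = None

    def has_valid_tek(self, now: int) -> bool:
        return self.tek_expires_at is not None and now < self.tek_expires_at

    def handle(self, now: int) -> str:
        """Outcome for interesting traffic at time `now`."""
        if self.has_valid_tek(now):
            return "encrypted"
        # No usable key: the mode decides between dropping and plaintext.
        if self.fail_close_configured or self.registered:
            return "dropped"       # fail-close: never forward unencrypted
        return "plaintext"         # fail-open: forward unencrypted


def simulate(fail_close_configured: bool, ks_down_at: int,
             tek_lifetime: int = 100, rekey_every: int = 60,
             eem_clear: bool = False, eem_threshold: int = 20,
             horizon: int = 300, step: int = 10) -> Dict[int, str]:
    """Return {time: outcome}; the key server is reachable while now < ks_down_at.

    All timing values are constructed; `eem_clear` models an EEM applet that
    issues 'clear crypto gdoi' once the GM has had no valid TEK for
    `eem_threshold` time units.
    """
    gm = GroupMember(fail_close_configured=fail_close_configured)
    timeline: Dict[int, str] = {}
    keyless_since: Optional[int] = None
    for now in range(0, horizon + 1, step):
        ks_up = now < ks_down_at
        if ks_up:
            if not gm.registered:
                gm.register(now, tek_lifetime)
            elif now > 0 and now % rekey_every == 0:
                gm.rekey(now, tek_lifetime)
        # Watchdog: a registered GM whose TEK ran out without a rekey.
        if gm.registered and not gm.has_valid_tek(now):
            keyless_since = now if keyless_since is None else keyless_since
            if eem_clear and now - keyless_since >= eem_threshold:
                gm.clear_gdoi()
                keyless_since = None
        else:
            keyless_since = None
        timeline[now] = gm.handle(now)
    return timeline


if __name__ == "__main__":
    scenarios = {
        "KS never reachable, default mode": simulate(False, 0),
        "KS never reachable, fail-close": simulate(True, 0),
        "KS dies after one rekey, no EEM": simulate(False, 70),
        "KS dies after one rekey, EEM clear": simulate(False, 70, eem_clear=True),
        "KS dies, EEM clear, fail-close": simulate(True, 70, eem_clear=True),
    }
    for name, tl in scenarios.items():
        changes = [(t, o) for i, (t, o) in enumerate(tl.items())
                   if i == 0 or o != list(tl.values())[i - 1]]
        print(f"{name}: {changes}")
```

Running it shows the answer to the question in the thread: with the single key server already down before the GM ever registers, traffic is forwarded in plaintext (default fail-open) or dropped (fail-close configured); with the key server dying after registration, traffic stays encrypted until the installed TEK expires and is then dropped, and only the EEM-style reset turns that into plaintext forwarding, which is exactly the confidentiality loss the reply implies when it asks whether "complete fail-open" is really what is wanted. Either way the model makes the reply's first point concrete: every branch after the outage is a degraded state, which is why a single key server is the wrong place to economise.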


