Community Member

GET VPN key server

Hi All,

We are testing the GET VPN scenario over the MPLS infrastructure using 2 key servers. On one of the key servers, we defined a local priority greater than the other key server's. The key servers among themselves chose the key server with the higher defined priority as the primary.

In the group member configuration, we defined the key server addresses in the order of primary and secondary.

When we unplug the primary key server, all the members of that group register with the secondary key server, and when the primary key server comes back, the member registration still shows the secondary key server. Is there a way, like in HSRP, to preempt back to the primary key server?

Second thing is, when we unplug the secondary key server, the members who were registered to the secondary key server still show registration with that key server even though that key server is down. Is that normal?

Kindly assist us.

Thank you

Regards

Anantha Subramanian Natarajan

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: GET VPN key server

Anantha,

The GM shows the 'Active' KS from the Group Server List as the KS that the GM LAST registered with. It doesn't mean the GM will re-register with this KS first should it fail to get a rekey. The GM always starts at the top of its ordered list.

Scott Wainner

3 REPLIES
Cisco Employee

Re: GET VPN key server

Anantha,

Two components here: KS priorities and GM preferences. They are independent.

KS uses priorities to determine which KS will become primary. When a KS boots, it assumes the secondary role and never preempts the current primary KS. If the KSs were partitioned, then the priority comes into play.

GMs use an ordered list to register with one or more of the KSs. If the GM needs to register (theoretically, the GM should never re-register), it starts at the top of the list and works its way down the list of potential KSs. This allows you to distribute the registration of sets of GMs across multiple KSs. This is only important when you exceed the registration rate of a KS. The maximum registration rate occurs when all or a large set of GMs failed to get a rekey message and they all try to re-register at roughly the same time. This process can be distributed across multiple KSs to increase scalability of the system.

Scott Wainner

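The two rules in Scott's reply (KS priority never preempts a live primary; a GM that needs to register always walks its ordered list from the top) and the point in the accepted solution (the 'Active' KS shown is simply the last KS the GM registered with) can be replayed as a small behavioural model. This is an added example, not Cisco code or output: the addresses, priorities, member name and the `on_rekey_window` trigger are constructed for illustration, and the model only encodes what the thread states.

```python
# Behavioural model of the GET VPN KS/GM behaviour described in this thread.
# Added example, not Cisco code: addresses, priorities and names are constructed.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class KeyServer:
    address: str
    priority: int
    up: bool = True


class CoopKsGroup:
    """Cooperative key servers. A primary is only elected when there is no
    live primary (first boot, or a partition). A KS that boots later assumes
    the secondary role and never pre-empts the current primary, even if its
    configured priority is higher."""

    def __init__(self, servers: List[KeyServer]):
        self.servers: Dict[str, KeyServer] = {s.address: s for s in servers}
        self.primary: Optional[str] = None
        self.elect()

    def elect(self) -> Optional[str]:
        if self.primary is not None and self.servers[self.primary].up:
            return self.primary            # live primary stays; no pre-emption
        live = [s for s in self.servers.values() if s.up]
        self.primary = max(live, key=lambda s: s.priority).address if live else None
        return self.primary

    def set_up(self, address: str, up: bool) -> Optional[str]:
        """Plug or unplug a KS, then re-run the election rule."""
        self.servers[address].up = up
        return self.elect()


class GroupMember:
    """A GM keeps an ordered KS list and remembers only the KS it LAST
    registered with (the 'Active' KS in the thread's Group Server List)."""

    def __init__(self, name: str, server_list: List[str]):
        self.name = name
        self.server_list = list(server_list)
        self.active_ks: Optional[str] = None

    def register(self, group: CoopKsGroup) -> Optional[str]:
        # Registration always starts at the top of the ordered list,
        # regardless of which KS the GM is currently showing as active.
        for addr in self.server_list:
            ks = group.servers.get(addr)
            if ks is not None and ks.up:
                self.active_ks = addr
                return addr
        return None  # nothing reachable; the displayed KS is left as it was

    def on_rekey_window(self, group: CoopKsGroup, rekey_received: bool) -> Optional[str]:
        # The GM only re-registers when it misses a rekey. While rekeys keep
        # arriving it never re-registers, so the displayed KS does not change,
        # even if that KS has since gone down.
        if rekey_received:
            return self.active_ks
        return self.register(group)


def run_thread_scenario() -> Dict[str, Optional[str]]:
    """Replays the two observations from the question with constructed values."""
    group = CoopKsGroup([KeyServer("10.0.0.1", priority=100),
                         KeyServer("10.0.0.2", priority=50)])
    gm = GroupMember("gm1", ["10.0.0.1", "10.0.0.2"])
    out: Dict[str, Optional[str]] = {}
    out["initial_primary"] = group.primary
    out["initial_active"] = gm.register(group)

    # Observation 1: primary unplugged, GM misses a rekey and re-registers;
    # primary returns but does not pre-empt, and the GM keeps showing KS2.
    group.set_up("10.0.0.1", False)
    out["primary_after_ks1_down"] = group.primary
    out["active_after_ks1_down"] = gm.on_rekey_window(group, rekey_received=False)
    group.set_up("10.0.0.1", True)
    out["primary_after_ks1_back"] = group.primary
    out["active_after_ks1_back"] = gm.on_rekey_window(group, rekey_received=True)

    # Observation 2: the KS the GM registered with goes down. The display is
    # stale until a rekey is missed; re-registration then restarts at the top.
    group.set_up("10.0.0.2", False)
    out["active_with_ks2_down_before_missed_rekey"] = gm.active_ks
    out["active_after_missed_rekey"] = gm.on_rekey_window(group, rekey_received=False)
    return out


if __name__ == "__main__":
    for key, value in run_thread_scenario().items():
        print(f"{key}: {value}")
```

Running the scenario shows why no HSRP-style preempt is needed: the returning KS1 stays secondary, the GM keeps displaying KS2 as long as rekeys arrive, and only a missed rekey makes it re-register, at which point it tries KS1 first because KS1 is at the top of its list.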
Community Member

Re: GET VPN key server

Hi Scott,

Ohh, I inferred the same later and now it's good to get it confirmed.

Thank you

Regards

Anantha Subramanian Natarajan
