Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

GETVPN and backup connection fail-back.

I've been running with GETVPN for a few months now and all seems to be good. I am running into one annoyance however...

If my branch's WAN connection goes down, I use a Verizon 4G connection to create an IPSEC tunnel back to my datacenter. The problem I'm seeing is that when the WAN comes back up, EIGRP establishes (because I have it excluded in the fail-close), and then the branch goes down for a while during the time betwen GDOI registrations to the Key servers. This is because route across the WAN is preferred over route from the VPN (EIGRP vs EIGRP EX)

The Question I have for others using GETVPN: Do you typically require EIGRP to be encrypted? Is there a way I can get around this issue? Can I lower a timer somewhere to make GDOI re-register at a shorter interval?

I haven't been able to get the branch router to register to the KS via the VPN. I have it explicitely allowed in my Crypto ACLs, NAT excluded, and it has access to the KS via the VPN, but it will not register. Is there a way to get it to register across the VPN?

How have others handled this situation? Thanks!

Everyone's tags (2)
Cisco Employee

Re: GETVPN and backup connection fail-back.

Wellll a simple EEM with "clear crypto gdoi" would most likely solve your problem, it's just a quesiton of how you track up/down status of WAN. 

Typically you don't encrypt your RP because PE router does not participate in GET.

You might be interested in dampening, but it heavily depends on the type of typical failure -it should work pretty OK with EIGRP.


regarding registration over another IPsec tunnel ... you can TRY to play with "client registration interface" but I'm not sure if this is what you REALLY want to achieve ;]

CreatePlease to create content