Cisco Support Community

GETVPN - COOP KS Issue

Hi all,

I'm trying a GETVPN/DMVPN setup with two KeyServers and two DMVPN Hubs.

(And a few spokes for testing).

Having the setup all up and running, it works fine. The two GET-Keyservers are configured as per the Cisco guide, and they are set up with a primary KS and a coop secondary.

The problem is that when I power off Keyserver 1 (primary) to test a power outage, Keyserver 2 takes on the role as the new key-server, but new spokes that are booted up seem to be getting wrong IPSEC IDs.

I get this error on all routers that start participating as GMs:

%CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=<ip of spoke>, prot=50, spi=0x889642C4(2291548868), srcaddr=<IP of hub>

So it looks like the SPI is different from routers having been members of Keyserver1, and for routers that are members of Keyserver2.

I have checked the two Keyserver routers when they are both up and alive, and all seems to be ok.

Software is 12.4(11)T

Any ideas?

/KD

1 REPLY

Re: GETVPN - COOP KS Issue

Problem solved.

I upgraded my routers to 12.4(24)T2 and that solved the issue by making all SPIs identical.

/KD
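
Added example, not part of the original posts and not Cisco code: a small Python parser for the %CRYPTO-4-RECVD_PKT_INV_SPI message quoted in the question, which groups rejected SPIs by sender so that a mismatch seen by several group members stands out after a key-server failover. The sample log lines, the 192.0.2.x addresses and the function names are constructed for illustration, and the "two or more receivers" threshold is an assumed heuristic.

```python
import re
from collections import defaultdict

# Message layout as quoted in the original post.
INV_SPI = re.compile(
    r"%CRYPTO-4-RECVD_PKT_INV_SPI: .*?destaddr=(?P<dst>[\d.]+), "
    r"prot=(?P<prot>\d+), spi=0x(?P<hex>[0-9A-Fa-f]+)\((?P<dec>\d+)\), "
    r"srcaddr=(?P<src>[\d.]+)"
)

# Constructed sample syslog lines (documentation addresses, not from the thread).
SAMPLE_LOG = """\
*Mar  1 00:10:01.123: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.11, prot=50, spi=0x889642C4(2291548868), srcaddr=192.0.2.1
*Mar  1 00:10:02.456: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.12, prot=50, spi=0x889642C4(2291548868), srcaddr=192.0.2.1
*Mar  1 00:10:03.789: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.11, prot=50, spi=0x889642C4(2291548868), srcaddr=192.0.2.1
*Mar  1 00:10:09.000: %CRYPTO-4-RECVD_PKT_INV_SPI: decaps: rec'd IPSEC packet has invalid spi for destaddr=192.0.2.13, prot=50, spi=0x1A2B3C4D(439041101), srcaddr=192.0.2.2
*Mar  1 00:10:10.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface Tunnel0, changed state to up
"""

def parse_inv_spi(text):
    """Yield (receiver, sender, spi) for each well-formed invalid-SPI message."""
    for line in text.splitlines():
        m = INV_SPI.search(line)
        if not m:
            continue  # unrelated syslog line
        spi = int(m["hex"], 16)
        if spi != int(m["dec"]):
            continue  # hex and decimal renderings disagree: treat as corrupt
        yield m["dst"], m["src"], spi

def summarize(text):
    """Map each (sender, spi) to the set of receivers that rejected it."""
    rejected = defaultdict(set)
    for dst, src, spi in parse_inv_spi(text):
        rejected[(src, spi)].add(dst)
    return dict(rejected)

def widespread(text, min_receivers=2):
    """Senders whose SPI was rejected by at least min_receivers members
    (assumed heuristic for a group-wide mismatch, not a single stale peer)."""
    return sorted(
        (src, f"0x{spi:08X}", sorted(dsts))
        for (src, spi), dsts in summarize(text).items()
        if len(dsts) >= min_receivers
    )

if __name__ == "__main__":
    for sender, spi, receivers in widespread(SAMPLE_LOG):
        print(f"{sender} sends SPI {spi}, unknown to {', '.join(receivers)}")
```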
