My current setup is 1 KS, 19 GM. The KS sits BEHIND a GM, so all other GMs have to come through one GM to get to KS.
Now, I have purchased two dedicated KS routers. I configured one today, and placed it right on my WAN. My WAN is a L2 Ethernet domain, so I just provisioned a switch port in the WAN vlan, and away we go. I copied RSA keys over from the current KS, configured redundancy and the two hooked up, saw each other and it seems to be good to go. For the ACL, I put in an exclusion for my two KS to talk to each other:
deny ip host 192.168.250.40 host 192.168.250.41 (Old IP, New IP)
deny ip host 192.168.250.41 host 192.168.250.40
I used a test router and pointed it to the new KS, it registered without a hitch... HOWEVER about two hours later (my 7200 second timeout) I lost ALL my branches. My 18 other GM were still pointed to the OLD IP only, they didn't have the second IP configured yet. In a hurry, I quickly disabled the redundancy configuration on the old KS and had to go to each GM and do a 'clear crypto gdoi' on each one to get them to re-register. There were no log messages about not being able to rekey, no log messages about dropped peerings, nothing. Once I did that, everything returned to normal. Note: NOTHING else changed other than the things I noted above. Had I more time and all my branches weren't down, I probably would have tried clearing manually FIRST, but I didn't have that opportunity. I just removed anything I had changed in an effort to get back to normal.
The Question I have...
Would having configured the redundant KS caused this problem? Would having one KS behind a GM and the other Coop KS in the WAN make a difference? Any thoughts on WHY I experienced the above behavior?
Ok, thanks for the info. Yeah, I'm not sure if that's what happened or not. I made sure that the existing KS had a priority of 200 and the new one had a priority of 150; theoretically, the old one should've been the only one to give keys. Besides, none of the GM even knew about the new KS. So, if I understand your rule of thumb, it's a good thing I'm putting the new KS right on the WAN, so the GMs can talk right to it without going through any other GMs?
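As an added illustration (this is not the poster's configuration, and not taken from the thread), here is what the two-KS layout described above looks like in IOS GET VPN CLI. The KS addresses (192.168.250.40 old, 192.168.250.41 new), the priorities (200 and 150) and the two ACL deny entries are the values given in the thread; the group name, identity number, RSA key label, IPsec profile name, rekey settings and the 10.0.0.0/8 permit entry are assumed placeholders. The piece to check against the outage described is the GM block at the end: once COOP is enabled, every GM needs both KS addresses listed, which the 18 production GMs did not yet have.

```cisco
! ---- Cooperative key server pair (values in this block other than the two
! ---- addresses and the two priorities are assumed for the example) ----

! Exclude KS-to-KS COOP traffic from the encryption policy, exactly as in
! the thread; the permit line for the protected networks is an assumption.
ip access-list extended GETVPN-ACL
 deny   ip host 192.168.250.40 host 192.168.250.41
 deny   ip host 192.168.250.41 host 192.168.250.40
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

! Old KS (192.168.250.40): primary, priority 200.
! The same RSA key pair (label GETVPN-REKEY here) must exist on both KSs,
! which is why the poster copied the keys across.
crypto gdoi group GETVPN
 identity number 1234
 server local
  rekey algorithm aes 256
  rekey retransmit 40 number 3
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-PROFILE
   match address ipv4 GETVPN-ACL
   replay time window-size 5
  address ipv4 192.168.250.40
  redundancy
   local priority 200
   peer address ipv4 192.168.250.41

! New KS (192.168.250.41): secondary, priority 150. Same group, same
! identity, same key label; only the local/peer addresses and priority differ.
crypto gdoi group GETVPN
 identity number 1234
 server local
  rekey algorithm aes 256
  rekey retransmit 40 number 3
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-PROFILE
   match address ipv4 GETVPN-ACL
   replay time window-size 5
  address ipv4 192.168.250.41
  redundancy
   local priority 150
   peer address ipv4 192.168.250.40

! ---- Group member (each of the 19 GMs) ----
! Both KS addresses are listed so the GM can register with and accept
! rekeys from either server; a GM that lists only the old address has
! no knowledge of the second KS.
crypto gdoi group GETVPN
 identity number 1234
 server address ipv4 192.168.250.40
 server address ipv4 192.168.250.41
```

The commands to confirm the state described in the thread are `show crypto gdoi ks coop` on each key server (shows the primary/secondary role and peer reachability) and `show crypto gdoi` on a group member (shows which KS it registered with and the remaining SA lifetime, the 7200 second figure the poster mentions); a GM registered to one KS should still appear in `show crypto gdoi ks members` on the other once the COOP database has synchronised.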