
GETVPN Question

Hello to the community!

We have deployed GETVPN with 4 KS (1 primary, 3 coop) in the same location. My understanding was that even though one GM could register to any of the KS (according to the order in which they have been configured on the GM), the ACL would always be downloaded from the primary KS. In practice I have seen that sometimes the GM registers to a KS and also gets its ACL from the same KS. Is there something I am missing, or is this expected behaviour?

Thank you in advance

Katerina

Accepted Solutions
Cisco Employee

Re: GETVPN Question

Hi Katerina,

I think the policy ACL is downloaded from the registered KS, but the ACL was pushed from the primary KS. Not sure if you can run a simple test in your network. Let's make some policy changes only on the primary KS; that should trigger a rekey to all GMs. After the rekey, we check the downloaded ACL on the GMs to see if it is the new policy ACL (only on the primary KS) or the old policy ACL (on the secondary KS).

Regards,

Lei Tian
