ok... Thanks Tyson... will check this out and let you know....
From: [email protected]
To: [email protected]; [email protected]
CC: [email protected]
Subject: RE: [OSL | CCIE_Security] GETVPN multicast server on Inside of
Multicontext ASA
Date: Wed, 12 May 2010 10:25:22 -0400
Don't use unnumbered on the tunnel. Configure IPs on the interfaces.
You only need the mroute on the group member, as the mroute is to fix RPF
checks. Remove the mroute from the key server.
Then add a static group membership on both and test pings to see if it is
working:
"ip igmp join-group 239.1.1.1"
If it works, then remove it and set the rekey to the minimum of 5 minutes and
see if it works.
Regards,
Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: [email protected]
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130
IPexpert is a premier provider of Self-Study Workbooks, Video on Demand, Audio
Tools, Online Hardware Rental and Classroom Training for the Cisco CCIE (R&S,
Voice, Security & Service Provider) certification(s) with training locations
throughout the United States, Europe, South Asia and Australia. Be sure to
visit our online communities at www.ipexpert.com/communities and our public
website at www.ipexpert.com
From: [email protected]
[mailto:[email protected]] On Behalf Of Sumit Mahla
Sent: Wednesday, May 12, 2010 6:33 AM
To: [email protected]
Cc: [email protected]
Subject: Re: [OSL | CCIE_Security] GETVPN multicast server on Inside of
Multicontext ASA
Brandon, this is the output of the GMs.... They register successfully.... but
after failing rekey.... they register again... I did the same config two days
back..... it was working... none of the GMs is receiving rekeys.... on the KS
it pops up "sending rekey" but it does not reach the GM...
I am missing something... that's for sure...

SECUREME-R2#sh crypto gdoi gm rekey
Group mygroup (Multicast)
    Number of Rekeys received (cumulative)       : 0
    Number of Rekeys received after registration : 0

Rekey (KEK) SA information :
          dst         src           conn-id  my-cookie  his-cookie
New     : 239.0.1.2   123.123.3.1   1008     B59B8ED3   90378E43
Current : ---         ---           ---      ---        ---
Previous: ---         ---           ---      ---        ---

ip multicast-routing
interface Tunnel41
 ip unnumbered Serial0/1/0.2
 ip pim dense-mode
 tunnel source Serial0/1/0.2
 tunnel destination 123.123.3.1
interface Serial0/1/0.2 multipoint
 ip address 123.123.41.1 255.255.255.0
 ip pim dense-mode
 ip ospf network broadcast
 frame-relay map ip 123.123.41.2 214 broadcast
 crypto map GMAP
ip mroute 123.123.3.1 255.255.255.255 Tunnel41

SECUREME-R3#sh crypto gdoi gm rekey
Group mygroup (Multicast)
    Number of Rekeys received (cumulative)       : 0
    Number of Rekeys received after registration : 0

Rekey (KEK) SA information :
          dst         src           conn-id  my-cookie  his-cookie
New     : 239.0.1.2   123.123.3.1   1005     02DF4C08   977A3340
Current : ---         ---           ---      ---        ---
Previous: ---         ---           ---      ---        ---

ip multicast-routing
interface Serial0/0/0
 ip address 123.123.41.2 255.255.255.0
 ip pim dense-mode
 encapsulation frame-relay
 ip ospf network broadcast
 frame-relay map ip 123.123.41.1 412 broadcast
 crypto map GMAP

Subject: Re: [OSL | CCIE_Security] GETVPN multicast server on Inside of
Multicontext ASA
From: [email protected]
Date: Wed, 12 May 2010 12:12:44 +0200
CC: [email protected]
To: [email protected]
I'd need to see what's on the other end of the tunnel. I can see that the KS
is running multicast, but what about the GM? Is the GM failing the RPF check
back to the KS?
Regards,
Brandon Carroll - CCIE #23837
Senior Technical Instructor - IPexpert
Mailto: [email protected]
Telephone: +1.810.326.1444
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130
Platinum Solutions Group (PSG) provides high-end consulting services with a
primary emphasis on Cisco's Data Center Solutions, Service Provider Solutions,
Unified Communications and Security-enabled infrastructures. Be sure to visit
www.platinumsolutionsgroup.com.
On May 12, 2010, at 12:09 PM, Sumit Mahla wrote:
Any Suggestions?
From: [email protected]
To: [email protected]
Date: Wed, 12 May 2010 13:56:21 +0530
Subject: [OSL | CCIE_Security] GETVPN multicast server on Inside of
Multicontext ASA
Hello All,
I configured a GETVPN key server on the inside of the ASA, and the GMs on the
outside... The GMs are able to register.... (ports 500 and 848 for UDP are
opened on the ASA) but for multicast rekeys I configured a multicast tunnel
with the following config....

ON KEY SERVER (config apart from getvpn)
ip multicast-routing
int tun15
 ip unnumb f0/0
 ip pim dense-mode
 tunnel sou f0/0
 tunn destination 123.123.41.1
int f0/0
 ip pim dense-mode
ip mroute 123.123.41.1 255.255.255.255 tun15

The same kind of GRE config is on one of the GMs...
I opened gre any any on the ASA... the same config was working a few days
back.. but today it's not...
Could you please suggest?
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit
www.ipexpert.com
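
The symptom reported in this thread (group members register, a KEK SA is installed, but the rekey counters stay at 0) can be checked mechanically across many group members. The following is an added example, not part of the original thread and not Cisco or IPexpert code; the function names are hypothetical and the sample text is constructed from the R2 output quoted above.

```python
import re

# Constructed sample: the R2 output quoted in the thread, with the mail-wrapped header.
SAMPLE = """\
SECUREME-R2#sh crypto gdoi gm rekey
Group mygroup (Multicast)
Number of Rekeys received (cumulative) : 0
Number of Rekeys received after registration : 0
Rekey (KEK) SA information :
dst src conn-id my-cookie
his-cookie
New : 239.0.1.2 123.123.3.1 1008 B59B8ED3 90378E43
Current : --- --- --- --- ---
Previous: --- --- --- --- ---
"""
KEK_FIELDS = ("dst", "src", "conn_id", "my_cookie", "his_cookie")


def parse_gm_rekey(text):
    """Parse `show crypto gdoi gm rekey` text (hypothetical helper name)."""
    info = {"group": None, "mode": None, "cumulative": None,
            "after_registration": None, "kek": {}}
    for line in map(str.strip, text.splitlines()):
        if m := re.match(r"Group (\S+) \((\w+)\)", line):
            info["group"], info["mode"] = m.groups()
        elif m := re.match(r"Number of Rekeys received \(cumulative\)\s*:\s*(\d+)", line):
            info["cumulative"] = int(m.group(1))
        elif m := re.match(r"Number of Rekeys received after registration\s*:\s*(\d+)", line):
            info["after_registration"] = int(m.group(1))
        elif m := re.match(r"(New|Current|Previous)\s*:\s*(.+)", line):
            fields = m.group(2).split()
            # Rows of "---" are empty SA slots; keep only populated ones.
            if len(fields) == len(KEK_FIELDS) and fields[0] != "---":
                info["kek"][m.group(1)] = dict(zip(KEK_FIELDS, fields))
    return info


def diagnose(info):
    """Flag the thread's symptom: a KEK SA is present but no rekey arrived."""
    kek = info["kek"].get("Current") or info["kek"].get("New")
    if kek is None:
        return [f"{info['group']}: no KEK SA, group member has not registered"]
    # Assumption: a populated KEK row means registration with the KS succeeded.
    if info["mode"] == "Multicast" and info["after_registration"] == 0:
        return [f"{info['group']}: registered with {kek['src']} but no rekey "
                f"received on {kek['dst']}; check multicast path and RPF"]
    return []


if __name__ == "__main__":
    print(diagnose(parse_gm_rekey(SAMPLE)))
```

A zero count is only meaningful once at least one rekey interval has elapsed since the group member registered.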