Hello,

In the GETVPN in DMVPN task of Vol2 Lab 17 Task 4.2, one of my routers
doesn't install the GETVPN ACL and IPsec SA.

1. ISAKMP is coming up

R6(config)#do sho crypto isakmp sa
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
239.1.24.56     1.1.1.1         GDOI_REKEY        1027 ACTIVE
1.1.1.1         192.24.56.6     GDOI_IDLE         1024 ACTIVE

and I am receiving the GETVPN ACL:

R6(config)#do sho crypto gdoi
GROUP INFORMATION

    Group Name               : GETVPN
    Group Identity           : 12456
    Rekeys received          : 0
    IPSec SA Direction       : Both
    Active Group Server      : 1.1.1.1
    Group Server list        : 1.1.1.1

    GM Reregisters in        : 0 secs
    Rekey Received           : never


    Rekeys received
         Cumulative          : 0
         After registration  : 0

 ACL Downloaded From KS 1.1.1.1:
   access-list  permit ip any any

KEK POLICY:
    Rekey Transport Type     : Multicast
    Lifetime (secs)          : 94
    Encrypt Algorithm        : AES
    Key Size                 : 192
    Sig Hash Algorithm       : HMAC_AUTH_SHA
    Sig Key Length (bits)    : 1024

TEK POLICY for the current KS-Policy ACEs Downloaded:
  Tunnel2456:

But the IPsec SA is not installed:

R6(config)#do sho crypto gdoi ipsec sa

SA created for group GETVPN:
  Tunnel2456:

I'm seeing the following error message:

GDOI:INFRA:(GETVPN:0):GDOI update mtree can't find sadb_root
GDOI:INFRA:(GETVPN:0):GDOI install ipsec sa: can't find sadb_root

What do these errors mean?

Then, after the first rekey message is received, the IPsec SA is suddenly instantiated:

R6(config)#do sho crypto gdoi ipsec sa

SA created for group GETVPN:
  Tunnel2456:
    protocol = ip
      local ident  = ANY, port = 0
      remote ident = ANY, port = 0
      direction: Both, replay: Disabled

This error is reproducible: just clear crypto gdoi; I will lose the traffic SA after group registration completes.

This problem does not occur if I change the peering interface of the crypto map:

crypto map GETVPN local-address lo0
!---- peer with ip address 5.5.5.5 instead of 192.24.56.5 (as in the DSG).

I will get the IPsec SA installed successfully without waiting for a rekey message.

This behaviour is so weird.

Any ideas?

Richard
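As an added health-check example (not part of Richard's post or any Cisco tool), the script below parses the `show crypto gdoi ipsec sa` output quoted above and flags interfaces that are bound to a GDOI group but carry no traffic SA, which is exactly the registered-but-unprotected state the post describes. The two sample strings are the before/after outputs from the post; the function names are my own.

```python
import re

# Constructed from the post: GM registered, ACL downloaded, but no TEK/IPsec SA
SHOW_GDOI_IPSEC_SA_BEFORE = """\
SA created for group GETVPN:
  Tunnel2456:
"""

# Constructed from the post: same GM after the first rekey, SA now installed
SHOW_GDOI_IPSEC_SA_AFTER = """\
SA created for group GETVPN:
  Tunnel2456:
    protocol = ip
      local ident  = ANY, port = 0
      remote ident = ANY, port = 0
      direction: Both, replay: Disabled
"""


def parse_gdoi_ipsec_sa(text):
    """Return {group: {interface: [sa, ...]}} from 'show crypto gdoi ipsec sa'.

    Each sa is a dict with protocol, local/remote (ident, port), direction, replay.
    An interface that appears with an empty list has no traffic SA installed.
    """
    groups = {}
    group = iface = None
    for line in text.splitlines():
        if m := re.match(r"SA created for group (\S+):", line):
            group, iface = m.group(1), None
            groups[group] = {}
        elif (m := re.match(r"  (\S+):\s*$", line)) and group:
            iface = m.group(1)
            groups[group][iface] = []
        elif (m := re.match(r"    protocol = (\S+)", line)) and iface:
            groups[group][iface].append({"protocol": m.group(1)})
        elif (m := re.match(r"\s+(local|remote) ident\s*= (\S+), port = (\d+)", line)) and iface:
            groups[group][iface][-1][m.group(1)] = (m.group(2), int(m.group(3)))
        elif (m := re.match(r"\s+direction: (\S+), replay: (\S+)", line)) and iface:
            groups[group][iface][-1].update(direction=m.group(1), replay=m.group(2))
    return groups


def missing_tek(text):
    """List (group, interface) pairs bound to a GDOI group but with no IPsec SA."""
    return [(g, i) for g, ifs in parse_gdoi_ipsec_sa(text).items()
            for i, sas in ifs.items() if not sas]


if __name__ == "__main__":
    print("before rekey, unprotected:", missing_tek(SHOW_GDOI_IPSEC_SA_BEFORE))
    print("after rekey, unprotected: ", missing_tek(SHOW_GDOI_IPSEC_SA_AFTER))
```

Polling this after `clear crypto gdoi` makes the gap between registration and the first rekey visible instead of relying on the GDOI:INFRA log lines.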