Hi Eugene,

I don't have access to test at the moment, but I found that ISAKMP SAs would 
form with the secondary Key Server fine.  It wasn't until the GDOI rekey that the 
KS list would update. 

Strangely enough, the secondary KS had info about this all along.   Doing "show 
crypto gdoi" on the secondary KS would show the GMs, and that the GMs have the 
primary (unreachable) KS listed as Active.   

The secondary KS obviously was aware that the primary was down, because its role 
changed to primary and it showed the old primary as unreachable. 

Thanks,
Jason

Sent from my iPhone


On Sep 2, 2012, at 4:21 PM, Eugene Pefti <[email protected]> wrote:

> Good question.
> How about reducing lifetime under ISAKMP policy to the minimum ?
>  
> Eugene
>  
> From: [email protected] 
> [mailto:[email protected]] On Behalf Of Jason Madsen
> Sent: Sunday, September 02, 2012 1:18 PM
> To: [email protected]
> Subject: [OSL | CCIE_Security] Way to Tweak GETVPN GM-KS Registration Timers
>  
> Hi group,
> 
> Is there a way to tweak some sort of timers so that Group Members can detect 
> that the primary KS failed and update the Server Active list with the COOP KS 
> without setting the Rekey value to something really frequent?   Not sure that 
> it really matters, but I've found that when I fail the Primary KS, the GMs 
> don't update their Group Server List and Active Server address for a long 
> time unless I manually clear GDOI.   However, after a little while I do see 
> that the GMs build ISAKMP SAs with the secondary KS instead of the Primary, 
> but the Server Active and Server List still won't update (see this info via 
> "show crypto gdoi" on GMs).
> 
> Key Servers: 
> 
> 1.1.1.1 (primary)
> 5.5.5.5 (secondary)
> 
> After failing 1.1.1.1, I continue to see it listed as the Active Server on 
> all Group Members in "show crypto gdoi" output unless I clear GDOI, then 
> 5.5.5.5 finally becomes Active in the list.
> 
> I'm guessing that without clearing GDOI, the Active address info won't update 
> until the next Rekey period?   If so, is there a way to make the Active 
> address update faster?
> 
> Thanks,
> Jason
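An added configuration example, not from this thread or from either poster, that lays out the setup the question describes: a COOP key-server pair (1.1.1.1 primary, 5.5.5.5 secondary) and a Group Member that lists both, with the rekey lifetime and the ISAKMP lifetime being the two knobs the thread discusses. The group name, identity number, ACL names, IPsec profile, RSA key label and the ISAKMP policy number are assumed placeholders; the rekey lifetime shown is deliberately low only to make the behaviour easy to observe in a lab.

```cisco
! ---- Primary Key Server (1.1.1.1) ----
! The secondary (5.5.5.5) carries the same group config with
! "local priority" lower than 100 and "peer address ipv4 1.1.1.1".
crypto isakmp policy 10
 encr aes 256
 authentication pre-share
 group 14
 lifetime 3600          ! Eugene's suggestion: lower this from the 86400 default
!
crypto gdoi group GETVPN               ! assumed group name
 identity number 1234                  ! assumed identity
 server local
  rekey algorithm aes 256
  rekey lifetime seconds 900           ! the GM's KS list is refreshed at rekey;
  rekey retransmit 10 number 2         ! a short value speeds up the update
  rekey authentication mypubkey rsa GETVPN-REKEY   ! assumed key label
  rekey transport unicast
  authorization address ipv4 GM-ACL    ! assumed ACL of permitted GMs
  redundancy
   local priority 100                  ! highest priority becomes primary COOP KS
   peer address ipv4 5.5.5.5           ! secondary key server
  sa ipsec 1
   profile GDOI-PROFILE                ! assumed IPsec profile
   match address ipv4 ENCRYPT-ACL      ! assumed traffic policy ACL
   replay time window-size 5
  address ipv4 1.1.1.1
!
! ---- Group Member ----
crypto gdoi group GETVPN
 identity number 1234
 server address ipv4 1.1.1.1           ! listed first, preferred for registration
 server address ipv4 5.5.5.5           ! COOP peer learned/confirmed at rekey
!
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN
!
interface GigabitEthernet0/0
 crypto map GETVPN-MAP
!
! ---- Verification after failing 1.1.1.1 ----
! On the GM: the "Server Active"/"Group Server list" fields stay on 1.1.1.1
! until the next rekey, or until the GM is forced to re-register:
!   show crypto gdoi
!   show crypto gdoi gm
!   clear crypto gdoi            ! forces immediate re-registration
! On the surviving KS: role and peer state are visible immediately:
!   show crypto gdoi ks coop
!   show crypto gdoi ks members
```

The point of the example is the contrast the thread observes: the KS side (`show crypto gdoi ks coop`) reflects the failover as soon as the COOP peer is declared dead, while the GM side only learns the new active server through a rekey or a `clear crypto gdoi`, so `rekey lifetime seconds` is the value that bounds the stale-list window.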