The GM members can only detect the failures of KS during registration and re-registrations when the KS has not sent the rekey. So it all depends on the rekey lifetime and IPSec lifetime.

With regards
Kings
CCNA,CCSP,CCNP,CCIP,CCIE 35914 (Security)

On Mon, Sep 3, 2012 at 1:47 AM, Jason Madsen <[email protected]> wrote:

> Hi group,
>
> Is there a way to tweak some sort of timers so that Group Members can
> detect that the primary KS failed and update the Server Active list with
> COOP KS without setting the Rekey value to something really frequent? Not
> sure that it really matters, but I've found that when I fail the Primary
> KS, the GMs don't update their Group Server List and Active Server address
> for a long time unless I manually clear GDOI. However, after a little
> while I do see that the GMs build ISAKMP SAs with the secondary KS instead
> of the Primary, but the Server Active and Server List still won't update
> (see this info via "show crypto gdoi" on GMs).
>
> Key Servers:
>
> 1.1.1.1 (primary)
> 5.5.5.5 (secondary)
>
> After failing 1.1.1.1, I continue to see it listed as the Active Server on
> all Group Members in "show crypto gdoi" output unless I clear GDOI, then
> 5.5.5.5 finally becomes Active in the list.
>
> I'm guessing that without clearing GDOI, the Active address info won't
> update until the next Rekey period? If so, is there a way to make the
> Active address update faster?
>
> Thanks,
> Jason
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
