Gents,

The GM has no option to monitor KS. This is not necessary. If we have two or 
more KSes, the GM will reregister to the first active KS on the list.
DPD is not supported between KS and GM but it is mandatory to run it between 
COOP KSes.
Changing the IPSec SA lifetime to the low value is not recommended. The 
recommended IPSec SA lifetime is 7200 seconds.
However, changing ISAKMP SA is recommended to 120 seconds to not maintain that 
info on GMs.

Note that, even though you set up IPSec lifetime to let say 24 hours, the 
active KS will send out the Rekey message(s) every 2 hours to update the 
pseudo-time on GMs.
So, your GM will not be left un-updated for more than 2h max anyway.

Regards,
Piotr
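To put the timers from the reply in one place, here is an added example (not configuration from either post, and not a vendor reference): a COOP key server pair using Jason's addresses 1.1.1.1 (primary) and 5.5.5.5 (secondary), with ISAKMP lifetime 120 s, IPsec (TEK) lifetime 7200 s and DPD only between the KSes. The group number, ACL, key labels and pre-shared keys are assumed placeholders; the "show" commands at the end are the ones to verify the result.

```cisco
! Added example, not from the original posts. KS addresses come from Jason's
! mail; GETVPN-GROUP, 1234, the ACL, key labels and PSKs are placeholders.
!
! ================= Key Server 1.1.1.1 (primary) =================
! ISAKMP SA kept short (120 s) so GMs do not hold it after registration.
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 120
crypto isakmp key PSK-PLACEHOLDER address 5.5.5.5
! DPD is mandatory between COOP KSes (it is not run between KS and GM).
crypto isakmp keepalive 15 periodic
!
crypto ipsec transform-set GETVPN-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
! TEK lifetime: the recommended 7200 s, not a low value.
crypto ipsec profile GETVPN-PROFILE
 set security-association lifetime seconds 7200
 set transform-set GETVPN-TS
!
! RSA key used to sign rekeys; generated on the primary and imported on the
! secondary so both KSes sign with the same key (label is a placeholder).
! crypto key generate rsa general-keys label GETVPN-REKEY-KEY modulus 2048 exportable
!
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server local
  rekey algorithm aes 256
  rekey lifetime seconds 86400
  rekey retransmit 40 number 2
  rekey authentication mypubkey rsa GETVPN-REKEY-KEY
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-PROFILE
   match address ipv4 GETVPN-TRAFFIC
   ! time-based anti-replay; the periodic rekey refreshes GM pseudo-time
   replay time window-size 5
  address ipv4 1.1.1.1
  redundancy
   local priority 100
   peer address ipv4 5.5.5.5
!
! ================= Key Server 5.5.5.5 (secondary) =================
! Identical group config, except:
!  address ipv4 5.5.5.5
!  redundancy
!   local priority 75
!   peer address ipv4 1.1.1.1
!
! ================= Group Member =================
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 120
crypto isakmp key PSK-PLACEHOLDER address 1.1.1.1
crypto isakmp key PSK-PLACEHOLDER address 5.5.5.5
!
! The GM registers to the first reachable KS on this list and re-registers
! to the next one when registration to it fails.
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server address ipv4 1.1.1.1
 server address ipv4 5.5.5.5
!
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN-GROUP
!
interface GigabitEthernet0/0
 crypto map GETVPN-MAP
!
! Verification:
!  GM:  show crypto gdoi            (Group Server list / Active KS)
!  KS:  show crypto gdoi ks coop    (COOP role and peer state)
```

With these values the GM keeps no long-lived ISAKMP SA to the KS, the TEKs are rotated on the 7200 s schedule, and the KS pair tracks each other over DPD; the Active Server field on the GM still changes only when the GM next registers or is rekeyed, which is the behaviour described above.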




From: Jason Madsen 
Sent: Sunday, September 02, 2012 10:17 PM
To: [email protected] 
Subject: [OSL | CCIE_Security] Way to Tweak GETVPN GM-KS Registration Timers

Hi group,

Is there a way to tweak some sort of timers so that Group Members can detect 
that the primary KS failed and update the Server Active list with COOP KS 
without setting the Rekey value to something really frequent? Not sure that 
it really matters, but I've found that when I fail the Primary KS, the GMs 
don't update their Group Server List and Active Server address for a long time 
unless I manually clear GDOI. However, after a little while I do see that the 
GMs build ISAKMP SAs with the secondary KS instead of the Primary, but the 
Server Active and Server List still won't update (see this info via "show 
crypto gdoi" on GMs).

Key Servers: 

1.1.1.1 (primary)
5.5.5.5 (secondary)

After failing 1.1.1.1, I continue to see it listed as the Active Server on all 
Group Members in "show crypto gdoi" output unless I clear GDOI, then 5.5.5.5 
finally becomes Active in the list.

I'm guessing that without clearing GDOI, the Active address info won't update 
until the next Rekey period? If so, is there a way to make the Active address 
update faster?

Thanks,
Jason



--------------------------------------------------------------------------------
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com
