Thursday, December 25, 2014

GET VPN - part eleven (multicast) - update

Update to GET VPN - part four (multicast) - http://myitmicroblog.blogspot.com/2014/12/get-vpn-part-four-multicast.html
On one of my GMs I found a problem. It was registered but I didn’t see any ‘rekeys received’:
 
R3#sh crypto gdoi gm rekey
Group GDOI-GROUP-GREEN
    No rekey info available


Group GDOI-GROUP-RED (Multicast)
    Number of Rekeys received (cumulative)       : 0
    Number of Rekeys received after registration : 0
    Multicast destination address                : 239.192.1.190


R3#

I saw following messages:
 
R3#
*Dec 20 06:06:04.404: %GDOI-4-GM_RE_REGISTER: The IPSec SA created for group GDOI-GROUP-RED may have expired/been cleared, or didn't go through. Re-register to KS.
R3#
*Dec 20 06:06:04.412: %CRYPTO-5-GM_REGSTER: Start registration to KS 3.3.3.2 for group GDOI-GROUP-RED using address 7.7.7.2
*Dec 20 06:06:05.000: %GDOI-5-SA_KEK_UPDATED: SA KEK was updated
*Dec 20 06:06:05.008: %GDOI-5-SA_TEK_UPDATED: SA TEK was updated
*Dec 20 06:06:05.136: %GDOI-5-GM_REGS_COMPL: Registration to KS 3.3.3.2 complete for group GDOI-GROUP-RED using address 7.7.7.2
*Dec 20 06:06:05.156: %GDOI-5-GM_INSTALL_POLICIES_SUCCESS: SUCCESS: Installation of Reg/Rekey policies from KS 3.3.3.2 for group GDOI-GROUP-RED & gm identity  7.7.7.2
R3#
R3#
R3#
R3#sh crypto gdoi gm rekey
Group GDOI-GROUP-GREEN
    No rekey info available

but the number was still zero:
 
Group GDOI-GROUP-RED (Multicast)
    Number of Rekeys received (cumulative)       : 0
    Number of Rekeys received after registration : 0
    Multicast destination address                : 239.192.1.190

I discovered one difference between GMs which worked fine and this one:
 
crypto isakmp key cisco address 0.0.0.0

This is weird because I have a VRF aware and ISAKMP uses keyring with a VRF MNG. Once I added this line to the configuration I saw the number started to increase:
 
R3#sh crypto gdoi gm rekey
Group GDOI-GROUP-GREEN
    No rekey info available


Group GDOI-GROUP-RED (Multicast)
    Number of Rekeys received (cumulative)       : 7
    Number of Rekeys received after registration : 7
    Multicast destination address                : 239.192.1.190


R3#

When I removed this line I notice it still worked. Just to remind: even you see your GM is registered it doesn’t mean the re-keying process is working fine. Maybe restart would solve the issue. I don’t know as I wasn’t able to recreate the issue once again. You should always check the re-keys value.
I also noticed that with 'ip pim sparse-mode’ on GMs interfaces I can’t see any rekeys. Once I removed them it started working fine.
GM configuration:
 
ip multicast-routing
ip igmp ssm-map enable

ip pim ssm range 1
access-list 1 permit 239.192.1.190

It can be also caused because I did these tests on GNS3, not real devices.

No comments:

Post a Comment