The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
The GETVPN Resiliency - GM Error Detection feature detects erroneous packets in the data plane for each Group Domain of Interpretation (GDOI) group such as invalid stateful packet inspections (SPIs) or Time-Based Anti-Replay (TBAR) errors. These errors are tracked, and the outer source IP address of the packet is recorded.
Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.
Information About GETVPN Resiliency - GM Error Detection
When a failure is detected by the GETVPN Resiliency - GM Error Detection feature, a syslog message is generated to show the source IP address of the erroneous packet:
*Feb 10 21:01:56.043: %GDOI-4-TIMEBASED_REPLAY_FAILED: An anti replay check has failed in group GETVPN from sourceip-address 100.0.0.9. my_pseudotime is 600006.78 secs, peer_pseudotime is 500033.34 secs, replay_window is 100 (second) *Feb 10 21:01:56.043: %CRYPTO-4-PKT_REPLAY_ERR: decrypt: replay check failed connection id=29, sequence number=11
When errors occur, the GM reregisters to the next available key server (KS) to retrieve the latest policy and keys and maintains all previously downloaded group policies and keys until the registration is complete.
For instance, when a cooperative key server (COOP KS) split occurs, each promoted KS generates its own Key Encryption Key (KEK) and Traffic Encryption Key (TEK). When a GM receives invalid SPI packets that it cannot decrypt, a recovery registration to the next key server (KS) on its list is performed. This recovery registration is repeated for each invalid stateful packet inspection (SPI) packet or TBAR error in each client recovery interval to the next KS on the list. When all the KSs in the list are recovered and no longer contain the invalid SPI, that SPI is marked as a false positive and no more recovery registrations are performed. The KSs will always do the recovery registration for TBAR errors. However, once the GM recovers to all the KSs in the list because of an invalid SPI and none of the KSs has that SPI, it will mark that SPI as a false positive and will not do more recovery registrations due to that SPI.
A syslog message is generated to notify you that this GM recovery reregistration feature is triggered. For instance, if you configure the GM to monitor for control-plane errors every 300 seconds, when the recovery registration occurs the following syslog is generated:
*Feb 23 19:06:28.600: %GDOI-5-GM_RECOVERY_REGISTER: received invalid GDOI packets; register to KS to refresh policy, keys, and PST.
How to Configure GETVPN Resiliency - GM Error Detection
1.
crypto
gdoi
group
group-name
2.
identity
number number
3.
server
address
ipv4 address
4.
client
recovery-check
interval interval
5.
exit
Configuration Examples for GETVPN Resiliency - GM Error Detection
The following example shows how to enable the group member (GM) to monitor for control-plane errors every 300 seconds.
crypto gdoi group GETVPN identity number 1111 server address ipv4 1.0.0.2 client recovery-check interval 300
Related Topic |
Document Title |
---|---|
Cisco IOS commands |
|
Cisco IOS security commands |
Cisco IOS Security Command References |
Basic deployment guidelines for enabling GET VPN in an enterprise network |
Cisco IOS GET VPN Solutions Deployment Guide |
Designing and implementing a GET VPN network |
Group Encrypted Transport VPN (GETVPN) Design and Implementation Guide |
Standard/RFC |
Title |
---|---|
RFC 6407 |
The Group Domain of Interpretation |
Description |
Link |
---|---|
The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password. |
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.Feature Name |
Releases |
Feature Information |
---|---|---|
GETVPN Resiliency - GM Error Detection |
Cisco IOS XE Release 3.10S |
Detects erroneous packets in the data plane for each GDOI group. The following command was introduced: client recovery-check interval. |