28-26
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 28 Group Encrypted Transport (GET) VPNs
Troubleshooting GET VPN Configurations
Normally, network address translation (NAT) is not used in the type of WAN environments where
GET VPN is deployed. If you do use NAT, however, ensure that the security policy ACL has permit
statements for the translated (post-NAT) addresses, not the original inside addresses: the group
members classify traffic as it appears on the wire, so an ACL that matches only the untranslated
addresses silently leaves that traffic unencrypted. Also, if you are using NAT Traversal (NAT-T),
the GDOI protocol port changes from UDP 848 to UDP 4500, so any firewall or ACL between the group
members and the key servers must permit the new port.
A control plane replay protection mechanism was added to Cisco IOS Software releases
12.4(15)T10, 12.4(22)T3, 12.4(24)T2, 15.0(1)M, and 12.2(33)XNE. This mechanism is not
backward-compatible: if any GET VPN group member in the network is running one of these (or a
later) release, you must also upgrade all key servers to one of these (or a newer) release.
Otherwise, rekeys from the older key server fail the replay check on the upgraded group members,
which can disrupt the network once the existing keys expire, and one of the following system
logging (syslog) messages appears on the affected group member:
%GDOI-3-GDOI_REKEY_SEQ_FAILURE: Failed to process rekey seq # 2 in seq payload for group get-group, last seq # 6
%GDOI-3-PSEUDO_TIME_TOO_OLD: Rekey received in group get-group is too old and failed PST check: my_pst is 184 sec, peer_pst is 25 sec, allowable_skew is 10 sec
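The two messages above are what a group member logs when a rekey fails the replay check. The following Python script is an added example, not part of the Cisco guide: it scans syslog lines for those two messages, extracts the group name and the pseudo-time values, and lists which hosts and groups are affected so the key-server release can be verified before the current keys expire. The syslog framing (a hostname followed by the message), the hostnames, and the sample lines are constructed assumptions. The exact comparison IOS applies to the pseudo-times is not stated in the guide, so the script only reports how far the difference between my_pst and peer_pst exceeds the allowable skew.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Patterns for the two rekey-failure messages quoted in the guide. On the
# device each message is a single syslog line; only the values vary.
SEQ_FAILURE = re.compile(
    r"%GDOI-3-GDOI_REKEY_SEQ_FAILURE: Failed to process rekey seq # (?P<seq>\d+) "
    r"in seq payload for group (?P<group>\S+), last seq # (?P<last>\d+)"
)
PST_TOO_OLD = re.compile(
    r"%GDOI-3-PSEUDO_TIME_TOO_OLD: Rekey received in group (?P<group>\S+) is too old "
    r"and failed PST check: my_pst is (?P<my_pst>\d+) sec, peer_pst is (?P<peer_pst>\d+) sec, "
    r"allowable_skew is (?P<skew>\d+) sec"
)
# Assumed syslog framing "<host> <message>" as a relay might store it (not from the guide).
HOST_PREFIX = re.compile(r"^(?P<host>\S+)\s+(?P<msg>%GDOI-3-.*)$")


@dataclass
class RekeyFailure:
    host: str
    group: str
    kind: str      # "sequence" or "pseudo-time"
    detail: str


def parse_line(line: str) -> Optional[RekeyFailure]:
    """Return a RekeyFailure for one of the two messages, or None for anything else."""
    framed = HOST_PREFIX.match(line.strip())
    if not framed:
        return None
    host, msg = framed.group("host"), framed.group("msg")

    m = SEQ_FAILURE.search(msg)
    if m:
        return RekeyFailure(host, m["group"], "sequence",
                            f"rekey seq {m['seq']} rejected, last accepted seq {m['last']}")
    m = PST_TOO_OLD.search(msg)
    if m:
        my_pst, peer_pst, skew = (int(m[k]) for k in ("my_pst", "peer_pst", "skew"))
        # The guide only shows the printed values; the rule IOS applies is not
        # spelled out, so report how far the difference exceeds the skew window.
        diff = abs(my_pst - peer_pst)
        return RekeyFailure(host, m["group"], "pseudo-time",
                            f"pst difference {diff}s exceeds allowable skew {skew}s by {diff - skew}s")
    return None


def triage(lines: List[str]) -> Dict[str, List[RekeyFailure]]:
    """Group every rekey failure by GET VPN group name."""
    by_group: Dict[str, List[RekeyFailure]] = {}
    for line in lines:
        failure = parse_line(line)
        if failure:
            by_group.setdefault(failure.group, []).append(failure)
    return by_group


def affected_hosts(lines: List[str]) -> Dict[str, List[str]]:
    """Group name -> sorted hosts that logged a rekey failure for that group."""
    return {g: sorted({f.host for f in fs}) for g, fs in triage(lines).items()}


# Constructed sample log (not real device output). Hostnames are assumptions;
# the %GDOI-3 bodies follow the formats quoted in the guide, and the last line
# is an unrelated message that must be ignored.
SAMPLE_LOG = [
    "gm-branch-1 %GDOI-3-GDOI_REKEY_SEQ_FAILURE: Failed to process rekey seq # 2 in seq payload for group get-group, last seq # 6",
    "gm-branch-2 %GDOI-3-PSEUDO_TIME_TOO_OLD: Rekey received in group get-group is too old and failed PST check: my_pst is 184 sec, peer_pst is 25 sec, allowable_skew is 10 sec",
    "gm-branch-1 %GDOI-3-PSEUDO_TIME_TOO_OLD: Rekey received in group get-group is too old and failed PST check: my_pst is 190 sec, peer_pst is 31 sec, allowable_skew is 10 sec",
    "gm-branch-3 %SYS-5-CONFIG_I: Configured from console by vty0",
]

if __name__ == "__main__":
    for group, hosts in affected_hosts(SAMPLE_LOG).items():
        print(f"group {group}: rekey failures on {', '.join(hosts)}; "
              f"verify the key server release for this group before the current keys expire")
```

Run it against the relevant slice of your syslog collector's output; any group that appears in the result has at least one member rejecting rekeys, and the key servers serving that group should be checked against the release list above.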
Tip For additional troubleshooting tips from the CLI configuration perspective, including information about
valuable show commands, see Cisco Group Encrypted Transport VPN on Cisco.com.
Related Topics
Understanding Group Encrypted Transport (GET) VPNs, page 28-2
Configuring GET VPN, page 28-12