GETVPN Key server Cisco 7200

Hi,
I am using Cisco 7200 NPG1 as Key server for GETVPN. I have almost 500 Spokes. How many concurrent IKE sessions could be supported by 7200 box?
I have heard that simultaneous session limit for IKE is 100?
regards
Prasad K

I have heard that simultaneous session limit for IKE is 100?
This is true for software crypto.
You get best scaling factor on 7200 with VSA. 500 seems a decent number. Are you seeing any problems?

Similar Messages

  • Different hardware for GETVPN Key server

      Hi,
    Can I use different platforms for Key server and COOP key server? I believe it is just an IPSec or GDOI relation between the two and the platform is not related. Can I have some guidelines or a link from Cisco on this? Please help
    regards
    Prasad

    Hardware and software requirements:
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/product_data_sheet0900aecd80582067.html
    For more information you can visit the below listed link
    http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6635/ps7180/deployment_guide_c07_554713.html
    Regards,
    Jatin

  • Key server sizing guidelines

    Hi All,
    Working on the getVPN requirement. Need some help on the key server sizing guidelines. Kindly guide and forward any relevant document you have.
    Thanking you in anticipation.
    Regards,
    Bhavesh

    Thank you Werner!!
    I bumped that up as well and went with 2x extract size...just to be safe!
    Chuck

  • COA radius between radius server & Cisco 7200 npeg2

    Hi Guys,
    I'm trying to establish COA attribute between Cisco 7200 npeg2 and radius server but I'm not having success with that!!!
    I don't know if it is an IOS limitation or the Cisco/radius config. My IOS version is below; I just need help with whether my current IOS supports the COA radius attribute or not.
    And, if possible, any helpful commands needed for COA to work!!
    7200npeg2#sh version 
    Cisco IOS Software, 7200 Software (C7200P-ADVENTERPRISEK9-M), Version 12.4(24)T8, RELEASE SOFTWARE (fc1)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2012 by Cisco Systems, Inc.
    Compiled Sun 09-Sep-12 07:00 by prod_rel_team
    ROM: System Bootstrap, Version 12.4(12.2r)T, RELEASE SOFTWARE (fc1)
    BOOTLDR: Cisco IOS Software, 7200 Software (C7200-KBOOT-M), Version 12.4(4)XD, RELEASE SOFTWARE (fc1)
    Bras2 uptime is 9 weeks, 4 days, 8 hours, 0 minutes
    System returned to ROM by power-on
    System image file is "disk2:c7200p-adventerprisek9-mz.124-24.T8.bin"
    This product contains cryptographic features and is subject to United
    States and local country laws governing import, export, transfer and
    use. Delivery of Cisco cryptographic products does not imply
    third-party authority to import, export, distribute or use encryption.
    Importers, exporters, distributors and users are responsible for
    compliance with U.S. and local country laws. By using this product you
    agree to comply with applicable laws and regulations. If you are unable
    to comply with U.S. and local laws, return this product immediately.
    A summary of U.S. laws governing Cisco cryptographic products may be found at:
    http://www.cisco.com/wwl/export/crypto/tool/stqrg.html
    If you require further assistance please contact us by sending email to
    [email protected].
    Cisco 7206VXR (NPE-G2) processor (revision A) with 917504K/65536K bytes of memory.
    Processor board ID 26790100
    MPC7448 CPU at 1666Mhz, Implementation 0, Rev 2.2
    6 slot VXR midplane, Version 2.9
    Last reset from power-on
    PCI bus mb1 (Slots 1, 3 and 5) has a capacity of 600 bandwidth points.
    Current configuration on bus mb1 has a total of 0 bandwidth points. 
    This configuration is within the PCI bus capacity and is supported. 
    PCI bus mb2 (Slots 2, 4 and 6) has a capacity of 600 bandwidth points.
    Current configuration on bus mb2 has a total of 0 bandwidth points.
    This configuration is within the PCI bus capacity and is supported. 
    Please refer to the following document "Cisco 7200 Series Port Adaptor
    Hardware Configuration Guidelines" on Cisco.com <http://www.cisco.com>
    for c7200 bandwidth points oversubscription and usage guidelines.
    1 FastEthernet interface
    3 Gigabit Ethernet interfaces
    2045K bytes of NVRAM.
    254464K bytes of ATA PCMCIA card at slot 2 (Sector size 512 bytes).
    65536K bytes of Flash internal SIMM (Sector size 512K).
    Configuration register is 0x2102
    ==================================================================

  • Public Key Server

    Does Oracle have a Public Key Server platform? If not, what would you suggest to use to make one?
    I have looked into the following platforms and I have some concerns about each:
    http://pks.sourceforge.net/
    https://bitbucket.org/skskeyserver/sks-keyserver/overview
    Any thoughts or suggestions would be helpful.
    Thanks!

    A self-signed certificate is a certificate whose Subject attribute equals its Issuer attribute. You can use the script below to find certificates that are self-signed and whose public key is less than 2048 bits.
    Be aware that if you search in all possible certificate stores (including the Trusted Root CA store) you will find a lot of self-signed certificates. Please see my notes in the PowerShell code.
    # Find self-signed certificates whose key size is less than 2048 bits.
    # Keep exactly one of the $myCerts lines below uncommented to choose the store to search.
    $myCerts = Get-Item Cert:\CurrentUser\My #search in Current User Store - Personal - this is the place to look in
    #$myCerts = Get-Item Cert:\LocalMachine\My #search in Local Machine Store - Personal - this is the place to look in
    #$myCerts = Get-Item Cert:\CurrentUser\* #search in Current User Store - this will bring a lot of cert list
    #$myCerts = Get-Item Cert:\LocalMachine\* #search in Local Machine Store - this will bring a lot of cert list
    # Read-only access is enough for listing certificates
    $myCerts.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    $myCertsList = Get-ChildItem $myCerts.PSPath
    # -eq instead of -like: Subject must match Issuer exactly, not be treated as a wildcard pattern
    $myCertsList | Where-Object {$_.Subject -eq $_.Issuer -and $_.PublicKey.Key.KeySize -lt 2048} | Select-Object * #self-signed and less than 2048
    $myCerts.Close()

  • CA Server and GET VPN Key Server

    Hi,
    Can I have an IOS CA Server and a GET VPN Key Server working in the same ISR G2?
    Thanks
    Emanuel

    Emanuel, 
    No I would not necessarily call this a small scale deployment, although we do scale above 4000 GMs.
    Please note that, at least as far as I am aware, there is no strict definition that a setup like this would not be supported for larger scale deployment. You may want to shoot your SE an email so they can discuss with the business unit if they limit supportability of such a setup somewhere.
    Technically speaking, what you need to take into consideration:
    - CPU utilization during registration (can be offloaded by using external CDP URL). 
    - Type of rekey. 
    - Amount of GM re-registrations. (i.e. stability of environment). 
    - KS COOP or not. 
    - KS platform of choice. 
    What you want to make sure is that PKI functions will not affect KS functions. (For example during multi spokes registering and performing CRL checks). 
    And make sure that KS is not a single point of failure for the entire domain - that means storing PKI data of the router.
    M.

  • How to Gatekeeper on cisco 7200

    How can I enable my gatekeeper on Cisco 7200? My current IOS is 12.1.(2)T. I cannot enable my gatekeeper; it seemed to be working before.
    Hope you can help me.
    thanks

    Does rolling back to the previous version help? If so, you could search for any potential bugs in 12.1.(2)T or try loading the latest version.
    My search on the bug toolkit with the "Gatekeeper" keyword on this release got me 240 bugs. I am not sure which one is yours, so better try with the latest version.

  • Multilink limitations application on Cisco 7200 Series

    Hi,
    Can someone please mention if Multilink can be supported on Cisco 7200 Series?
    IOS version:
    IOS 7200 Software (C7200-P-M), Version 12.3(16a), SOFTWARE (fc2)
    cisco 7206VXR 
    Any comment will be appreciated.
    Thank you.

    Hi -
    Our s/w development group is in the process of implementing ipv6 support in our products, and would like to use our Cisco 2650XM running ITP s/w for ipv6 interoperability tests.
    However, it appears that ipv6 is not supported in this s/w version:
    ITP1#sh version
    Cisco IOS Software, C2600 Software (C2600-ITPK9-M), Version 12.4(15)SW2, RELEASE SOFTWARE (fc3)
    Technical Support: http://www.cisco.com/techsupport
    Copyright (c) 1986-2008 by Cisco Systems, Inc.
    Compiled Tue 23-Sep-08 19:48 by prod_rel_team
    ROM: System Bootstrap, Version 12.2(7r) [cmong 7r], RELEASE SOFTWARE (fc1)
    ITP1#config
    Configuring from terminal, memory, or network [terminal]?
    Enter configuration commands, one per line. End with CNTL/Z.
    ITP1(config)#ipv6 ?
    % Unrecognized command
    My question is: Can I use this s/w version on the 2650XM in an ipv6 network? Do I need to upgrade the s/w?
    Thanks,
    Matt

  • Building Cisco 7200 VXR

    Hi,
    I have a Cisco 7200 VXR chassis. What cards I have to buy to mount a VoIP Gateway, with SS7 E1 ports to trunk with the PSTN networks?
    Best Regards.

    You can use the Cisco MIX-enabled T1/E1 Port Adapter. For more information kindly refer to the URLs below:
    http://www.cisco.com/en/US/tech/tk1077/technologies_configuration_example09186a00800afd65.shtml
    http://www.cisco.com/en/US/products/hw/modules/ps2033/ps1952/index.html

  • Cisco 7200 as managed cpe with mpls enabled

    Is there any real network that is using managed CPE (CPE router managed by SP) with mpls enabled (MPLS-TE, VPN) etc.
    Is anybody using cisco 7200 as a managed cpe router with mpls.
    Thanks.
    subodh

    With a PE router, the service provider handles many CE routers (of customers).
    A managed CPE router will be placed at the customer site and will handle only one customer.
    Is there any company/customer that has so big a network that they need a Cisco 7200 at their site, with this CPE doing MPLS-TE and MPLS-VPN?
    Could you please name some companies that are availing this kind of services from a service provider?
    {As the Cisco 7200 is also capable of providing a VoIP solution to the customer.}

  • Cisco 7200 as BRAS

    Hi,
    does anyone of you know if you can use a Cisco 7200 as a BRAS? We were told it is possible, but I am not able to find an IOS image with PPPoE support.
    Any pointers are welcome.
    TIA
    NaNa

    As far as I know, you can get ISG
    (http://www.cisco.com/en/US/products/ps6566/products_configuration_guide_book09186a008061ab53.html)
    features on the 7600 platform but only for IP sessions, not for PPP.
    These functions should be available on SIP-400.

  • FAS 4.0 HLS Key Server

    Hello All
    I am trying to find in the docs
    http://www.adobe.com/support/documentation/en/adobeaccess/
    How to specify the url of our key server instance.  If a policy specifies that a key server is required how does the player of protected content know the url of the key server?
    HLS streaming makes the m3u8 manifest from the URL’s we provide
    https://key-server-host:port/faxsks/tenant-name/key
    How is this set in the packager? Or if you can tell us what DOC outlines this since we can’t seem to find it in any of them.
    can anyone point me in the right direction.
    THX

    Hello,
    How do you package your HLS content?
    Are you using hlspackager? If so, you may want to use --faxskey-server-url=<URL> option.
    Thanks,
    -- Hiroshi

  • GETVPN: Cisco 3925E as a Key Server for 1500 GMs

    Hi,
    In a MPLS-VPN scenario as a private network for a client, they want to encrypt all their data traffic. GETVPN is the chosen encryption solution. They have 1500 branch offices, and 2 CPDs. We plan to use two Cisco 3925E as Key Servers, one in each CPD.
    Is the Cisco 3925E enough to support 1500 Branch Offices? If not, what platform do you recommend?
    Cisco Deployment and design guide is from 2010 and new platform Cisco 3900 is not mentioned.
    Thanks in advance

    Hi Jorge,
    The maximum number of GMs tested on a 3925E is 4000. You'll find the details of the scalability tests here:
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6525/ps9370/ps7180/GETVPN_DIG_version_1_0_External.pdf
    Hope that helps,
    Atri.

  • Problem with key Server in GETVPN

    I had a problem with my key servers in GETVPN, I could not understand well so far. My two key servers had problems with being a key issue of inspiration and had other physical problems. I have configured the OPEN and CLOSED in my understanding communication between GM should continue with the same problem with key servers, but went more than 24 hours and ended up falling all GETVPN network. My question is as follows: after the fall of the keys, primary and secondary servers in more than 24 hours while the TEK keys no longer work and the whole network goes down and it even?
    Eduardo Severo
    [email protected]

    Those fields should be on top of the view's field list. Also, the join conditions must be complete, e.g. also include MANDT, as far as I know.
    The system defines all view fields as key fields, if it cannot otherwise determine a unique key based on the join conditions and the primary keys of the joined tables.
    If that's not it, I have no further idea.
    Thomas

  • A "Web Reputation Filters" key was downloaded from the Cisco Ironport key server.....

    Recently we received an alert from our Ironport S370 appliance indicating that a new Web Reputation Filters key had been downloaded and placed into the pending area: EULA acceptance required. This key shows a 256 days validity; however, our current key still has 250 days left on it..... Why would a new key be downloaded when the old one still has so much time left on it? My understanding is that a key is just used to enable a feature, but being that the feature is already enabled and has several months of validity, why would a new key be needed? I find it a little strange.
    Thanks

    When Web Reputation Filters (WBRS) expired, all web sites that accessed using WSA as Web proxy will not get any reputation score and the filtering in WSA policies based on reputation score will not function therefore if for example accessing web site that has bad reputation score and should be blocked automatically by WSA when WBRS in functioning will not happened and all sites will be accessible without reputation score filtering (expose threats and strongly recommend to validate the feature keys).
