RE: GET VPN Redundant CA

From: Tyson Scott <tscott_at_ipexpert.com>
Date: Sat, 9 Jan 2010 20:12:16 -0500

Mohammed,

PKI high availability is not available until 15.0(1)M according to the 12.4T
documentation, but looking through the 15 mainline documentation I am unable to
find documentation showing the configuration.

You could use subordinate CAs and put the CDP-URL using a VIP in Server
Load Balancing and load balance CRL requests in the event one of them crashes.
This should account for a single point of failure.

Regards,
 
Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: tscott_at_ipexpert.com
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of
mohammed shoeb ahmed
Sent: Saturday, January 09, 2010 10:47 AM
To: Cisco certification
Subject: GET VPN Redundant CA

Hi Group,

I am testing GET VPN with redundant KSs and a single CA. My primary KS is
also the CA for the GET VPN. I am thinking that if my primary KS is down, the CA
will also be down; if any certificate expires while the CA is down, the
secondary KS will be of no use because clients will not be able to
authenticate through their certificates. So the best practice would be having
a redundant CA as well.

I didn't see any working example configuration of a redundant CA in the GET VPN
literature. I would appreciate it if someone could provide an example
configuration of a redundant CA or point me to any reference documents.

-- 
Best Regards,
Mohammed Shoeb Ahmed
Sr. Consultant,
Blogs and organic groups at http://www.ccie.net
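Editor's note: the following is an added IOS configuration sketch of the design Tyson describes (one subordinate CA on each cooperative key server, with the CRL distribution point embedded in issued certificates pointing at an IOS SLB VIP). It is not a configuration posted by either participant. Hostnames, addresses, group number and key/profile/ACL names are constructed for illustration; the offline root CA, the IPsec profile and the traffic ACL are assumed to exist.

```cisco
! ===== KS1 (10.1.1.1): subordinate CA #1, chained to an offline root =====
crypto pki trustpoint SUBCA1
 enrollment url http://root-ca.example.com:80
 revocation-check none
!
crypto pki server SUBCA1
 mode sub-cs
 issuer-name CN=subca1.example.com
 ! CDP written into every issued certificate: the SLB VIP, not this router
 cdp-url http://10.1.1.100/cgi-bin/pkiclient.exe?operation=GetCRL
 lifetime crl 24
 lifetime certificate 365
 database url flash:
 no shutdown
!
! ===== KS2 (10.1.1.2): same thing as subordinate CA #2 =====
crypto pki trustpoint SUBCA2
 enrollment url http://root-ca.example.com:80
 revocation-check none
!
crypto pki server SUBCA2
 mode sub-cs
 issuer-name CN=subca2.example.com
 cdp-url http://10.1.1.100/cgi-bin/pkiclient.exe?operation=GetCRL
 lifetime crl 24
 lifetime certificate 365
 database url flash:
 no shutdown
!
! ===== Cooperative key servers (shown for KS1; KS2 swaps the two addresses) =====
crypto gdoi group GETVPN
 identity number 1234
 server local
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-PROFILE
   match address ipv4 GETVPN-TRAFFIC
  address ipv4 10.1.1.1
  redundancy
   local priority 100
   peer address ipv4 10.1.1.2
!
! ===== IOS SLB on a router in the path: one VIP in front of both CA HTTP servers =====
ip slb serverfarm CRL-FARM
 nat server
 real 10.1.1.1
  inservice
 real 10.1.1.2
  inservice
!
ip slb vserver CRL-VIP
 virtual 10.1.1.100 tcp www
 serverfarm CRL-FARM
 inservice
!
! ===== Group member trustpoint: enrolls through SUBCA1, trusts the common root =====
crypto pki trustpoint GETVPN-GM
 enrollment url http://10.1.1.1:80
 ! try the CRL from the CDP first; do not block registration if it cannot be fetched
 revocation-check crl none
```

One caveat a practitioner should check before relying on this: each subordinate CA signs its own CRL, so a GetCRL request that the VIP round-robins to SUBCA2 returns a CRL whose issuer does not match a certificate SUBCA1 issued. The VIP therefore keeps a CRL endpoint reachable when one KS is down, but it does not guarantee the matching CRL. Either give each sub-CA a distinct `cdp-url` that only its own certificates carry, or keep `revocation-check crl none` on the group members so an unavailable CRL degrades to no revocation check rather than to failed registration, and accept that trade-off knowingly.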
Received on Sat Jan 09 2010 - 20:12:16 ART

This archive was generated by hypermail 2.2.0 : Thu Feb 04 2010 - 20:28:41 ART