GETVPN with COOP and TBAR

ASA1:

ASA Version 8.0(2)

interface Ethernet0/0
  nameif INSIDE
  security-level 100
  ip address 1.1.1.10 255.255.255.0 standby 1.1.1.11
!
interface Ethernet0/1
  nameif OUTSIDE
  security-level 0
  ip address 3.3.3.10 255.255.255.0 standby 3.3.3.11
!
interface Ethernet0/2
  description LAN/STATE Failover Interface
!

access-list OUT_IN extended permit udp host 3.3.3.1 host 1.1.1.1 eq 848 // GDOI registration (UDP 848) from GM1 to KS1 through the ASA
access-list OUT_IN extended permit udp host 3.3.3.1 host 1.1.1.2 eq 848 // GDOI registration from GM1 to KS2
access-list OUT_IN extended permit udp host 3.3.3.2 host 1.1.1.2 eq 848 // GDOI registration from GM2 to KS2
access-list OUT_IN extended permit udp host 3.3.3.2 host 1.1.1.1 eq 848 // GDOI registration from GM2 to KS1
// Only registration needs an explicit permit on OUTSIDE: the unicast rekeys originate from the KSs on INSIDE (security-level 100) and are allowed outbound by default.

failover lan unit primary   // ASA1 is the primary unit; ASA2 carries the same configuration with "failover lan unit secondary"
failover lan interface FOVER Ethernet0/2
failover link FOVER Ethernet0/2
failover interface ip FOVER 7.7.100.100 255.255.255.0 standby 7.7.100.101
failover

access-group OUT_IN in interface OUTSIDE

fixup protocol icmp // legacy syntax, converted to "inspect icmp" in the global policy; without ICMP inspection echo replies are not allowed back through the ASA

ASA1 Screenshot

KS1:

crypto isakmp policy 10   // lab settings: 3DES, MD5, group 2 and the pre-shared key "cisco" are weak placeholders; use AES, SHA-2 and group 14 or stronger outside a lab
  encr 3des
  hash md5
  authentication pre-share
  group 2
crypto isakmp key cisco address 3.3.3.1 // ISAKMP SA between KS1 and GM1 for registration
crypto isakmp key cisco address 3.3.3.2 // ISAKMP SA between KS1 and GM2, needed when GM2 falls back to KS1 because KS2 is down
crypto isakmp key cisco address 1.1.1.2 // ISAKMP SA between KS1 and KS2 for the COOP announcement messages
!
crypto ipsec transform-set TRANS esp-3des esp-md5-hmac
!
crypto ipsec profile GDOI
  set transform-set TRANS
!
crypto gdoi group GETVPN
  identity number 123 // must match on both KSs and on every GM
  server local
   rekey retransmit 10 number 2 // default: retransmit the rekey after 10 s, at most 2 times
   rekey authentication mypubkey rsa KEK // rekeys are signed with the RSA keypair labelled KEK; the same keypair must exist on KS1 and KS2 (generate it exportable, export it, import it on the peer), otherwise GMs cannot validate rekeys after a COOP failover
   rekey transport unicast // default is multicast
   sa ipsec 1
     profile GDOI
     match address ipv4 101 // interesting-traffic policy pushed to the GMs
     replay time window-size 5 // TBAR with a 5 s window; the default is counter-based (sequence-number) anti-replay, which only works for a pairwise SA since all GMs share one group SA
   address ipv4 1.1.1.1
   redundancy // enables COOP
     local priority 100 // the KS with the higher priority becomes primary; KS2 is configured with 50
     peer address ipv4 1.1.1.2 // KS2

interface FastEthernet0/0
  ip address 1.1.1.1 255.255.255.0

ip route 3.3.3.0 255.255.255.0 1.1.1.10

access-list 101 permit ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255 // policy ACL downloaded by the GMs at registration (interesting traffic: 10.1.0.0/16 to 10.1.0.0/16)
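The KS1 block above pushes TBAR (replay time window-size 5) to the GMs instead of the default counter-based anti-replay. The following is an added illustration for these notes, not code from the page or from Cisco, of why a group SA shared by several senders breaks a sequence-number window and how a time window behaves instead. The class and function names and the packet stream are assumptions constructed for the example.

```python
"""Counter-based vs time-based anti-replay (TBAR) on a shared GETVPN group SA.

Added illustration for these notes; it is not code from the page or from Cisco.
Class and function names and the packet stream are assumptions constructed for
the example. CounterReplayCheck models the default 'replay counter window-size'
behaviour, TbarCheck models 'replay time window-size 5' from the KS config.
"""
from dataclasses import dataclass, field
from typing import List, Set


@dataclass
class Packet:
    sender: str         # which GM sent it (all GMs share one group SA)
    seq: int            # ESP sequence number, maintained per sender
    pseudotime: float   # sender's GDOI pseudotime (seconds) when it was sent


@dataclass
class CounterReplayCheck:
    """RFC 4303 style sliding window: highest sequence number seen plus the set
    of numbers accepted inside the window. Correct for a pairwise SA, but on a
    group SA every GM starts its own counter at 1, so other senders collide."""
    window: int = 64
    highest: int = 0
    seen: Set[int] = field(default_factory=set)

    def accept(self, pkt: Packet) -> bool:
        if pkt.seq > self.highest:
            self.highest = pkt.seq
            self.seen.add(pkt.seq)
            # forget numbers that fell out of the window
            self.seen = {s for s in self.seen if s > self.highest - self.window}
            return True
        if pkt.seq <= self.highest - self.window:
            return False            # older than the window: treated as a replay
        if pkt.seq in self.seen:
            return False            # duplicate sequence number: treated as a replay
        self.seen.add(pkt.seq)
        return True


@dataclass
class TbarCheck:
    """Time-based anti-replay: each GM stamps packets with the group pseudotime
    it learned from the KS; a receiver accepts a packet only if that stamp is
    within the configured window of its own pseudotime."""
    window: float = 5.0        # seconds, as in 'replay time window-size 5'
    local_pseudotime: float = 0.0

    def accept(self, pkt: Packet) -> bool:
        return abs(self.local_pseudotime - pkt.pseudotime) <= self.window


# Constructed traffic: GM1 and GM2 both send on the same group SA, interleaved.
GROUP_TRAFFIC: List[Packet] = [
    Packet("GM1", 1, 100.0),
    Packet("GM2", 1, 100.1),
    Packet("GM1", 2, 100.2),
    Packet("GM2", 2, 100.3),
    Packet("GM2", 3, 100.4),
    Packet("GM1", 3, 100.5),
]


def verdicts_counter(packets: List[Packet]) -> List[bool]:
    """Run a counter-based receiver over the stream; one accept/drop per packet."""
    check = CounterReplayCheck()
    return [check.accept(p) for p in packets]


def verdicts_tbar(packets: List[Packet], receiver_pseudotime: float,
                  window: float = 5.0) -> List[bool]:
    """Run a TBAR receiver whose pseudotime is receiver_pseudotime over the stream."""
    check = TbarCheck(window=window, local_pseudotime=receiver_pseudotime)
    return [check.accept(p) for p in packets]


if __name__ == "__main__":
    # Counter mode drops every legitimate packet whose number another GM already used.
    for p, ok in zip(GROUP_TRAFFIC, verdicts_counter(GROUP_TRAFFIC)):
        print(f"counter  {p.sender} seq={p.seq}: {'accept' if ok else 'DROP'}")
    # TBAR accepts the same stream when the receiver's pseudotime is close.
    for p, ok in zip(GROUP_TRAFFIC, verdicts_tbar(GROUP_TRAFFIC, 100.3)):
        print(f"tbar     {p.sender} seq={p.seq}: {'accept' if ok else 'DROP'}")
    # A captured packet replayed 10 s later fails the time check ...
    print("replay after 10 s:", verdicts_tbar([GROUP_TRAFFIC[0]], 110.0))
    # ... but a replay inside the 5 s window is accepted: the window size is the
    # attacker's replay budget, which is why it is kept small.
    print("replay after 3 s: ", verdicts_tbar([GROUP_TRAFFIC[0]], 103.0))
```

In the real protocol the pseudotime is learned from the KS at registration and refreshed with each rekey; the model simply takes the receiver's pseudotime as a parameter. The last two lines of the demo show the trade-off the 5 s setting makes: anything replayed inside the window still passes, so the window is kept as small as the clock drift between GMs allows.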

KS2:

crypto isakmp policy 10
  encr 3des
  hash md5
  authentication pre-share
  group 2
crypto isakmp key cisco address 3.3.3.1
crypto isakmp key cisco address 3.3.3.2
crypto isakmp key cisco address 1.1.1.1
!
!
crypto ipsec transform-set TRANS esp-3des esp-md5-hmac
!
crypto ipsec profile GDOI
  set transform-set TRANS
!
crypto gdoi group GETVPN
  identity number 123
  server local
   rekey retransmit 10 number 2
   rekey authentication mypubkey rsa KEK
   rekey transport unicast
   sa ipsec 1
     profile GDOI
     match address ipv4 101
     replay time window-size 5
   address ipv4 1.1.1.2
   redundancy
     local priority 50
     peer address ipv4 1.1.1.1

interface FastEthernet0/0
  ip address 1.1.1.2 255.255.255.0
ip route 3.3.3.0 255.255.255.0 1.1.1.10
!
access-list 101 permit ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255

After configuring KS1 and KS2, verify the COOP election and the KS-to-KS ISAKMP SA with:
show crypto gdoi ks coop   // KS1 should be elected Primary (priority 100) and KS2 Secondary (priority 50)
show crypto isakmp sa      // an ISAKMP SA between 1.1.1.1 and 1.1.1.2 carries the COOP announcement messages

GM1:

crypto isakmp policy 10
  encr 3des
  hash md5
  authentication pre-share
  group 2
crypto isakmp key cisco address 1.1.1.1
crypto isakmp key cisco address 1.1.1.2
!
crypto gdoi group GET
  identity number 123
  server address ipv4 1.1.1.1 // primary KS, tried first
  server address ipv4 1.1.1.2 // secondary KS
!
crypto map CMAP 10 gdoi
  set group GET
!
interface Loopback0
  ip address 10.1.3.1 255.255.255.255
!
interface FastEthernet0/0
  ip address 3.3.3.1 255.255.255.0
  crypto map CMAP
ip route 1.1.1.0 255.255.255.0 3.3.3.10
ip route 10.1.4.1 255.255.255.255 3.3.3.2

NOTE: GM1 tries the key servers in the order the server address statements are listed: KS1 (1.1.1.1) first, and KS2 (1.1.1.2) only if KS1 does not respond.

After registration, the following message appears:

GM2:

crypto isakmp policy 10
  encr 3des
  hash md5
  authentication pre-share
  group 2
crypto isakmp key cisco address 1.1.1.1
crypto isakmp key cisco address 1.1.1.2
!
crypto gdoi group GET
  identity number 123
  server address ipv4 1.1.1.2 // GM2 tries the key servers in the order they are listed, so it registers with KS2 first
  server address ipv4 1.1.1.1 // KS1 is used only if KS2 does not respond
!
crypto map CMAP 10 gdoi
  set group GET
interface Loopback0
  ip address 10.1.4.1 255.255.255.255
!
interface FastEthernet0/0
  ip address 3.3.3.2 255.255.255.0
  crypto map CMAP
ip route 1.1.1.0 255.255.255.0 3.3.3.10
ip route 10.1.3.1 255.255.255.255 3.3.3.1

After successful registration, verify on the GM with:
show crypto gdoi   // shows the KS the GM registered with and the policy it downloaded (ACL 101 and the SA parameters)