Aaa Server Group Selection; Fap Id-Based Duplicate Session Detection; Tunnel Cleanup On Fap Reboot; Child Sa Rekey Support - Cisco ASR 5000 Series Administration Manual


Femto Network Gateway Overview

AAA Server Group Selection

This feature provides a maximum of 64 AAA groups on the ASR 5000. These can be spread across multiple contexts, or
all groups can be configured within a single context. A maximum of 320 RADIUS servers is allowed on the chassis,
unless the aaa-large-configuration command is issued, in which case the limits become a maximum of 800 AAA
groups and 1600 RADIUS servers configured per chassis.

FAP ID-based Duplicate Session Detection

When this feature is enabled and a FAP sets up a new session, the FNG automatically checks for any remnants of
abandoned calls, and if found, clears them. Clearing the old session and establishing the new session in parallel
optimizes FNG processing functions.
With every new session setup, the FNG verifies whether there are any old sessions that are bound to the Femtocell
Access Point Identifiers (FAP IDs). For example, when a FAP reboots, it may initiate a new session with the FNG.
After authentication, if the FNG detects an old session with the same FAP ID, the FNG clears the old IPSec tunnel and
establishes a new IPSec tunnel with the FAP. This feature is designed with the assumption that not more than one call
with duplicate FAP IDs is in the setup stage at any one time.
You enable FAP ID-based duplicate session detection in the FNG Service Configuration Mode of the system's CLI.
This feature should be enabled in the boot-time configuration before any calls are established.

Tunnel Cleanup on FAP Reboot

The FNG supports initial contact handling in IKE_AUTH messages as per RFC 4306 and cleans up the original tunnel if
a FAP initiates a new tunnel after a reboot. The CLI command for duplicate session detection is not needed to enable
this detection. Initial contact notification asserts that this IKE_SA is the only IKE_SA currently active between the
authenticated identities. It may be sent when an IKE_SA is established after a crash, and the recipient may use this
information to delete any other IKE_SAs it has for the same authenticated identity without waiting for a timeout.
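The following is an added example, not code from the Cisco guide: a minimal Python model of how a gateway's IKE_SA table can be reconciled when a FAP re-authenticates after a reboot, either through the IKEv2 INITIAL_CONTACT notification described above or through FAP ID-based duplicate session detection from the previous section. The `Gateway`, `IkeSa` and `ike_auth_complete` names are hypothetical, and cleanup is keyed on the authenticated identity only, which is the point both features rely on.

```python
from dataclasses import dataclass, field
import itertools

# Hypothetical model of an FNG-style IKE_SA table; not the product's code.
_sa_ids = itertools.count(1)


@dataclass
class IkeSa:
    sa_id: int
    fap_id: str                  # authenticated identity of the FAP (e.g. IKEv2 IDi)
    state: str = "established"   # "setup" while IKE_AUTH is in progress, then "established"


@dataclass
class Gateway:
    dup_detection: bool = False            # FNG-service duplicate session detection knob
    sas: dict = field(default_factory=dict)  # sa_id -> IkeSa

    def ike_auth_complete(self, fap_id, initial_contact=False):
        """Called only after the FAP identity has been authenticated in IKE_AUTH.

        Returns (cleared_sa_ids, new_sa). Stale tunnels for the same identity are
        torn down if the peer asserted INITIAL_CONTACT (RFC 4306) or if FAP ID-based
        duplicate session detection is enabled; otherwise they linger until timeout.
        """
        cleared = []
        # Never evict on an unauthenticated IKE_SA_INIT: cleanup is decided here,
        # after authentication, so a spoofed identity cannot remove a live tunnel.
        if initial_contact or self.dup_detection:
            for sa in list(self.sas.values()):
                if sa.fap_id == fap_id and sa.state == "established":
                    del self.sas[sa.sa_id]
                    cleared.append(sa.sa_id)
        new_sa = IkeSa(next(_sa_ids), fap_id)
        self.sas[new_sa.sa_id] = new_sa
        return cleared, new_sa

    def tunnels_for(self, fap_id):
        """Number of IKE_SAs currently held for one FAP identity."""
        return sum(1 for sa in self.sas.values() if sa.fap_id == fap_id)
```

With neither mechanism, a rebooted FAP leaves an orphaned tunnel on the gateway that only a timeout will reclaim; the test below checks both cleanup paths and that another FAP's tunnel is untouched.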

Child SA Rekey Support

Rekeying of an IKEv2 Child Security Association (SA) occurs for an already established Child SA whose lifetime
(either time-based or data-based) is about to exceed a maximum limit. The FNG initiates rekeying to replace the existing
Child SA. During rekeying, two Child SAs exist momentarily (500ms or less) to ensure that transient packets from the
original Child SA are processed by the FNG and not dropped.
FNG-initiated Child SA rekeying is disabled by default, and rekey requests are ignored. You can enable this feature in
the Crypto Configuration Payload Mode of the system's CLI.
OL-24872-01 Cisco ASR 5000 Series Femto Network Gateway Administration Guide, Features and Functionality, page 21
