Table of Contents
Advertisement
In either case, the interface becomes available (operational state up) when the
rekeying operation is completed successfully. If the rekeying operation fails for
reasons such as an unreachable remote end or a policy mismatch, the router waits
a certain number of minutes and then tries again.
The wait time increases after each unsuccessful rekeying attempt, and follows a
progressive pattern. This pattern gradually increases in intervals, starting at 1 minute
and reaching a maximum interval of 60 minutes. The 60-minute interval repeats
indefinitely. When the rekeying operation is completed successfully, the pattern
starts again.
If no ISM is available to which the router can reassign the interface, the interface
remains in the not present state until an ISM becomes available. As a result, the
distribution of dedicated ISM interfaces over the modules might become uneven.
Tunnel-Service Interface Considerations
To configure a tunnel-server port, you assign the maximum number of tunnel-service
interfaces to run on the specified tunnel-server port. This process is referred to as
provisioning. Conversely, the process of reducing the maximum number of
tunnel-service interfaces on a tunnel-server port to zero is referred to as unprovisioning
the port.
This section describes the considerations for provisioning and unprovisioning
tunnel-service interfaces on dedicated and shared tunnel-server ports.
For instructions on how to provision and unprovision tunnel-service interfaces, see
"Configuring Tunnel-Server Ports and Tunnel-Service Interfaces" on page 225 .
Provisioning Tunnel-Service Interfaces
By default, dedicated tunnel-server ports are configured to have the maximum number
of tunnel-service interfaces that the dedicated tunnel-server module supports. You
can reduce the maximum number of interfaces or completely unprovision the port
by issuing the max-interfaces command.
By default, shared tunnel-server ports are configured to have no tunnel-service
interfaces. To provision tunnel-service interfaces on shared tunnel-server ports, you
must provision the port by assigning a nonzero maximum number of tunnel-service
interfaces to run on the port by issuing the max-interfaces command.
ISM. If the reassignment is successful, the router immediately initiates an IPSec
negotiation, also known as rekeying the interface.
If the interface's local IP address is greater than the remote IP address, the router
attempts to reassign the interface to an available ISM. If the reassignment is
successful, the router waits 3 minutes before initiating an IPSec negotiation.
Chapter 6: Managing Tunnel-Service and
IPSec-Service Interfaces
Tunnel-Service Interface Considerations
223
Advertisement
Table of Contents
