Retrying Isakmp Phase 1 And 2 Negotiations - Allied Telesis AT-8600 Release Note

Version 2.8.1

Hide thumbs Also See for AT-8600:

Installation and safety manual (38 pages)

Hardware reference manual (30 pages)

How to use manual (26 pages)

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

Table of Contents

Software Version 2.8.1

C613-10477-00 REV B

Further retransmission have a progressively larger delay. The gap between

the second and third retransmissions is 16 seconds, the gap between the

third and fourth retransmissions is 24 seconds, the next gap is 32 seconds,

then 40, 48 and 56 seconds after each retransmission attempt.

After the eighth retransmission, the exchange times out.

Command Changes

The following table summarises the modified commands:

Command

create isakmp policy

set isakmp policy

show isakmp exchange

show isakmp policy

show isakmp sa

Retrying ISAKMP Phase 1 and 2 Negotiations

This Software Version allows ISAKMP to retry phase 1 and phase 2

negotiations with an ISAKMP peer. Previously the router or switch would only

attempt an ISAKMP negotiation once.

You can now set an ISAKMP policy to retry failed ISAKMP exchanges until

either the connection is established, or the retry limit is reached. To specify the

retry limit for a policy, use the new retryikeattempts parameter in the

commands:

create isakmp policy=name peer={ipv4add|ipv6add|any}

[retryikeattempts={0..16|continuous}] [other parameters]

set isakmp policy=name peer={ipv4add|ipv6add|any}

[retryikeattempts={0..16|continuous}] [other parameters]

The retryikeattempts parameter is only valid when a specific peer IP address is

configured in both the ISAKMP and IPsec policies. This feature is designed for

permanent VPN connections. By default, retryikeattempts is set at 0, and

negotiations are not retried.

ISAKMP retryikeattempts is intended to help re-establish ISAKMP exchanges

when network problems or key exchange errors occur. Specifically, ISAKMP

reattempts exchanges when:

■

the router or switch rejects SA proposals sent by the peer

■

authentication fails during phase 1 or phase 2

■

the exchange times out during phase 1 or phase 2

■

the peer sends a Delete SA notification message for the most recent SA

Change

New msgbackoff parameter.

New Message Back-off parameter in the output for a

specific exchange.

New Message Back-off parameter in the output for a

specific policy.

New Message Back-off parameter in the output for a

specific Security Association (SA).

171

Table of Contents

Show Quick Links

Hide quick links:

Chapters

Table of Contents

Troubleshooting

This manual is also suitable for:

At-8800 At-9800 At-9900 At-8700xl At-8900 X900-48fe ... Show all

Retrying Isakmp Phase 1 And 2 Negotiations - Allied Telesis AT-8600 Release Note

Retrying ISAKMP Phase 1 and 2 Negotiations

Hide quick links:

Chapters

Troubleshooting

Related Manuals for Allied Telesis AT-8600

Related Content for Allied Telesis AT-8600

This manual is also suitable for:

Table of Contents