Software Version 2.8.1

171

4.Further retransmission have a progressively larger delay. The gap between the second and third retransmissions is 16 seconds, the gap between the third and fourth retransmissions is 24 seconds, the next gap is 32 seconds, then 40, 48 and 56 seconds after each retransmission attempt.

5.After the eighth retransmission, the exchange times out.

Command Changes

The following table summarises the modified commands:

Command

Change

 

 

create isakmp policy

New msgbackoff parameter.

 

 

set isakmp policy

New msgbackoff parameter.

 

 

show isakmp exchange

New Message Back-offparameter in the output for a

 

specific exchange.

 

 

show isakmp policy

New Message Back-offparameter in the output for a

 

specific policy.

 

 

show isakmp sa

New Message Back-offparameter in the output for a

 

specific Security Association (SA).

 

 

Retrying ISAKMP Phase 1 and 2 Negotiations

This Software Version allows ISAKMP to retry phase 1 and phase 2 negotiations with an ISAKMP peer. Previously the router or switch would only attempt an ISAKMP negotiation once.

You can now set an ISAKMP policy to retry failed ISAKMP exchanges until either the connection is established, or the retry limit is reached. To specify the retry limit for a policy, use the new retryikeattempts parameter in the commands:

create isakmp policy=name peer={ipv4addipv6addany} [retryikeattempts={0..16continuous}] [other parameters]

set isakmp policy=name peer={ipv4addipv6addany} [retryikeattempts={0..16continuous}] [other parameters]

The retryikeattempts parameter is only valid when a specific peer IP address is configured in both the ISAKMP and IPsec policies. This feature is designed for permanent VPN connections. By default, retryikeattempts is set at 0, and negotiations are not retried.

ISAKMP retryikeattempts is intended to help re-establish ISAKMP exchanges when network problems or key exchange errors occur. Specifically, ISAKMP reattempts exchanges when:

the router or switch rejects SA proposals sent by the peer

authentication fails during phase 1 or phase 2

the exchange times out during phase 1 or phase 2

the peer sends a Delete SA notification message for the most recent SA

Software Version 2.8.1 C613-10477-00 REV B

Page 171
Image 171
Allied Telesis AT-8700XL, RAPIER I, X900-48FE, AT-8900, AT-9900, AT-8600, AT-9800 Retrying Isakmp Phase 1 and 2 Negotiations