Allied Telesis AT-8700XL, RAPIER I, X900-48FE, AT-8900 Retrying Isakmp Phase 1 and 2 Negotiations

Models: AT-9900 AT-8700XL AT-9800 AT-8600 RAPIER I AT-8800 AT-8900 X900-48FE


Software Version 2.8.1


4. Further retransmissions have a progressively larger delay. The gap between the second and third retransmissions is 16 seconds, the gap between the third and fourth retransmissions is 24 seconds, the next gap is 32 seconds, then 40, 48 and 56 seconds after each subsequent retransmission attempt.

5. After the eighth retransmission, the exchange times out.

Command Changes

The following table summarises the modified commands:

Command                 Change
create isakmp policy    New msgbackoff parameter.
set isakmp policy       New msgbackoff parameter.
show isakmp exchange    New Message Back-off parameter in the output for a specific exchange.
show isakmp policy      New Message Back-off parameter in the output for a specific policy.
show isakmp sa          New Message Back-off parameter in the output for a specific Security Association (SA).

Retrying ISAKMP Phase 1 and 2 Negotiations

This Software Version allows ISAKMP to retry phase 1 and phase 2 negotiations with an ISAKMP peer. Previously the router or switch would only attempt an ISAKMP negotiation once.

You can now set an ISAKMP policy to retry failed ISAKMP exchanges until either the connection is established, or the retry limit is reached. To specify the retry limit for a policy, use the new retryikeattempts parameter in the commands:

create isakmp policy=name peer={ipv4add|ipv6add|any} [retryikeattempts={0..16|continuous}] [other parameters]

set isakmp policy=name peer={ipv4add|ipv6add|any} [retryikeattempts={0..16|continuous}] [other parameters]

The retryikeattempts parameter is only valid when a specific peer IP address is configured in both the ISAKMP and IPsec policies. This feature is designed for permanent VPN connections. By default, retryikeattempts is set at 0, and negotiations are not retried.

ISAKMP retryikeattempts is intended to help re-establish ISAKMP exchanges when network problems or key exchange errors occur. Specifically, ISAKMP reattempts exchanges when:

- the router or switch rejects SA proposals sent by the peer
- authentication fails during phase 1 or phase 2
- the exchange times out during phase 1 or phase 2
- the peer sends a Delete SA notification message for the most recent SA
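The following model, added here as an illustration and not Allied Telesis code, walks through the retransmission schedule above (gaps from the second to the eighth retransmission) and the retryikeattempts behaviour: it validates the {0..16|continuous} value, requires a specific peer address, and counts how many negotiation attempts a policy makes for a constructed sequence of exchange outcomes. The outcome names and the negotiate() helper are assumptions made for the example; the page does not state the delay before the first two retransmissions, so the schedule starts at the second.

```python
from typing import List, Optional

# Failure conditions on which the page says ISAKMP re-attempts an exchange.
# The names are constructed for this example.
RETRYABLE = {"proposal_rejected", "auth_failed", "timeout", "delete_sa"}


def parse_retry_limit(value: str) -> Optional[int]:
    """Parse a retryikeattempts value {0..16|continuous}; None means unbounded."""
    if value == "continuous":
        return None
    n = int(value)
    if not 0 <= n <= 16:
        raise ValueError("retryikeattempts must be 0..16 or continuous")
    return n


def retransmit_gap(n: int) -> int:
    """Seconds between the n-th and (n+1)-th retransmission, n in 2..7.

    Taken from the schedule on this page: 16 s between the 2nd and 3rd,
    then 8 s more for each later retransmission (24, 32, 40, 48, 56)."""
    if not 2 <= n <= 7:
        raise ValueError("page only gives gaps from the 2nd to the 8th retransmission")
    return 16 + 8 * (n - 2)


def seconds_from_second_retransmit_to_timeout() -> int:
    """Wait from the 2nd retransmission until the 8th, after which the
    exchange times out (the page gives no figure for the first two gaps)."""
    return sum(retransmit_gap(n) for n in range(2, 8))


def negotiate(peer: str, retryikeattempts: str, outcomes: List[str]) -> dict:
    """Count negotiation attempts for a constructed sequence of outcomes.

    outcomes[i] is the result of attempt i+1: "established" or one of
    RETRYABLE. Negotiation stops once established, once the retry limit
    is used up, or on an outcome the page does not list as retryable."""
    if peer == "any":
        raise ValueError("retryikeattempts needs a specific peer IP address")
    limit = parse_retry_limit(retryikeattempts)
    attempts, retries = 0, 0
    for outcome in outcomes:
        attempts += 1
        if outcome == "established":
            return {"attempts": attempts, "established": True}
        if outcome not in RETRYABLE or (limit is not None and retries >= limit):
            break
        retries += 1
    return {"attempts": attempts, "established": False}
```

With the default retryikeattempts=0 a single failed exchange ends the negotiation, which is the pre-2.8.1 behaviour the section describes.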

Software Version 2.8.1 C613-10477-00 REV B
