SA Renewal question

mark.carpio
Level 1

Hi Experts,

Given a hub-to-spoke connection, if I clear the crypto sessions on the spoke and the spoke thereafter sends an SA initialization request to the hub, would the hub remove its existing SA with the spoke and renew its SA?

3 Replies

Marcin Latosiewicz
Cisco Employee

To paint a fuller picture.

Rule of thumb: when clearing SAs, your spoke router should send the appropriate delete notification towards the hub, and the hub should remove said SAs.

Also, if delete notifications were not sent or received, DPDs should kick in on the hub side and clear sessions that are dead (that's one of the reasons it's best practice for them to be enabled).

There is also indeed a possibility to reconnect with same proxy IDs ...

Thanks for the reply Marcin.

We have an issue with a bug on the hub where it is prematurely clearing the SAs given its DPD setting. We will be disabling DPD on the hub temporarily till the IOS is upgraded. My concern is, should the spoke site lose its connection to the hub, since the spoke site has DPD, it will clear its SAs. But once the link between the spoke and hub comes back up and the spoke sends an initialization request to the hub, will the hub clear its SA and renew its SA with the spoke?

I recall losing the internet connection and clearing the crypto session on another setup (no DPD between spokes), and when the internet connection came back up, both spokes renewed their SAs, but I just wanted to get a second opinion.

Mark,

Maybe it's just a question of tweaking DPD settings to be less aggressive, so as not to delete anything on a short flap? :-)

It'd be best to see debugs on any problem like this.

debug cry isa

debug cry kmi

(for reference)

M.
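The thread above turns on three hub behaviours: an SA is dropped on a delete notification, dropped by DPD only after the probe window is exhausted, and replaced (not duplicated) when the spoke re-initiates with the same proxy IDs. The model below is an added illustration written for this page, not Cisco IOS code or anyone's posted config; the hub class, its timer arithmetic (first probe after `dpd_interval` seconds of silence, then `dpd_retries` probes `dpd_retry` seconds apart) and the spoke names are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class Hub:
    """Constructed model of a hub's per-spoke SA table (not IOS behaviour)."""
    dpd_interval: int = 10   # seconds of silence before the first DPD probe
    dpd_retries: int = 3     # unanswered probes tolerated before declaring dead
    dpd_retry: int = 5       # seconds between retransmitted probes
    sas: dict = field(default_factory=dict)   # peer -> SA generation number
    log: list = field(default_factory=list)

    def establish(self, peer):
        # A fresh initiation from a known peer (same proxy IDs) replaces the
        # stale SA instead of leaving two SAs for one spoke.
        gen = self.sas.get(peer, 0) + 1
        if peer in self.sas:
            self.log.append(f"{peer}: replacing SA gen {gen - 1} with gen {gen}")
        self.sas[peer] = gen
        return gen

    def delete_notify(self, peer):
        # Spoke clears its crypto session and sends an IKE delete: hub drops SA.
        removed = self.sas.pop(peer, None) is not None
        if removed:
            self.log.append(f"{peer}: SA removed on delete notification")
        return removed

    def outage(self, peer, seconds):
        # Peer silent for `seconds`; the SA dies only if the silence outlasts
        # the whole DPD window, so a short flap leaves the SA in place.
        dead_after = self.dpd_interval + self.dpd_retries * self.dpd_retry
        if peer in self.sas and seconds >= dead_after:
            del self.sas[peer]
            self.log.append(f"{peer}: SA cleared by DPD after {seconds}s")
            return True
        return False


def flap_then_reconnect(flap_seconds, dpd_interval=10, dpd_retries=3, dpd_retry=5):
    """Spoke loses connectivity for flap_seconds, then re-initiates to the hub.
    Returns (cleared_by_dpd, new_generation, sa_count) to show that the hub
    holds exactly one SA for the spoke either way."""
    hub = Hub(dpd_interval, dpd_retries, dpd_retry)
    hub.establish("spoke1")
    cleared = hub.outage("spoke1", flap_seconds)
    gen = hub.establish("spoke1")
    return cleared, gen, len(hub.sas)
```

With the default window of 25 seconds, a 5-second flap keeps the SA and the reconnect replaces it in place, while a 60-second outage lets DPD clear it first; in both cases the spoke ends up with a single SA on the hub.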
