07-05-2012 04:37 AM
Hi Experts,
Given a hub to spoke connection, if I clear the crypto sessions on the spoke and the spoke thereafter sends an SA initialization request to the hub, would the hub remove its existing SA with the spoke and renew its SA?
07-05-2012 05:00 AM
To paint a fuller picture.
Rule of thumb: when clearing SAs, your spoke router should send the appropriate delete notification towards the hub, and the hub should remove said SAs.
Also, if delete notifications were not sent or received, DPDs should kick in on the hub side and clear sessions that are dead (that's one of the reasons it's best practice for them to be enabled).
There is also indeed a possibility to reconnect with same proxy IDs ...
07-05-2012 05:31 AM
Thanks for the reply Marcin.
We have an issue with a bug on the hub where it is prematurely clearing the SAs given its DPD setting. We will be disabling DPD on the hub temporarily till the IOS is upgraded. My concern is, should the spoke site lose its connection to the hub, since the spoke site has DPD, it will clear its SA. But once the link between the spoke and hub comes back up and the spoke sends an initialization request to the hub, will the hub clear its SA and renew its SA with the spoke?
I recall losing internet connection and clearing the cryp session on another setup (no DPD between spokes), and when the internet connection came back up, both spokes renewed its SA but I just wanted to get a second opinion.
07-05-2012 05:41 AM
Mark,
Maybe it's just a question of tweaking DPD settings to be less aggressive, not to delete anything on short flap? :-)
It'd be best to see debugs on any problem like this.
debug cry isa
debug cry kmi
(for reference)
M.
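As an added illustration of the "less aggressive DPD" option Marcin suggests (this is not a config posted by either participant in the thread), here is an IKEv1 (ISAKMP) keepalive stanza for an IOS hub, with an aggressive setting beside a more tolerant one. The interval and retry values are constructed for illustration only; the right values depend on how long your WAN flaps actually last.

```cisco
! Hub, IKEv1 (ISAKMP) DPD -- constructed example values, not from the thread
!
! Aggressive: probe every 10 s and retry every 2 s, regardless of traffic.
! A WAN flap lasting only a few tens of seconds is enough for the hub to
! declare the spoke dead and tear down its SAs.
crypto isakmp keepalive 10 2 periodic
!
! More tolerant: probe every 30 s, retry every 10 s, and only send DPD probes
! when the hub has traffic to send and the spoke has been idle (on-demand).
! A short flap then passes without the hub deleting the spoke's SAs, while
! a genuinely dead spoke is still detected and cleaned up.
crypto isakmp keepalive 30 10 on-demand
!
! Verify on the hub which spokes currently hold ISAKMP/IPsec SAs and whether
! DPD is active for each peer:
!   show crypto isakmp sa detail
!   show crypto session detail
```

The two `crypto isakmp keepalive` lines are mutually exclusive (the second replaces the first); they are shown together only to contrast the settings. Pair the change with the `debug cry isa` / `debug cry kmi` output Marcin mentions so you can see whether the hub is receiving the spoke's delete notification or is relying on DPD to clear the old SA.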