Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

SA Renewal question

Hi Experts,

Given a hub to spoke connection, if i clear the crypto sessions on the spoke and the spoke thereafter sends an SA initialization request to the hub, would the hub remove its existing SA with the spoke and renew its SA?

3 REPLIES
Cisco Employee

SA Renewal question

To paint a fuller picture.

Rule of thumb, when clearing SAs you spoke router should send appropriate delete notification towards the hub and hub should remove said SAs.

Also if detele notifications were not sent or received, DPDs should kick in on the hub side and clear sessions that are dead (that's one of the reasons it's best practice for them to be enabled)

There is also indeed a possibility to reconnect with same proxy IDs ...

New Member

SA Renewal question

Thanks for the reply Marcin.

We have an issue with a bug on the hub where it is prematurely clearing the SAs given its DPD setting.  We will be disabling DPD on the hub temporarily till the IOS is upgraded.  My concern is, should the spoke site loses its connection to the hub, since the spoke site has DPD, it will clear its AS.  But once the link between the spoke and hub comes back up and the spoke sends an initialization request to the hub, will the hub clear its SA and renew its SA with the spoke. 

I recall losing internet connection and clearing the cryp session on another setup (no DPD between spokes), and when the internet connection came back up, both spokes renewed its SA but I just wanted to get a second opinion.

Cisco Employee

SA Renewal question

Mark,

Maybe it's just a question of tweaking DPD settings to be less aggressive, not to delete anything on short flap?  :-)

I'd be best to see debugs on any problem like this.

debug cry isa

debug cry kmi

(for reference)

M.

219
Views
0
Helpful
3
Replies
CreatePlease login to create content