Hi Tacack
With unicast rekey, as per the CCIE docs (please refer to the snippet below), if the GM doesn't send an acknowledgment then the KS sends three consecutive rekeys, and if the GM still doesn't respond it will be removed from the list, after which the GM should re-register. I see the three consecutive rekeys after shutting down the GM. But the KS never sends retransmissions of the key as is done in multicast.

*Snippet from http://www.cisco.com/en/US/docs/ios/sec_secure_connectivity/configuration/guide/sec_encrypt_trns_vpn_ps6441_TSD_Products_Configuration_Guide_Chapter.html*

Unicast Rekeying and SAs

In a large unicast group, to alleviate latency issues, the key server generates rekey messages for only a small number of group members at a time. The key server is ensured that all group members receive the same rekey messages for the new SA before the expiration of the old SA.

Also, in a unicast group, after receiving the rekey message from the key server, a group member sends an encrypted acknowledge (ACK) message to the key server using the keys that were received as part of the rekey message. When the key server receives this ACK message, it notes this receipt in its associated group table, which accomplishes the following:

• The key server keeps a current list of active group members.
• The key server sends rekey messages only to active members.

In addition, in a unicast group, the key server removes the group member from its active list and stops sending the rekey messages to that particular group member if the key server does not receive an ACK message for three consecutive rekeys. If no ACK message is received for three consecutive rekeys, the group member has to fully reregister with the key server after its current SA expires if the group member is still interested in receiving the rekey messages. The ejection of a nonresponsive group member is accomplished only when the key server is operating in the unicast rekey mode.
The key server does not eject group members in the multicast rekey mode because group members cannot send ACK messages in that mode.

As in multicast rekeying, if retransmission is configured, each rekey will be retransmitted the configured number of times.

With regards
Kings

On Thu, Nov 11, 2010 at 11:04 AM, Vybhav Ramachandran <[email protected]> wrote:
> Hello Kings,
>
> Just a theory here. Suppose you have configured the KS to send 3 rekey
> retransmits. Suppose after sending the first rekey, in unicast mode, the KS
> receives an ACK from the GM. After this, the retransmits should not be sent.
> Do you think this is happening in your case? Are you sure the rekey ACKs are
> not being sent from the GM to the KS?
>
> Cheers,
> TacACK
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
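The two rules the thread is juggling, retransmits of one rekey (which stop as soon as the GM's ACK arrives, TacACK's point) and consecutive rekeys without any ACK (three of which get the GM ejected from the KS's active list, per the quoted guide), are easy to conflate when reading debugs. The model below is an added example written for this page, not code from the thread, from Cisco, or from IOS: it simulates a key server's unicast-rekey bookkeeping under those two rules so the expected send counts and the ejection point can be seen side by side. Member names, the `retransmits` parameter and the `MISSED_LIMIT` constant are hypothetical illustrations of the documented behaviour, not IOS internals.

```python
"""Toy model of a GETVPN key server's unicast-rekey bookkeeping.

Added example for this thread, not Cisco code. Assumed rules (from the
quoted guide and TacACK's theory):
- each rekey is sent to every active GM; if retransmission is configured,
  the same rekey is re-sent up to `retransmits` more times, but the
  retransmits stop as soon as the GM's encrypted ACK is received;
- a GM that sends no ACK for MISSED_LIMIT consecutive rekeys is removed
  from the active list and must fully re-register.
Names, counts and the 'responders' set are constructed for illustration.
"""
from dataclasses import dataclass, field

MISSED_LIMIT = 3  # consecutive un-ACKed rekeys before ejection (hypothetical constant)


@dataclass
class GroupMember:
    name: str
    missed_acks: int = 0  # consecutive rekeys with no ACK from this GM


@dataclass
class KeyServer:
    retransmits: int = 0  # extra sends of the same rekey when no ACK arrives
    active: dict = field(default_factory=dict)  # name -> GroupMember
    log: list = field(default_factory=list)  # human-readable event trace

    def register(self, gm_name):
        """A GM registers (or re-registers) with the KS and joins the active list."""
        self.active[gm_name] = GroupMember(gm_name)
        self.log.append(f"register {gm_name}")

    def rekey(self, seq, responders):
        """Run one rekey cycle numbered `seq`.

        `responders` is the set of GMs that are up and will ACK this rekey.
        Returns the names ejected during this cycle.
        """
        ejected = []
        for gm in list(self.active.values()):
            acked = False
            # Initial send plus configured retransmits; stop at the first ACK.
            for attempt in range(1 + self.retransmits):
                self.log.append(f"rekey{seq} -> {gm.name} send {attempt + 1}")
                if gm.name in responders:
                    self.log.append(f"rekey{seq} <- {gm.name} ACK")
                    acked = True
                    break
            if acked:
                gm.missed_acks = 0  # an ACK resets the consecutive-miss counter
            else:
                gm.missed_acks += 1
                if gm.missed_acks >= MISSED_LIMIT:
                    del self.active[gm.name]
                    ejected.append(gm.name)
                    self.log.append(
                        f"eject {gm.name}: no ACK for {MISSED_LIMIT} consecutive rekeys"
                    )
        return ejected


def sends_for(ks, seq, gm_name):
    """How many times the KS transmitted rekey `seq` to `gm_name` (from the log)."""
    return sum(1 for e in ks.log if e.startswith(f"rekey{seq} -> {gm_name} "))


def scenario():
    """Kings' test: GM2 is shut down from rekey 1 onward, GM1 stays up.

    Returns the key server and the list of ejections per rekey cycle.
    """
    ks = KeyServer(retransmits=2)  # e.g. 'rekey retransmit ... number 2' (assumed mapping)
    ks.register("GM1")
    ks.register("GM2")
    ejections = [ks.rekey(seq, responders={"GM1"}) for seq in (1, 2, 3, 4)]
    # After ejection the GM has to come back through full registration.
    ks.register("GM2")
    ejections.append(ks.rekey(5, responders={"GM1", "GM2"}))
    return ks, ejections


if __name__ == "__main__":
    ks, ejections = scenario()
    print("\n".join(ks.log))
    print("ejections per cycle:", ejections)
```

In the model, a responsive GM sees exactly one copy of each rekey, the shut-down GM sees the initial send plus both retransmits of rekeys 1 to 3 and is then dropped, so rekey 4 is not sent to it at all; rekey 5 reaches it only because it registered again. On a real KS the equivalent check is the active-member list from `show crypto gdoi ks members` before and after the three rekeys, which shows whether the GM was actually removed rather than merely not retransmitted to.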
