Hello Kings,

Yep, that's exactly my point. The reason you are not seeing retransmissions of the rekey after the retransmission timeout expires in the case of unicast rekey mode is because the first rekey is getting ACKed by the GM and the KS is now happy.

In multicast the KS has no way of verifying if the GM received the keys, so it will retransmit the rekeys X number of times, irrespective of whether the GM received the rekeys or not. But in unicast, if the GM is up and running, the KS sends the first rekey message and immediately receives the ACK. So it knows that the GM has received the rekey and it aborts the retransmit process. It should only then send the next rekey: 1) either when the rekey re-transmit is triggered (e.g., IPSec policy change, Proxy ACL change), or 2) when the rekey timeout expires.

Cheers,
TacACK
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
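As an added illustration of the behaviour discussed in the thread (example code written for this page, not Cisco's or any KS implementation), here is a small model of the KS retransmit logic: in unicast mode the KS stops retransmitting as soon as the GM ACKs, while in multicast mode it sends the initial rekey plus a fixed number of retransmissions regardless. The retransmission count, timeout and message format are constructed placeholders.

```python
# Added example: a toy model of GET VPN key-server (KS) rekey retransmission.
# RETRANSMITS and RETRANSMIT_TIMEOUT are assumed values, not real defaults.
from dataclasses import dataclass, field

RETRANSMITS = 3          # assumed: retransmissions after the initial rekey
RETRANSMIT_TIMEOUT = 10  # assumed: seconds between retransmissions


@dataclass
class GroupMember:
    """A group member (GM) that can be up (receives + ACKs) or down."""
    name: str
    up: bool = True
    received: list = field(default_factory=list)   # sequence numbers seen

    def deliver(self, seq, unicast):
        """Deliver one rekey copy; return True only if the GM ACKs it.
        Multicast rekeys are never acknowledged, so the KS learns nothing."""
        if not self.up:
            return False
        self.received.append(seq)
        return unicast


def send_rekey(gm, unicast):
    """Send a rekey to one GM and return the list of times (seconds) at which
    a copy was sent. Unicast: abort retransmits on the first ACK.
    Multicast: always send the initial rekey plus RETRANSMITS copies."""
    send_times = []
    for seq in range(1 + RETRANSMITS):
        send_times.append(seq * RETRANSMIT_TIMEOUT)
        acked = gm.deliver(seq, unicast)
        if unicast and acked:
            break   # KS is "happy": GM confirmed receipt, stop retransmitting
    return send_times


if __name__ == "__main__":
    for mode, unicast in (("unicast", True), ("multicast", False)):
        for up in (True, False):
            gm = GroupMember("gm1", up=up)
            print(mode, "GM up" if up else "GM down", send_rekey(gm, unicast))
```

With the GM up, unicast mode sends a single message, whereas multicast mode sends all four copies whether or not the GM is reachable.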
