TacACK,

If the GM doesn't send an ACK, then exactly three consecutive rekeys are sent for every rekey timeout. The retransmits can be configured from 1 to 10 times and are sent for every rekey.

You can try configuring the following, register the GM to the KS and then shut down the GM. You will see that only three rekeys are sent after the rekey timeout and then the GM will be removed from the KS member list. 9 retransmits are not sent if the ACK is not received, as you said.

  rekey retransmit 10 number 9

With regards,
Kings

On Thu, Nov 11, 2010 at 12:16 PM, Vybhav Ramachandran <[email protected]> wrote:
> Hello Kings,
>
> Yep, that's exactly my point. The reason you are not seeing retransmissions
> of the rekey after the retransmission timeout expires in case of unicast
> rekey mode is because the first rekey is getting ACKed by the GM and the
> KS is now happy.
>
> In multicast the KS has no way of verifying if the GM received the keys, so
> it will retransmit the rekeys X number of times, irrespective of whether
> the GM received the rekeys or not.
>
> But in unicast, if the GM is up and running, the KS sends the first rekey
> message and immediately receives the ACK. So it knows that the GM has
> received the rekey and it aborts the retransmit process.
>
> It should only then send the next rekey:
> 1) either when the rekey re-transmit is triggered (ex: IPsec policy
> change, proxy ACL change)
> (or)
> 2) when the rekey timeout expires.
>
> Cheers,
> TacACK
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
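The exchange the two posters describe (KS sends a rekey; in unicast mode it stops retransmitting as soon as the GM ACKs, in multicast mode it sends every configured retransmit because no ACK exists; a GM that keeps failing to ACK is dropped from the KS member list) as an added toy model, not Cisco IOS code and not part of the thread. The `retransmits` field stands in for the `number` argument of `rekey retransmit`, the removal threshold of three consecutive unacknowledged rekeys is taken from Kings' observation above and assumed as a constant, and the GM names and the scenario in `demo()` are constructed.

```python
"""Toy model of GET VPN key-server (KS) rekey retransmission.

Added example for this thread; it is NOT Cisco IOS code.  It follows the
behaviour described in the thread: the KS sends a rekey and, in unicast
mode, retransmits it until the group member (GM) ACKs; in multicast mode
there is no ACK, so every configured retransmit is sent.  A GM that fails
to ACK three consecutive rekeys is removed from the member list (threshold
assumed from the observation in the thread).
"""
from dataclasses import dataclass, field

# Assumption taken from the thread: three consecutive unacked rekeys -> removal.
MISSED_REKEYS_BEFORE_REMOVAL = 3


@dataclass
class GroupMember:
    name: str
    up: bool = True           # a shut-down GM never answers
    missed_rekeys: int = 0    # consecutive rekeys with no ACK (unicast only)

    def receive(self, msg):
        """Return an ACK for a unicast rekey when the GM is up, else None."""
        if msg["transport"] == "unicast" and self.up:
            return {"type": "ACK", "seq": msg["seq"]}
        return None


@dataclass
class KeyServer:
    transport: str = "unicast"   # models 'rekey transport unicast|multicast'
    retransmits: int = 3         # models 'rekey retransmit <period> number <1-10>'
    members: dict = field(default_factory=dict)
    seq: int = 0
    log: list = field(default_factory=list)

    def register(self, gm):
        self.members[gm.name] = gm

    def rekey(self):
        """One rekey event (rekey timer expiry or policy change).

        Returns {gm_name: rekey messages sent to that GM in this event}.
        """
        self.seq += 1
        sent = {}
        for name, gm in list(self.members.items()):
            msg = {"type": "REKEY", "seq": self.seq, "transport": self.transport}
            count, acked = 0, False
            # Initial send plus up to `retransmits` retransmissions.
            for _ in range(1 + self.retransmits):
                count += 1
                if gm.receive(msg) is not None:
                    acked = True      # KS is "happy": abort the retransmit process
                    break
            sent[name] = count
            if self.transport == "unicast":
                if acked:
                    gm.missed_rekeys = 0
                else:
                    gm.missed_rekeys += 1
                    if gm.missed_rekeys >= MISSED_REKEYS_BEFORE_REMOVAL:
                        del self.members[name]
                        self.log.append(
                            f"removed {name} after {gm.missed_rekeys} unacked rekeys")
            # Multicast: no ACK exists, so the KS cannot judge the GM and keeps it.
        return sent


def demo():
    """Constructed scenario: unicast KS with one live GM and one shut-down GM.

    Runs three rekey events with 'number 9' and returns (ks, per-event counts).
    """
    ks = KeyServer(transport="unicast", retransmits=9)
    ks.register(GroupMember("gm-up"))
    ks.register(GroupMember("gm-down", up=False))
    counts = [ks.rekey() for _ in range(3)]
    return ks, counts


if __name__ == "__main__":
    ks, counts = demo()
    for i, c in enumerate(counts, 1):
        print(f"rekey {i}: {c}")
    print(ks.log)
```

Running it shows the live GM getting one message per rekey (first send ACKed, retransmits aborted), the shut-down GM getting all ten sends per rekey and being dropped after the third unacknowledged rekey. Switch `transport` to `"multicast"` and every GM receives `1 + retransmits` messages on each rekey, with no removal, because the KS has nothing to count.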
