Thanks Tyson. The retransmits happen only if the ACK is not received by the KS, and rekeys are retransmitted three times.

Does that mean "rekey retransmit" is not relevant to unicast rekeying? Yusuf Practice labs has asked to configure retransmits with unicast rekeys, but I never see the retransmits happening as per "rekey retransmit". Even if the ACK is not sent by the GM to the KS, rekeys are retransmitted only three times.

With regards
Kings

On Fri, Nov 19, 2010 at 3:34 AM, Tyson Scott <[email protected]> wrote:

> Kingsley,
>
> Here is the answer to your question. Unicast doesn't retransmit because
> an acknowledgement is received.
>
> If the rekey mechanism is multicast, there is no efficient feedback
> mechanism by which receivers can indicate that they did not receive a rekey
> message, so retransmission seeks to bring all receivers up to date. If the
> rekey mechanism is unicast, the receivers will send an acknowledgment
> message.
>
> Regards,
>
> Tyson Scott - CCIE #13513 R&S, Security, and SP
> Managing Partner / Sr. Instructor - IPexpert, Inc.
>
> *From:* Kingsley Charles [mailto:[email protected]]
> *Sent:* Thursday, November 11, 2010 4:28 AM
> *To:* Vybhav Ramachandran
> *Cc:* Tyson Scott; [email protected]
> *Subject:* Re: [OSL | CCIE_Security] Retransmission fo GETVPN unicast
> rekeys
>
> Tacack, are the retransmissions sent after the *rekey lifetime* or the
> *rekey retransmit* timeout?
>
> With regards
> Kings
>
> On Thu, Nov 11, 2010 at 1:14 PM, Vybhav Ramachandran <[email protected]>
> wrote:
>
> Hello Kings,
>
> Well, I am observing something different.
>
> After I configure rekey retransmit 10 number 6 (*#rekey retransmit 10 num
> 6*) and shut down the GM's interface (connecting to the KS) after it
> finishes registering, the rekeys are retransmitted *6* times by the
> KS.
>
> So the total number of rekeys sent is 1 + 6 = 7.
>
> I verified this using *#debug crypto gdoi event* on the KS.
>
> Note: Any time during the 7 rekey transmissions, if the KS comes up
> in between, it gladly accepts the next rekey and responds with an ACK. But
> after the 7th attempt, if the KS comes up, it has to re-register
> (according to the doc-cd) before it can receive any more rekeys.
>
> The IOS version I'm using is 12.4(15)T10 and I'm using GNS3 to test out my
> topology.
>
> Cheers,
> TacACK
