The issue (http://trac.tools.ietf.org/wg/ipsecme/trac/ticket/196) was fixed in -03.

This situation (multiple failovers) is mentioned in the third bullet of Sec. 5.1, with the newly-active member required to synchronize its state into other cluster members. It is noted that some race situations are still possible in such cases, resulting in a replay-like situation and the IKE SA being torn down.

Randomization of counter increment values is a possible remedy here. We believe this situation is rare - and implementation-dependent - so this possibility is not mentioned in the text.
_______________________________________________
IPsec mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/ipsec