Allied Telesis AT-9900 用户手册
Software Version 2.8.1
171
Software Version 2.8.1
C613-10477-00 REV B
C613-10477-00 REV B
4.
Further retransmission have a progressively larger delay. The gap between
the second and third retransmissions is 16 seconds, the gap between the
third and fourth retransmissions is 24 seconds, the next gap is 32 seconds,
then 40, 48 and 56 seconds after each retransmission attempt.
the second and third retransmissions is 16 seconds, the gap between the
third and fourth retransmissions is 24 seconds, the next gap is 32 seconds,
then 40, 48 and 56 seconds after each retransmission attempt.
5.
After the eighth retransmission, the exchange times out.
Command Changes
The following table summarises the modified commands:
Retrying ISAKMP Phase 1 and 2 Negotiations
This Software Version allows ISAKMP to retry phase 1 and phase 2
negotiations with an ISAKMP peer. Previously the router or switch would only
attempt an ISAKMP negotiation once.
negotiations with an ISAKMP peer. Previously the router or switch would only
attempt an ISAKMP negotiation once.
You can now set an ISAKMP policy to retry failed ISAKMP exchanges until
either the connection is established, or the retry limit is reached. To specify the
retry limit for a policy, use the new retryikeattempts parameter in the
commands:
either the connection is established, or the retry limit is reached. To specify the
retry limit for a policy, use the new retryikeattempts parameter in the
commands:
create isakmp policy=name peer={ipv4add|ipv6add|any}
[retryikeattempts={0..16|continuous}] [other parameters]
set isakmp policy=name peer={ipv4add|ipv6add|any}
[retryikeattempts={0..16|continuous}] [other parameters]
The retryikeattempts parameter is only valid when a specific peer IP address is
configured in both the ISAKMP and IPsec policies. This feature is designed for
permanent VPN connections. By default, retryikeattempts is set at 0, and
negotiations are not retried.
configured in both the ISAKMP and IPsec policies. This feature is designed for
permanent VPN connections. By default, retryikeattempts is set at 0, and
negotiations are not retried.
ISAKMP retryikeattempts is intended to help re-establish ISAKMP exchanges
when network problems or key exchange errors occur. Specifically, ISAKMP
reattempts exchanges when:
when network problems or key exchange errors occur. Specifically, ISAKMP
reattempts exchanges when:
■
the router or switch rejects SA proposals sent by the peer
■
authentication fails during phase 1 or phase 2
■
the exchange times out during phase 1 or phase 2
■
the peer sends a Delete SA notification message for the most recent SA
Command
Change
New msgbackoff parameter.
New msgbackoff parameter.
New Message Back-off parameter in the output for a
specific exchange.
specific exchange.
New Message Back-off parameter in the output for a
specific policy.
specific policy.
New Message Back-off parameter in the output for a
specific Security Association (SA).
specific Security Association (SA).