How are SAs aged on an AR


AR routers can age SAs in two ways:
- The time-based lifetime indicates the period of time an SA can exist after it is established.
- The traffic-based lifetime indicates the maximum traffic volume that an SA can process before it becomes invalid.

When the specified time or traffic volume is reached, the SA becomes invalid. When the SA is about to expire, IKE will negotiate a new SA. In this manner, a new SA is established when the old SA becomes invalid. Before the new SA is established, the two ends use the old SA to protect data flows. When the new SA is established, the two ends immediately use the new SA.
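The aging behaviour described above, as an added example that is not part of the original page: a small model in which an SA carries both a time-based and a traffic-based lifetime, IKE starts negotiating a replacement when either limit is nearly reached, the old SA keeps protecting traffic until the new one is established, and the two ends switch as soon as it is. The lifetimes, the 90 % rekey threshold and the IKE negotiation delay are assumed values chosen for the illustration, not AR router defaults.

```python
# Added example, not from the page: IPsec SA aging with a time-based and a
# traffic-based lifetime, IKE rekeying shortly before expiry and an immediate
# switch to the new SA. All lifetimes and delays are constructed values.

class SA:
    def __init__(self, spi, established_at, life_seconds, life_bytes):
        self.spi = spi
        self.established_at = established_at
        self.life_seconds = life_seconds   # time-based lifetime
        self.life_bytes = life_bytes       # traffic-based lifetime
        self.bytes_done = 0

    def age(self, now):
        """Fraction of the lifetime used, whichever limit is closer to being hit."""
        return max((now - self.established_at) / self.life_seconds,
                   self.bytes_done / self.life_bytes)

class SaManager:
    REKEY_AT = 0.9   # assumed: rekey once 90 % of either lifetime is consumed

    def __init__(self, life_seconds, life_bytes, ike_delay):
        self.life_seconds, self.life_bytes = life_seconds, life_bytes
        self.ike_delay = ike_delay   # seconds IKE needs to negotiate a new SA
        self.active = None           # SA currently protecting traffic
        self.pending = None          # SA under negotiation, usable at established_at
        self.next_spi = 1
        self.log = []                # (time, event, spi)

    def _negotiate(self, now):
        self.pending = SA(self.next_spi, now + self.ike_delay,
                          self.life_seconds, self.life_bytes)
        self.next_spi += 1
        self.log.append((now, "rekey-start", self.pending.spi))

    def protect(self, now, nbytes):
        """Protect nbytes at time now; return the SPI used, or None if no SA is valid."""
        if self.pending and now >= self.pending.established_at:
            self.active, self.pending = self.pending, None   # switch at once
            self.log.append((now, "switch", self.active.spi))
        if self.active and self.active.age(now) >= 1.0:
            self.log.append((now, "expired", self.active.spi))
            self.active = None                                # SA is now invalid
        if self.active is None:
            if self.pending is None:
                self._negotiate(now)
            return None
        self.active.bytes_done += nbytes
        if self.pending is None and self.active.age(now) >= self.REKEY_AT:
            self._negotiate(now)                              # about to expire
        return self.active.spi
```

Traffic that arrives after the old SA has hit a limit but before the new SA is ready gets no SA at all, which is the gap that rekeying ahead of expiry is meant to avoid.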

Other related questions:
Which aging modes does an SA support
A security association (SA) supports the following types of lifetimes:
- The time-based lifetime: the period of time an SA can exist after it is established.
- The traffic-based lifetime: the maximum traffic volume that an SA can process.

When the specified time or traffic volume is reached, the SA becomes invalid. When the SA is about to expire, IKE will negotiate a new SA for IPSec. In this manner, a new SA is established when the old SA becomes invalid. Before the new SA is established, the two ends use the old SA to protect data flows. When the new SA is established, the two ends immediately use the new SA.

An IPSec tunnel fails to be set up for a long time, and can only be established after the IPSec tunnel is reset
Traffic from the branch that matches an already protected data flow is sent to the headquarters. The headquarters has an IPSec tunnel that protects traffic between the headquarters and the branch. Because the same data flow is already protected by that tunnel, the headquarters and the branch cannot establish a new IPSec tunnel. After the IPSec tunnel on the headquarters is reset, the old IPSec tunnel is deleted and the new IPSec tunnel can be established.

In this case, you can run the ipsec remote traffic-identical accept command to allow a user whose traffic rule is the same as that of an online user to access the IPSec tunnel. The established IPSec SAs are then aged rapidly and the IPSec tunnel is re-established.


How is the NAT flow table manually aged on an AR router
Run the reset nat session all command to age the NAT flow table.

How are NAT session tables of the AR router forcibly aged
Run the reset nat session all command to age the NAT session table.

Configure session table aging time of the firewall on an AR router
Background information
A router creates session tables for data flows that pass through the firewall over TCP, UDP, or ICMP. The session tables record the connection status of these protocols. If no packet hits a record within the aging time (that is, the aging time expires), the corresponding session entry is deleted. To modify the aging time of a protocol, configure the session table aging time of the firewall.

Operation procedure
1. Run the system-view command to access the system view.
2. Run the firewall-nat session { dns | ftp | ftp-data | http | icmp | tcp | tcp-proxy | udp | sip | sip-media | rtsp | rtsp-media | pptp | pptp-data } aging-time time-value command to configure the session table aging time of the firewall.
   By default, the aging time of each protocol is as follows: DNS (120s), FTP (120s), FTP-data (120s), HTTP (120s), ICMP (20s), TCP (600s), TCP-proxy (10s), UDP (120s), SIP (1800s), SIP-media (120s), RTSP (60s), RTSP-media (120s), PPTP (600s), and PPTP-data (600s). You are advised to use the default aging time.
3. Check the configuration result: run the display firewall-nat session aging-time command to view the session table aging time.

Note: The AR510 series routers do not support the keywords sip and sip-media.
