Netscreen - Rekeying a VPN / Clearing the SA`s
Friday, 28 August 2009 02:25
Firewalls - Juniper - Netscreen
To rekey a Netscreen VPN you need to clear either the phase 1 or the phase 2 "keys" from the gateway: the phase 1 keys are the IKE cookies (the IKE/ISAKMP SA) and the phase 2 keys are the IPsec SAs (Security Associations). Clearing a phase 2 SA forces only a new quick mode negotiation; clearing the IKE cookie for a gateway tears down phase 1 and forces the whole tunnel to renegotiate. Either way, traffic over that tunnel is interrupted until the new SA is up, so do this in a maintenance window on a production firewall.
To see an overview of your VPNs run the command `get vpn`. To find the current IKE cookies or SAs, run either of the following commands:
get ike cookies
get sa active
To clear either of these, run one of the following commands. The `clear ike-cookie` command takes the IP address of the peer gateway; the `clear sa` command takes the HEX ID shown in the `get sa active` output.
clear ike-cookie [gateway ip]
clear sa [id]
Below is an example of clearing a VPN's SAs:
ns5gt-> get sa active
Total active sa: 1
total configured sa: 1
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000007< 10.1.1.25 500 esp:3des/md5 ef1d167f 3317 unlim A/- 22 0
00000007> 10.1.1.25 500 esp:3des/md5 fbcb64ee 3317 unlim A/- -1 0
ns5gt-> clear sa 00000007
ns5gt-> get sa active
Total active sa: 1
total configured sa: 1
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000007< 10.1.1.25 500 esp:3des/md5 ef1d1680 3592 unlim A/- 22 0
00000007> 10.1.1.25 500 esp:3des/md5 bd1cbef7 3592 unlim A/- -1 0
The main thing to ensure is that you list only the active SAs, as the firewall will not let you clear inactive SAs. You can tell an SA is active because its "Sta" (state) column reads A/-. Also note that the HEX ID, without the < or > direction marker, is what the `clear sa` command takes; the inbound (<) and outbound (>) rows share one ID and are cleared together. You can confirm the rekey worked from the second `get sa active`: both SAs come back with new SPIs (ef1d167f to ef1d1680 and fbcb64ee to bd1cbef7) and the lifetime has been reset.
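The check described above (only active SAs can be cleared, and the ID is the HEX ID without its direction marker) is easy to get wrong when a firewall has dozens of tunnels. The following is an added example, not code from the original article or from Juniper: a small Python parser for the `get sa active` table that selects the SA IDs in state A/-, emits the matching `clear sa` commands, and verifies a rekey by checking that the SPIs changed between a before and after listing. The sample output is constructed from the session shown above; the third SA (ID 00000009, state I/I, gateway 10.1.1.30) is a hypothetical inactive entry added to show the filtering.

```python
"""Plan and verify a Netscreen phase 2 rekey from `get sa active` output.

Added example, not part of the original article. The table format follows
the ScreenOS output quoted in the article; the inactive row is constructed.
"""
import re

# Constructed sample: `get sa active` before the clear, plus one hypothetical
# inactive SA (00000009) that the firewall would refuse to clear.
BEFORE = """\
Total active sa: 1
total configured sa: 2
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000007< 10.1.1.25 500 esp:3des/md5 ef1d167f 3317 unlim A/- 22 0
00000007> 10.1.1.25 500 esp:3des/md5 fbcb64ee 3317 unlim A/- -1 0
00000009< 10.1.1.30 500 esp:3des/md5 00000000 0 unlim I/I -1 0
00000009> 10.1.1.30 500 esp:3des/md5 00000000 0 unlim I/I -1 0
"""

# Constructed sample: the same listing after `clear sa 00000007`.
AFTER = """\
Total active sa: 1
total configured sa: 2
HEX ID Gateway Port Algorithm SPI Life:sec kb Sta PID vsys
00000007< 10.1.1.25 500 esp:3des/md5 ef1d1680 3592 unlim A/- 22 0
00000007> 10.1.1.25 500 esp:3des/md5 bd1cbef7 3592 unlim A/- -1 0
00000009< 10.1.1.30 500 esp:3des/md5 00000000 0 unlim I/I -1 0
00000009> 10.1.1.30 500 esp:3des/md5 00000000 0 unlim I/I -1 0
"""

# One SA row: HEX ID + direction marker, then the columns of the table header.
ROW = re.compile(
    r"^([0-9a-fA-F]{8})([<>])\s+(\S+)\s+(\d+)\s+(\S+)\s+([0-9a-fA-F]{8})"
    r"\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$"
)


def parse_sa_table(text):
    """Return one dict per SA row; header and summary lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        rows.append({
            "id": m.group(1).lower(),      # HEX ID used by `clear sa`
            "dir": m.group(2),             # '<' inbound, '>' outbound
            "gateway": m.group(3),
            "port": int(m.group(4)),
            "algorithm": m.group(5),
            "spi": m.group(6).lower(),
            "life_sec": m.group(7),
            "kb": m.group(8),
            "state": m.group(9),           # A/- means active
            "pid": m.group(10),
            "vsys": int(m.group(11)),
        })
    return rows


def active_sa_ids(text, gateway=None):
    """HEX IDs in state A/-, optionally limited to one peer gateway.

    The inbound and outbound rows share an ID, so each ID is returned once.
    """
    ids = []
    for r in parse_sa_table(text):
        if r["state"] != "A/-":
            continue
        if gateway is not None and r["gateway"] != gateway:
            continue
        if r["id"] not in ids:
            ids.append(r["id"])
    return ids


def clear_commands(text, gateway=None):
    """The `clear sa <hex id>` commands to type for every clearable SA."""
    return ["clear sa %s" % sa_id for sa_id in active_sa_ids(text, gateway)]


def rekeyed(before, after, sa_id):
    """True if both directions of sa_id carry a different SPI after the clear."""
    def spis(text):
        return {r["dir"]: r["spi"] for r in parse_sa_table(text)
                if r["id"] == sa_id.lower()}
    b, a = spis(before), spis(after)
    return bool(b) and set(b) == set(a) and all(b[d] != a[d] for d in b)


if __name__ == "__main__":
    for cmd in clear_commands(BEFORE):
        print(cmd)
    print("rekeyed:", rekeyed(BEFORE, AFTER, "00000007"))
```

Paste the real `get sa active` output into `BEFORE`, and after issuing the printed commands paste the new listing into `AFTER`; `rekeyed` tells you whether the SPIs actually rolled over, which is the same check the article makes by eye.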
See also: Fir3net's Netscreen Site-to-Site VPN troubleshooting guide.