FortiGate
tgirard
Staff
Article Id 340338
Description This article describes the configuration needed so that all ADVPN shortcuts to a given remote spoke are deleted together once they become idle.
Scope FortiOS 7.6.0 and later.
Solution

All shortcuts to a given remote spoke are deleted together on idle timeout only if both of the following settings are configured. Without the location-id the shortcuts to that spoke cannot be grouped, and without shared-idle-timeout each shortcut is timed out on its own.

 

  1. Set location-id in system settings.

config system settings
    set location-id 1.1.1.1
end

  2. Set both idle-timeout and shared-idle-timeout in the VPN IPsec phase1-interface settings. idle-timeoutinterval is expressed in minutes.

config vpn ipsec phase1-interface
    edit advpn101
        set idle-timeout enable
        set idle-timeoutinterval 5
        set shared-idle-timeout enable
    next
end

 

Below is an example of 'diagnose debug application ike -1' output (with 'diagnose debug enable') when four shortcuts from two different local IPsec phase1 interfaces (advpn101 and advpn102) to the same remote spoke are idle and are torn down together. The idle timeout fires on advpn101_0, and because the timeout is shared, every shortcut bundled with it is deleted and its bundle released.

 

ike V=root:0:advpn101_0: connection idle time-out for all shared connections
ike V=root:0:advpn101_1: going to be deleted
ike V=root:0:advpn101_1: flushing
ike V=root:0:advpn101_1: deleting IPsec SA with SPI e2a0c6f0
ike V=root:0:advpn101_1:advpn101: deleted IPsec SA with SPI e2a0c6f0, SA count: 1
ike V=root:0:advpn101_1: deleting IPsec SA with SPI e2a0c6ef
ike V=root:0:advpn101_1:advpn101: deleted IPsec SA with SPI e2a0c6ef, SA count: 0
ike V=root:0:advpn101_1: sending SNMP tunnel DOWN trap for advpn101
ike V=root:0:advpn101_1:advpn101: delete
ike V=root:0:advpn101_1: deleting IPsec SA with SPI e2a0c6eb
ike V=root:0:advpn101_1:advpn101: deleted IPsec SA with SPI e2a0c6eb, SA count: 0
ike V=root:0:advpn101_1: sending SNMP tunnel DOWN trap for advpn101
...
ike 0:advpn101: bundle advpn101_1_1.1.1.1 1 del member advpn101_1
ike 0:advpn101: release bundle advpn101_1_1.1.1.1
...
ike 0:advpn102: bundle advpn102_0_1.1.1.1 1 del member advpn102_0
ike 0:advpn102: release bundle advpn102_0_1.1.1.1
...
ike 0:advpn102: bundle advpn102_1_1.1.1.1 1 del member advpn102_1
ike 0:advpn102: release bundle advpn102_1_1.1.1.1
...
ike 0:advpn101: bundle advpn101_0_1.1.1.1 1 del member advpn101_0
ike 0:advpn101: release bundle advpn101_0_1.1.1.1
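To confirm from the debug output that the shared idle timeout really removed every shortcut to a spoke, the lines worth checking are the 'del member' and 'release bundle' pairs per bundle. The following script is an added example written for this article, not code from Fortinet or from the article itself. It parses the IKE debug lines shown above, groups the deleted shortcuts by the trailing address of the bundle name (assumed here to be the location-id the shortcuts are bundled under, as the output above suggests) and flags any bundle that lost a member but was never released. The sample text is constructed and shortened; it adds a second spoke (location-id 2.2.2.2, phase1 advpn103) whose bundle is never released, to show the incomplete case.

```python
import re
from collections import defaultdict

# Constructed sample modelled on 'diagnose debug application ike -1' output.
# Not a capture from the article's device: the advpn103 / 2.2.2.2 lines are
# added to show a bundle whose member is deleted but which is never released.
SAMPLE_DEBUG = """\
ike V=root:0:advpn101_0: connection idle time-out for all shared connections
ike V=root:0:advpn101_1: going to be deleted
ike V=root:0:advpn101_1: flushing
ike V=root:0:advpn101_1: deleting IPsec SA with SPI e2a0c6f0
ike V=root:0:advpn101_1:advpn101: deleted IPsec SA with SPI e2a0c6f0, SA count: 1
ike V=root:0:advpn101_1: deleting IPsec SA with SPI e2a0c6ef
ike V=root:0:advpn101_1:advpn101: deleted IPsec SA with SPI e2a0c6ef, SA count: 0
ike V=root:0:advpn101_1: sending SNMP tunnel DOWN trap for advpn101
ike 0:advpn101: bundle advpn101_1_1.1.1.1 1 del member advpn101_1
ike 0:advpn101: release bundle advpn101_1_1.1.1.1
ike 0:advpn102: bundle advpn102_0_1.1.1.1 1 del member advpn102_0
ike 0:advpn102: release bundle advpn102_0_1.1.1.1
ike 0:advpn102: bundle advpn102_1_1.1.1.1 1 del member advpn102_1
ike 0:advpn102: release bundle advpn102_1_1.1.1.1
ike 0:advpn101: bundle advpn101_0_1.1.1.1 1 del member advpn101_0
ike 0:advpn101: release bundle advpn101_0_1.1.1.1
ike 0:advpn103: bundle advpn103_0_2.2.2.2 1 del member advpn103_0
"""

IDLE_RE = re.compile(
    r"^ike V=(?P<vdom>[^:]+):\d+:(?P<tunnel>[^:]+): "
    r"connection idle time-out for all shared connections$")
DEL_MEMBER_RE = re.compile(
    r"^ike \d+:(?P<phase1>[^:]+): bundle (?P<bundle>\S+) \d+ del member (?P<member>\S+)$")
RELEASE_RE = re.compile(
    r"^ike \d+:(?P<phase1>[^:]+): release bundle (?P<bundle>\S+)$")


def bundle_location(bundle):
    """Split '<phase1>_<index>_<location-id>' from the right and return the
    location-id. Assumption: the trailing dotted address is the location-id
    the shortcuts are bundled under, as the article's output suggests."""
    parts = bundle.rsplit("_", 2)
    if len(parts) != 3:
        raise ValueError(f"unexpected bundle name: {bundle}")
    return parts[2]


def summarize_teardown(debug_text):
    """Return (idle_triggers, per_location).

    idle_triggers: tunnels on which the shared idle timeout fired.
    per_location: location-id -> sorted shortcuts deleted, sorted phase1s
    involved, and whether every bundle that lost a member was released."""
    per_loc = defaultdict(lambda: {"members": [], "phase1s": set(), "pending": set()})
    idle_triggers = []
    for raw in debug_text.splitlines():
        line = raw.strip()
        if m := IDLE_RE.match(line):
            idle_triggers.append(m["tunnel"])
        elif m := DEL_MEMBER_RE.match(line):
            entry = per_loc[bundle_location(m["bundle"])]
            entry["members"].append(m["member"])
            entry["phase1s"].add(m["phase1"])
            entry["pending"].add(m["bundle"])   # released only when 'release bundle' follows
        elif m := RELEASE_RE.match(line):
            per_loc[bundle_location(m["bundle"])]["pending"].discard(m["bundle"])
    per_location = {
        loc: {
            "shortcuts_deleted": sorted(e["members"]),
            "phase1s": sorted(e["phase1s"]),
            "all_released": not e["pending"],
        }
        for loc, e in per_loc.items()
    }
    return idle_triggers, per_location


if __name__ == "__main__":
    triggers, summary = summarize_teardown(SAMPLE_DEBUG)
    print("shared idle timeout fired on:", ", ".join(triggers))
    for loc, info in sorted(summary.items()):
        state = "all bundles released" if info["all_released"] else "BUNDLE STILL HELD"
        print(f"spoke {loc}: {len(info['shortcuts_deleted'])} shortcut(s) over "
              f"{info['phase1s']} deleted, {state}")
```

Run it against a saved debug capture by replacing SAMPLE_DEBUG with the file contents; a spoke reported with fewer shortcuts than expected, or with a held bundle, is the signal that one of the two settings above is missing on one of the phase1 interfaces.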
