R2511-HP MSR Router Series Security Command Reference(V5)

When you clear a local IPsec SA, its ISAKMP SA can transmit the Delete message to notify the remote
end to delete the paired IPsec SA. If the ISAKMP SA has been cleared, the local end cannot notify the
remote end to clear the paired IPsec SA, and you must manually clear the remote IPsec SA.
Examples
# Clear the IKE SA that uses connection ID 2.
<Sysname> display ike sa
    total phase-1 SAs:  1
    connection-id  peer            flag        phase   doi
  ----------------------------------------------------------
      1            202.38.0.2      RD|ST       1       IPSEC
      2            202.38.0.2      RD|ST       2       IPSEC
  flag meaning
  RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT RK--REKEY
<Sysname> reset ike sa 2
<Sysname> display ike sa
    total phase-1 SAs:  1
    connection-id  peer            flag        phase   doi
  ----------------------------------------------------------
      1            202.38.0.2      RD|ST       1       IPSEC
  flag meaning
  RD--READY ST--STAYALIVE RL--REPLACED FD--FADING TO--TIMEOUT RK--REKEY
Related commands
display ike sa

sa duration
Use sa duration to set the ISAKMP SA lifetime for an IKE proposal.
Use undo sa duration to restore the default.
Syntax
sa duration seconds
undo sa duration
Default
The ISAKMP SA lifetime is 86400 seconds.
Views
IKE proposal view
Default command level
2: System level
Parameters
seconds: Specifies the ISAKMP SA lifetime in seconds, in the range of 60 to 604800.
Usage guidelines
Before an SA expires, IKE negotiates a new SA. The new SA takes effect immediately after being set up,
and the old one will be cleared automatically when it expires.