fir3net
PPS-Firenetbanner-780.5x190-30-03-17

Netscreen - Rekeying a VPN / Clearing the SA`s

In order to rekey a Netscreen VPN you will need to either clear the phase 1 or phase 2 "keys" from the gateway. Phase 1 being the IKE cookies and phase 2 being the SA`s (Security Association).

To see an overview of your VPN`s run the command, `get vpn`
In order to find the current IKE Cookies or SA`s, run either of the following commands,

get ike cookies 
get sa active

To clear either of these run either or of the following commands,

clear ike-cookie [gateway ip] 
clear sa [id]

Below shows you an example of clear a VPN`s SA`s,

ns5gt-> get sa active
Total active sa: 1
total configured sa: 1
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000007<       10.1.1.25  500 esp:3des/md5  ef1d167f  3317 unlim A/-    22 0
00000007>       10.1.1.25  500 esp:3des/md5  fbcb64ee  3317 unlim A/-    -1 0

ns5gt-> clear sa 00000007

ns5gt-> get sa active
Total active sa: 1
total configured sa: 1
HEX ID    Gateway         Port Algorithm     SPI      Life:sec kb Sta   PID vsys
00000007<       10.1.1.25  500 esp:3des/md5  ef1d1680  3592 unlim A/-    22 0
00000007>       10.1.1.25  500 esp:3des/md5  bd1cbef7  3592 unlim A/-    -1 0

The main thing to ensure is that you show only the active sa`s as the firewall will not let you clear inactive sa`s. You can tell that they are active as the "Sta" (State) is A/- which is active. Also note that the Hex ID was used when using the `clear sa` command.

Click here for Fir3nets Netscreen Site 2 Site VPN troubleshooting guide.

 

Tags: VPN, Netscreen

About the Author

RDonato

R Donato

Rick Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Rick on Twitter @f3lix001