{"id":303,"date":"2009-08-28T02:25:14","date_gmt":"2009-08-28T02:25:14","guid":{"rendered":"https:\/\/fir3netwp.gmsrrpobkbd.com\/2009\/08\/28\/netscreen-rekeying-a-vpn-clearing-the-sas\/"},"modified":"2023-01-15T22:33:03","modified_gmt":"2023-01-15T22:33:03","slug":"netscreen-rekeying-a-vpn-clearing-the-sas","status":"publish","type":"post","link":"https:\/\/www.fir3net.com\/Firewalls\/Juniper\/netscreen-rekeying-a-vpn-clearing-the-sas.html","title":{"rendered":"Netscreen – Rekeying a VPN \/ Clearing the SA`s"},"content":{"rendered":"
To rekey a Netscreen VPN, you need to clear either the phase 1 or the phase 2 “keys” from the gateway. The phase 1 keys are the IKE cookies and the phase 2 keys are the SAs (Security Associations).<\/p>\n
To see an overview of your VPNs, run the command `get vpn`.
\nTo find the current IKE cookies or SAs, run either of the following commands:<\/p>\n
get ike cookies \r\nget sa active<\/pre>\nTo clear either of these, run either of the following commands:<\/p>\n
clear ike-cookie [gateway ip] \r\nclear sa [id]<\/pre>\nBelow is an example of clearing a VPN's SAs:<\/p>\n
ns5gt-> get sa active\r\nTotal active sa: 1\r\ntotal configured sa: 1\r\nHEX ID\u00a0\u00a0\u00a0 Gateway\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Port Algorithm\u00a0\u00a0\u00a0\u00a0 SPI\u00a0\u00a0\u00a0\u00a0\u00a0 Life:sec kb Sta\u00a0\u00a0 PID vsys\r\n00000007<\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 10.1.1.25\u00a0 500 esp:3des\/md5\u00a0 ef1d167f<\/strong>\u00a0 3317 unlim A\/-<\/strong>\u00a0\u00a0\u00a0 22 0\r\n00000007>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 10.1.1.25\u00a0 500 esp:3des\/md5\u00a0 fbcb64ee\u00a0 3317 unlim A\/-\u00a0\u00a0\u00a0 -1 0<\/pre>\nns5gt-> clear sa 00000007<\/strong><\/p>\n
ns5gt-> get sa active
\nTotal active sa: 1
\ntotal configured sa: 1
\nHEX ID\u00a0\u00a0\u00a0 Gateway\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Port Algorithm\u00a0\u00a0\u00a0\u00a0 SPI\u00a0\u00a0\u00a0\u00a0\u00a0 Life:sec kb Sta\u00a0\u00a0 PID vsys
\n00000007<\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 10.1.1.25\u00a0 500 esp:3des\/md5\u00a0 ef1d1680<\/strong>\u00a0 3592 unlim A\/-<\/strong>\u00a0\u00a0\u00a0 22 0
\n00000007>\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 10.1.1.25\u00a0 500 esp:3des\/md5\u00a0 bd1cbef7\u00a0 3592 unlim A\/-\u00a0\u00a0\u00a0 -1 0<\/p>\nThe main thing is to list only the active SAs, as the firewall will not let you clear inactive SAs. You can tell that an SA is active because its “Sta” (State) column shows A\/-. Also note that the Hex ID is the value passed to the `clear sa` command. In the second output the SPI values and the remaining lifetime have changed, which shows that the SA was renegotiated.<\/p>\n
Click here for Fir3net's Netscreen Site 2 Site VPN troubleshooting guide.<\/a><\/p>\n
<\/p>\n","protected":false},"excerpt":{"rendered":"
In order to rekey a Netscreen VPN you will need to either clear the phase 1 or phase 2 “keys” from the gateway. Phase 1 being the IKE cookies and phase 2 being the SA`s (Security Association). To see an overview of your VPN`s run the command, `get vpn` In order to find the current … Read more<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[16],"tags":[],"yoast_head":"\n
Netscreen - Rekeying a VPN \/ Clearing the SA`s - Fir3net<\/title>\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\t\n\t\n\t\n