
Re: missing ACK message



You've really got 2 options.
 
1 - Wait for the ACK, but don't let your state machine advance, and have a timer that cleans everything up if the ACK never comes.  You may even want to retransmit your SET(STATUS=FAIL)
 
2 - Delete the phase 1 SA right away, and send a DELETE notify.  If the ACK comes, you'll ignore it because you won't recognize the cookies.
 
Option #1 is a little more polite since the SET(STATUS=FAIL) may have gotten lost in transit, and the peer doesn't know what's going on if he didn't receive the SET.  If you retransmit the SET (when you haven't received an ACK), then there's a better chance to make sure that the Remote Access Client knows why the connection is being torn down, and can notify the User.  It's also a little bit more complex to implement.
 
Option #2 will work just as well in most cases.  It will clean up rejected connections faster.  It will also cause some "INVALID-COOKIE" events, which most likely will end up in your logs.
 
Stephane.
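The two teardown strategies above, as an added simulation that is not code from the thread or from any IPsec implementation. Everything here is constructed for illustration: the class and function names (EdgeDevice, Sa, simulate), the timer values (ACK_TIMEOUT, MAX_RETRANSMITS) and the cookie bytes are assumptions. Option 1 keeps the phase 1 SA in an AWAITING_ACK state, retransmits SET(STATUS=FAIL) on a timer and cleans up if the ACK never comes; option 2 deletes the SA at once, sends a DELETE notify, and logs INVALID-COOKIE when the late ACK arrives for cookies it no longer knows.

```python
"""Constructed simulation of handling a missing Xauth ACK (hypothetical names)."""
from dataclasses import dataclass
from enum import Enum, auto
from typing import Dict, List, Optional, Tuple

# A phase 1 SA is identified by its (initiator, responder) cookie pair.
Cookies = Tuple[bytes, bytes]

ACK_TIMEOUT = 5.0      # seconds to wait for each ACK (constructed value)
MAX_RETRANSMITS = 3    # SET(STATUS=FAIL) retransmissions before giving up (constructed value)


class SaState(Enum):
    XAUTH = auto()          # Xauth transaction still in progress
    AWAITING_ACK = auto()   # option 1: SET(STATUS=FAIL) sent, waiting for the ACK


@dataclass
class Sa:
    cookies: Cookies
    state: SaState = SaState.XAUTH
    retransmits: int = 0
    timer_expires: Optional[float] = None


class EdgeDevice:
    """Edge device side of the transaction; option selects strategy 1 or 2."""

    def __init__(self, option: int):
        self.option = option
        self.sas: Dict[Cookies, Sa] = {}
        self.sent: List[str] = []   # messages sent to the peer
        self.log: List[str] = []    # local events an operator would see

    def new_phase1_sa(self, cookies: Cookies) -> None:
        self.sas[cookies] = Sa(cookies)

    def _send_set_fail(self, sa: Sa, now: float) -> None:
        # Send the failure status and arm the ACK timer; the state machine
        # does not advance until the ACK arrives or the timer gives up.
        self.sent.append("SET(XAUTH_STATUS=FAIL)")
        sa.state = SaState.AWAITING_ACK
        sa.timer_expires = now + ACK_TIMEOUT

    def reject_user(self, cookies: Cookies, now: float) -> None:
        sa = self.sas[cookies]
        if self.option == 1:
            self._send_set_fail(sa, now)
        else:
            # Option 2: tell the peer, then tear the SA down without waiting.
            self.sent.append("SET(XAUTH_STATUS=FAIL)")
            self.sent.append("DELETE(phase 1 SA)")
            del self.sas[cookies]
            self.log.append("phase 1 SA deleted immediately")

    def on_ack(self, cookies: Cookies) -> None:
        sa = self.sas.get(cookies)
        if sa is None:
            # Option 2 path: the SA is gone, so the cookies are unknown.
            self.log.append("INVALID-COOKIE")
            return
        if sa.state is SaState.AWAITING_ACK:
            self.log.append("ACK received, teardown complete")
            del self.sas[cookies]

    def tick(self, now: float) -> None:
        """Timer processing for option 1: retransmit, then clean up."""
        for cookies, sa in list(self.sas.items()):
            if sa.state is not SaState.AWAITING_ACK or now < sa.timer_expires:
                continue
            if sa.retransmits < MAX_RETRANSMITS:
                sa.retransmits += 1
                self.log.append(f"no ACK, retransmit #{sa.retransmits}")
                self._send_set_fail(sa, now)
            else:
                self.log.append("ACK never came, cleaning up phase 1 SA")
                del self.sas[cookies]


def simulate(option: int, ack_at: Optional[float]) -> EdgeDevice:
    """Reject a login at t=0; ack_at is when the peer's ACK arrives (None = lost)."""
    dev = EdgeDevice(option)
    cookies = (b"\x01" * 8, b"\x02" * 8)   # constructed cookie pair
    dev.new_phase1_sa(cookies)
    dev.reject_user(cookies, now=0.0)
    ack_delivered = False
    t = 0.0
    while t <= 30.0:
        if ack_at is not None and not ack_delivered and t >= ack_at:
            dev.on_ack(cookies)
            ack_delivered = True
        dev.tick(t)
        t += 1.0
    return dev


if __name__ == "__main__":
    for opt, ack in ((1, 2.0), (1, None), (2, 2.0), (2, None)):
        d = simulate(opt, ack)
        print(f"option {opt}, ACK at {ack}: sent={d.sent} log={d.log}")
```

With the lost-ACK case, option 1 sends the original SET plus three retransmissions and only then frees the SA, so the peer gets several chances to learn why it was rejected; option 2 is done at t=0 and the only later trace is the INVALID-COOKIE log entry when a delayed ACK does show up.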
----- Original Message -----
From: vamsi
Sent: Thursday, November 30, 2000 2:15 AM
Subject: missing ACK message

Hi,
The following is the general Xauth transaction:

IPSec Host                                              Edge Device
   --------------                                    -----------------
                                       <-- REQUEST
   REPLY -->
                                                    <-- SET
   ACK -->

Section 5 of the Xauth draft says:

  " The Extended Authentication transaction is terminated either when
   the edge device starts a SET/ACK exchange which includes an
   XAUTH_STATUS attribute or when the remote device sends a
   XAUTH_STATUS attribute in a REPLY message.  Please note that a
   remote device can not set XAUTH_STATUS to anything but FAIL."


1) The Xauth transaction is terminated when the edge device starts a SET/ACK exchange. Is that termination once the exchange is started, or on completion of the SET/ACK exchange?

2) Should the edge device wait for the 'ACK' message from the IPsec Host?
3) What happens if by any chance the edge device does not receive the 'ACK' message from the remote device (IPsec Host)?

bye





**************************************************************
Wealth is lost            Nothing is lost
Health is lost            Something is lost
Character is lost      Everything is lost


****************************************************************