
VPN Sticky SA

By default, the VPN Sticky Security Association (SA) feature is enabled. This feature ensures that the 61000/41000 Security System has only one outgoing SA to remote peers. Some network device manufacturers require this to minimize security vulnerabilities.

Important - Make sure that SPI distribution and Sticky SA are not enabled at the same time.

Configuring VPN Sticky SA

  1. To disable VPN Sticky SA, run this command in the Expert mode:

    # g_update_conf_file $FWDIR/modules/fwkern.conf fwha_vpn_sticky_tunnel_enabled=0

  2. To re-enable VPN Sticky SA, run this command in the Expert mode:

    # g_update_conf_file $FWDIR/modules/fwkern.conf fwha_vpn_sticky_tunnel_enabled=1

  3. Reboot all SGMs:

    # reboot -b all

You can enable (1) or disable (0) VPN Sticky SA immediately, without reboot, with this Expert mode command:

# g_fw ctl set int fwha_vpn_sticky_tunnel_enabled 0

Note: This change does not survive reboot.


Verification

To see the VPN Sticky SA status, run this command in the Expert mode:

# g_fw ctl get int fwha_vpn_sticky_tunnel_enabled

-*- 12 blades: 1_01 1_02 1_03 1_04 1_05 1_06 2_01 2_02 2_03 2_04 2_05 2_06 -*-
fwha_vpn_sticky_tunnel_enabled = 0
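Because a value set with g_fw ctl set int does not survive a reboot, a practitioner usually wants to confirm that the runtime value reported above matches what is persisted in $FWDIR/modules/fwkern.conf. The following POSIX shell script is an added example written for this page, not Check Point code or documentation. It assumes the "-*- N blades: ... -*-" header and "name = value" line shown above, assumes fwkern.conf holds name=value lines as written by g_update_conf_file, and uses constructed sample data and hypothetical function names (runtime_value, persisted_value, blade_count, check_sticky_sa, report) so that it runs offline.

```sh
#!/bin/sh
# Added example (not Check Point code): compare the runtime value of
# fwha_vpn_sticky_tunnel_enabled with the value persisted in fwkern.conf.
# Assumptions: the "-*- N blades: ... -*-" header and "name = value" line
# printed by g_fw ctl get int, and name=value lines in fwkern.conf.
# The sample data below is constructed; on a live SGM you would capture it with
#   STATUS=$(g_fw ctl get int fwha_vpn_sticky_tunnel_enabled)
#   CONF=$(cat "$FWDIR/modules/fwkern.conf")

PARAM=fwha_vpn_sticky_tunnel_enabled
DEFAULT=1   # Sticky SA is enabled by default when fwkern.conf does not set it

# Runtime value reported by `g_fw ctl get int <param>`.
# Usage: runtime_value <param> "<captured output>"   (prints nothing if absent)
runtime_value() {
    printf '%s\n' "$2" | awk -v p="$1" '$1 == p && $2 == "=" { print $3; exit }'
}

# Persisted value from fwkern.conf text; falls back to <default> when the
# parameter is not set there.
# Usage: persisted_value <param> "<fwkern.conf contents>" <default>
persisted_value() {
    v=$(printf '%s\n' "$2" | awk -F= -v p="$1" '$1 == p { print $2; exit }')
    printf '%s\n' "${v:-$3}"
}

# Number of blades covered by the aggregated "-*- N blades: ... -*-" header.
blade_count() {
    printf '%s\n' "$1" | sed -n 's/^-\*- \([0-9][0-9]*\) blades:.*/\1/p'
}

# Returns 0 when runtime and persisted values agree, 1 when they drift (a change
# made with `g_fw ctl set int` that a reboot would undo), 2 when the runtime
# value could not be parsed from the status output.
# Usage: check_sticky_sa "<status output>" "<fwkern.conf contents>"
check_sticky_sa() {
    rt=$(runtime_value "$PARAM" "$1")
    pv=$(persisted_value "$PARAM" "$2" "$DEFAULT")
    [ -n "$rt" ] || return 2
    [ "$rt" = "$pv" ]
}

# Human-readable verdict for the stand-alone run.
report() {
    if check_sticky_sa "$1" "$2"; then
        echo "OK: runtime and persisted values agree"
    elif [ $? -eq 1 ]; then
        echo "DRIFT: runtime value will be lost on reboot"
    else
        echo "ERROR: could not parse status output"
    fi
}

# Constructed sample: the status output shown on this page (feature disabled at
# runtime), once with a fwkern.conf still at the default and once persisted.
SAMPLE_STATUS='-*- 12 blades: 1_01 1_02 1_03 1_04 1_05 1_06 2_01 2_02 2_03 2_04 2_05 2_06 -*-
fwha_vpn_sticky_tunnel_enabled = 0'
SAMPLE_CONF_DRIFT='fwha_vpn_sticky_tunnel_enabled=1'
SAMPLE_CONF_OK='fwha_vpn_sticky_tunnel_enabled=0'

report "$SAMPLE_STATUS" "$SAMPLE_CONF_DRIFT"   # DRIFT: runtime value will be lost on reboot
report "$SAMPLE_STATUS" "$SAMPLE_CONF_OK"      # OK: runtime and persisted values agree
```

The drift case is the one to watch for in change control: an SGM whose runtime value was flipped with g_fw ctl set int will silently revert to the fwkern.conf value at the next reboot, so a check like this belongs in the post-change verification step rather than only at the time of the change.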

Notes:

  • Only outbound sticky SA connections are synchronized.
  • Connections are not synchronized to all SGMs.

    To synchronize connections to all SGMs, run:

    # asg_lte_config enable

©2015 Check Point Software Technologies Ltd. All rights reserved.