Use the IPsec window to delete a specific IPsec security association (SA) or all SAs.
SAs are created by successful IPsec negotiations between the SBC Core and protected peers. Each SA is the bundle of algorithms and parameters used to encrypt and authenticate a particular flow in one direction. Thus for normal bidirectional traffic, the flows are secured by a pair of security associations.
SAs are normally removed when the peer sends a notification that it has deleted an SA, or when Dead Peer Detection determines that the peer is unresponsive.
When necessary you can also remove SAs before their lifetime expires using the following methods:
- Globally deleting every IKE SA
- Deleting a specific IKE SA by its IKE handle identifier
- Deleting the IPsec SA pair with a given incoming Security Parameter Index value (LOCAL SPI)
If an SA is deleted in any of these ways within 60 seconds of the time it was established, the SBC Core, as a Denial-of-Service protection, does not respond to new phase 1 IKE negotiations initiated by that peer for 60 seconds. Otherwise, the peer may re-negotiate phase 1 IKE immediately after the SA is deleted.
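The deletion methods and the 60-second lockout rule above can be hard to reason about in combination (which peer is silenced, for how long, and what else disappears with a deleted IKE SA). The following is an added toy model written for this page, not SBC Core code: the SA records, peers, SPIs and timestamps are constructed, the `SaTable` class and its methods are hypothetical, and it assumes, as in IKEv2, that IPsec SA pairs negotiated under an IKE SA are removed together with that IKE SA (the page does not state this).

```python
"""Toy model of the SA-deletion rules described above (added example, not SBC code)."""
from dataclasses import dataclass, field
from typing import Dict, List

# From the text: an SA torn down within 60 s of establishment silences
# phase 1 IKE from that peer for 60 s. Both windows use this constant.
LOCKOUT_SECONDS = 60.0


@dataclass
class IkeSa:
    handle: int            # IKE handle identifier used to delete one IKE SA
    peer: str
    established_at: float


@dataclass
class IpsecSaPair:
    local_spi: int         # incoming SPI (LOCAL SPI); identifies the pair
    remote_spi: int        # outgoing SPI of the same bidirectional flow
    peer: str
    ike_handle: int        # assumption: IKE SA that negotiated this pair
    established_at: float


@dataclass
class SaTable:
    ike: Dict[int, IkeSa] = field(default_factory=dict)
    ipsec: Dict[int, IpsecSaPair] = field(default_factory=dict)  # keyed by local SPI
    lockout_until: Dict[str, float] = field(default_factory=dict)  # peer -> time

    def add_ike(self, sa: IkeSa) -> None:
        self.ike[sa.handle] = sa

    def add_ipsec(self, pair: IpsecSaPair) -> None:
        self.ipsec[pair.local_spi] = pair

    def _record_deletion(self, peer: str, established_at: float, now: float) -> None:
        # DoS protection: only a "young" SA (deleted < 60 s after set-up) locks the peer out.
        if now - established_at < LOCKOUT_SECONDS:
            until = now + LOCKOUT_SECONDS
            self.lockout_until[peer] = max(self.lockout_until.get(peer, 0.0), until)

    def delete_ike_by_handle(self, handle: int, now: float) -> List[int]:
        """Delete one IKE SA; returns the local SPIs of IPsec pairs removed with it."""
        sa = self.ike.pop(handle, None)
        if sa is None:
            return []                       # unknown handle: nothing to delete
        self._record_deletion(sa.peer, sa.established_at, now)
        removed = []
        for spi, pair in list(self.ipsec.items()):
            if pair.ike_handle == handle:   # assumption: children go with the IKE SA
                self._record_deletion(pair.peer, pair.established_at, now)
                removed.append(self.ipsec.pop(spi).local_spi)
        return removed

    def delete_all_ike(self, now: float) -> int:
        """Globally delete every IKE SA; returns how many IKE SAs were removed."""
        handles = list(self.ike)
        for handle in handles:
            self.delete_ike_by_handle(handle, now)
        return len(handles)

    def delete_ipsec_by_local_spi(self, local_spi: int, now: float) -> bool:
        """Delete the IPsec SA pair identified by its incoming (LOCAL) SPI."""
        pair = self.ipsec.pop(local_spi, None)
        if pair is None:
            return False
        self._record_deletion(pair.peer, pair.established_at, now)
        return True

    def accepts_phase1_from(self, peer: str, now: float) -> bool:
        """Would a new phase 1 IKE negotiation from this peer be answered at time `now`?"""
        return now >= self.lockout_until.get(peer, 0.0)


def demo() -> dict:
    """Constructed scenario: one young SA pair, one long-lived IKE SA with a child pair."""
    t = SaTable()
    t.add_ike(IkeSa(handle=1, peer="198.51.100.10", established_at=1000.0))
    t.add_ipsec(IpsecSaPair(0xC0010001, 0x7A000123, "198.51.100.10", 1, 1001.0))
    t.add_ike(IkeSa(handle=2, peer="203.0.113.20", established_at=100.0))
    t.add_ipsec(IpsecSaPair(0xC0020002, 0x7A000456, "203.0.113.20", 2, 101.0))
    # Operator deletes the young pair by LOCAL SPI only 30 s after it came up.
    t.delete_ipsec_by_local_spi(0xC0010001, now=1031.0)
    # Operator deletes the old IKE SA by handle; it has been up for far longer than 60 s.
    t.delete_ike_by_handle(2, now=1031.0)
    return {
        "peer1_blocked_at_1031": not t.accepts_phase1_from("198.51.100.10", 1031.0),
        "peer1_blocked_at_1090": not t.accepts_phase1_from("198.51.100.10", 1090.0),
        "peer1_allowed_at_1091": t.accepts_phase1_from("198.51.100.10", 1091.0),
        "peer2_allowed_at_1031": t.accepts_phase1_from("203.0.113.20", 1031.0),
        "remaining_ike": sorted(t.ike),
        "remaining_ipsec": sorted(t.ipsec),
    }


if __name__ == "__main__":
    print(demo())
```

The scenario shows the asymmetry an operator should expect: the peer whose 30-second-old pair was deleted is ignored for phase 1 until the lockout expires, while the peer whose long-lived IKE SA (and, under the stated assumption, its child pair) was deleted can re-negotiate at once. Whether the boundary instant itself is accepted is an assumption of this model, not something the page specifies.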
To Delete Security Association Entries
- On the SBC main screen, navigate to Monitoring > Security > IPsec or All > Address Context > IPsec.
- Select an address context from the Address Context list. The Commands list appears.
Use the following table to select a command option. Based on your selection, a pop-up window opens.
Confirm the deletion when prompted.