advertise { adv-delay seconds | adv-lifetime time | adv-interval { seconds | msec num } | num-adv-sent number | prefix-length-extn | reg-lifetime reg_time }
default advertise
adv-delay seconds
seconds is the advertisement delay in milliseconds and must be an integer from 10 through 5000.
adv-lifetime time
time is measured in seconds and can be configured to an integer from 1 through 65535.
adv-interval { seconds | msec num }
seconds is the time in seconds and can be an integer from 1 through 1800.
msec num: Configures the agent advertisement interval in milliseconds. num can be an integer from 100 through 1800000.
num-adv-sent number
number can be an integer from 1 through 65535.
reg-lifetime reg_time
reg_time is measured in seconds and can be configured to an integer from 1 through 65534.
The following command configures the FA advertisement interval at 10 seconds, the advertise lifetime to 20000 seconds, and the maximum number of unanswered advertisements to 3.
authentication mn-aaa { always | ignore-after-handoff | init-reg | init-reg-except-handoff | renew-and-dereg-noauth | renew-reg-noauth } [ optimize-retries ]
Specifies the IP address (address) of the interface configured as the Pi interface. address is specified in IPv4 dotted-decimal notation.
max-subscribers max#
count can be configured to an integer from 0 through 500000.
Important: The maximum number of subscribers supported is dependent on the license key installed and the number of active packet processing cards installed in the system. Refer to the license key command for additional information.
When configuring the max-subscribers option, be sure to consider the following:
The following command would bind the logical IP interface with the address 192.168.3.1 to the FA service and specify that a maximum of 600 simultaneous subscriber sessions can be facilitated by the interface/service at any given time.
challenge-window number
The number of recently sent challenge values that are considered valid. number must be an integer from 1 through 5.
default subscriber profile_name
Specifies the name of the configured subscriber profile. profile_name is an alphanumeric string of 1 through 63 characters that is case sensitive.
To configure the FA service to apply the rules configured for a subscriber named user1 to every other subscriber session it processes, enter the following command:
fa-ha-spi remote-address { ha_ip_address | ip_addr_mask_combo } spi-number number { encrypted secret enc_secret | secret secret } [ description string | hash-algorithm { hmac-md5 | md5 | rfc2002-md5 } | monitor-ha | replay-protection { timestamp | nonce } | timestamp-tolerance tolerance ]
ha_ip_address: Specifies the IP address of the HA in IPv4 dotted-decimal notation.
ip_addr_mask_combo: Specifies the IP address of the HA including network mask bits. ip_addr_mask_combo must be specified in IPv4 dotted-decimal notation with CIDR subnet mask bits (x.x.x.x/xx).
spi-number number
• encrypted secret enc_secret: Specifies the encrypted shared key (enc_secret) between the FA service and the HA. enc_secret must be an alphanumeric string of 1 through 254 characters that is case sensitive.
Important: The encrypted keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the secret keyword is the encrypted version of the plain text secret key. Only the encrypted secret key is saved as part of the configuration file.
• secret secret: Specifies the shared key (secret) between the FA service and the HA. secret must be an alphanumeric string of 1 through 127 characters that is case sensitive.
description string
This is a description for the SPI. string must be an alphanumeric string of 1 through 31 characters.
hash-algorithm { hmac-md5 | md5 | rfc2002-md5 }
• hmac-md5: Configures the hash-algorithm to implement HMAC-MD5 per RFC 2002bis.
• md5: Configures the hash-algorithm to implement MD5 per RFC 1321.
• rfc2002-md5: Configures the hash-algorithm to implement keyed-MD5 per RFC 2002.
monitor-ha
To set the behavior of the HA monitor feature, refer to the ha-monitor command in this chapter. To disable this command (if enabled) for this HA address, re-enter the entire fa-ha-spi command without the monitor-ha keyword.
replay-protection { timestamp | nonce }
• nonce: Configures replay protection to be implemented using nonces per RFC 2002. A nonce is an arbitrary number used only once within a cryptographic exchange, so a replayed message carrying an old nonce is rejected.
• timestamp: Configures replay protection to be implemented using timestamps per RFC 2002.
timestamp-tolerance tolerance
tolerance is measured in seconds and can be configured to an integer value from 0 through 65535.
Important: The SPI configuration on the HA must match the SPI configuration for the FA service on the system in order for the two devices to communicate properly.
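As an added illustration (not from the Cisco documentation), the following Python computes the Foreign-Home Authentication Extension in the two keyed modes named by the hash-algorithm keyword and applies a timestamp-tolerance style replay check, showing why an SPI, key or algorithm mismatch between FA and HA fails verification. It assumes the RFC 2002 extension format (type 34, SPI plus 16-byte authenticator), uses the page's SPI 512, HA 192.168.0.2 and key q397F65, and constructs illustrative home and care-of addresses; the plain md5 keyword is not modelled.

```python
import hashlib
import hmac
import struct

FH_AUTH_EXT_TYPE = 34   # Foreign-Home Authentication Extension (RFC 2002, 3.5.3)
FH_AUTH_EXT_LEN = 20    # length field covers SPI (4) + 16-byte authenticator

def authenticator(algorithm, secret, protected):
    """16-byte authenticator for the fa-ha-spi hash-algorithm keyword."""
    if algorithm == "hmac-md5":       # RFC 2002bis (RFC 3344) default
        return hmac.new(secret, protected, hashlib.md5).digest()
    if algorithm == "rfc2002-md5":    # keyed-MD5 in prefix+suffix mode (RFC 2002)
        return hashlib.md5(secret + protected + secret).digest()
    raise ValueError("unsupported hash-algorithm: " + algorithm)

def build_fh_auth_ext(algorithm, spi, secret, message):
    """Append the FA-HA authentication extension. The protected data is the
    message so far plus this extension's type, length and SPI (RFC 2002)."""
    head = struct.pack("!BBI", FH_AUTH_EXT_TYPE, FH_AUTH_EXT_LEN, spi)
    return message + head + authenticator(algorithm, secret, message + head)

def verify_fh_auth_ext(algorithm, spi, secret, packet):
    """Receiver side: True only if SPI, algorithm and secret all match."""
    message, ext = packet[:-22], packet[-22:]
    ext_type, ext_len, ext_spi = struct.unpack("!BBI", ext[:6])
    if (ext_type, ext_len, ext_spi) != (FH_AUTH_EXT_TYPE, FH_AUTH_EXT_LEN, spi):
        return False
    expected = authenticator(algorithm, secret, message + ext[:6])
    return hmac.compare_digest(expected, ext[6:])

def timestamp_fresh(received, local, tolerance, last_accepted=None):
    """replay-protection timestamp: the Identification (in seconds) must be
    within timestamp-tolerance of local time and newer than the last accepted."""
    if abs(received - local) > tolerance:
        return False
    return last_accepted is None or received > last_accepted

# Constructed Registration Request header (RFC 2002, 3.3): type=1, flags,
# lifetime, home address, HA address 192.168.0.2 (from the page), care-of
# address, 64-bit Identification. Home and care-of addresses are illustrative.
RRQ = struct.pack("!BBH4s4s4sQ", 1, 0, 1800,
                  bytes([10, 0, 0, 5]), bytes([192, 168, 0, 2]),
                  bytes([192, 168, 3, 1]), 0xE5A1B2C300000000)
SECRET = b"q397F65"   # shared key from the page's fa-ha-spi example
SPI = 512
```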
Use the no version of this command to delete a previously configured SPI.
The following command configures the FA service to use an SPI of 512 when communicating with an HA with the IP address 192.168.0.2. The key shared between the HA and the FA service is q397F65. When communicating with this HA, the FA service is also configured to use the rfc2002-md5 hash-algorithm.
The following command deletes the configured SPI of 400 for an HA with an IP address of 172.100.3.200:
gre { checksum | checksum-verify | reorder-timeout timeout | sequence-mode { none | reorder } | sequence-numbers }
reorder-timeout timeout
Configures the maximum number of milliseconds to wait before processing reordered out-of-sequence GRE packets. timeout must be an integer from 0 through 5000.
sequence-mode { none | reorder }
none: Disables reordering of incoming out-of-sequence GRE packets.
reorder: Enables reordering of incoming out-of-sequence GRE packets.
To set the maximum number of milliseconds to wait before processing reordered out-of-sequence GRE packets to 500 milliseconds, enter the following command:
interval sec
sec must be an integer from 1 through 36000.
max-inactivity-time sec
sec must be an integer from 30 through 600.
num-retry num
num must be an integer from 0 through 10.
Use this command to set parameters for the HA monitor feature. This feature allows the AGW/FA to monitor HAs with which it has MIP sessions. The monitoring feature is triggered when the AGW/FA does not receive any MIP traffic from an HA for a configured amount of time (max-inactivity-time). The AGW/FA starts sending special MIP RRQ monitor messages and waits for RRP monitor message responses from the HA. The RRQ monitor messages are addressed to the HA service address. The source address of the monitor-request messages is the FA service's IP address.
• If no monitor response is received during the interval time (interval), the AGW retransmits the monitor message a configured number of times (num-retry).
• If no response is received after retransmitting the number of times configured in num-retry, the HA is considered down. The AGW/FA sends a trap (HAUnreachable) to the management station. Monitoring of this HA is stopped until a MIP control message is received from that HA, at which point the AGW/FA sends a trap (HAreachable) to the management station and starts monitoring the HA again.
Important: This command only sets the behavior of the HA monitor feature. To enable the HA monitor feature for each HA address, refer to the fa-ha-spi command in this chapter. Up to 256 HAs can be monitored per system.
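To make the monitor behaviour concrete, here is an added Python model (not part of the Cisco documentation) of the ha-monitor state machine described above, driven by a constructed timeline of MIP control messages from one HA. With the page's values of interval 45, max-inactivity-time 60 and num-retry 6 it sends one monitor RRQ after 60 s of silence, six retransmissions 45 s apart, and an HAUnreachable trap at 375 s, then an HAreachable trap when the HA is next heard from; the one-second tick granularity is an assumption of the model.

```python
class HaMonitor:
    """Model of the ha-monitor feature: interval, max-inactivity-time, num-retry."""
    def __init__(self, interval, max_inactivity_time, num_retry):
        self.interval = interval
        self.max_inactivity_time = max_inactivity_time
        self.num_retry = num_retry
        self.last_mip_traffic = 0      # time of last MIP control message from the HA
        self.probe_sent_at = None      # None while not probing
        self.retries_left = 0
        self.down = False
        self.probes_sent = 0
        self.traps = []                # (time, trap name) sent to the management station

    def mip_control_received(self, now):
        """Any MIP control message (an RRP monitor reply included) proves reachability."""
        self.last_mip_traffic = now
        self.probe_sent_at = None
        if self.down:                  # monitoring resumes once the HA speaks again
            self.down = False
            self.traps.append((now, "HAreachable"))

    def tick(self, now):
        """Periodic check: start probing, retransmit, or declare the HA down."""
        if self.down:
            return                     # monitoring is stopped until the HA is heard from
        if self.probe_sent_at is None:
            if now - self.last_mip_traffic >= self.max_inactivity_time:
                self._send_probe(now, self.num_retry)
        elif now - self.probe_sent_at >= self.interval:
            if self.retries_left > 0:
                self._send_probe(now, self.retries_left - 1)
            else:
                self.down = True
                self.traps.append((now, "HAUnreachable"))

    def _send_probe(self, now, retries_left):
        self.probes_sent += 1          # MIP RRQ monitor message towards the HA service address
        self.probe_sent_at = now
        self.retries_left = retries_left

def simulate(monitor, ha_message_times, end_time):
    """Drive the monitor one second at a time; ha_message_times lists the seconds
    at which a MIP control message from the HA arrives (constructed scenario)."""
    for now in range(end_time + 1):
        if now in ha_message_times:
            monitor.mip_control_received(now)
        monitor.tick(now)
    return monitor.traps
```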
The following commands set the HA monitor message interval to 45 seconds, the HA inactivity time to 60 seconds, and the number of HA monitor retries to 6:
ip local-port port#
port# can be an integer from 1 through 65535.
The following command specifies a UDP port of 3950 for FA-to-HA communication on the Pi interface:
isakmp { peer-ha ha_address { crypto map map_name [ [ encrypted ] secret secret ] } | default { crypto map map_name [ [ encrypted ] secret secret ] } }
peer-ha ha_address { crypto map map_name [ [ encrypted ] secret secret ] }
• ha_address: The IP address of the HA with which the FA service will establish an IPSec SA. The address must be expressed in IPv4 dotted-decimal format.
• crypto map map_name: The name of a crypto map configured in the same context that defines the IPSec tunnel properties. map_name is the name of the crypto map expressed as an alphanumeric string of 1 through 127 characters.
• encrypted: This keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the secret keyword is the encrypted version of the plain text secret key. Only the encrypted secret key is saved as part of the configuration file.
• secret secret: The pre-shared secret that will be used during the IKE negotiation. secret is an alphanumeric string of 1 through 127 characters.
default { crypto map map_name [ [ encrypted ] secret secret ] }
• crypto map map_name: The name of a crypto map configured in the same context that defines the IPSec tunnel properties. map_name is the name of the crypto map expressed as an alphanumeric string of 1 through 127 characters.
• encrypted: This keyword is intended only for use by the system while saving configuration scripts. The system displays the encrypted keyword in the configuration file as a flag that the variable following the secret keyword is the encrypted version of the plain text secret key. Only the encrypted secret key is saved as part of the configuration file.
• secret secret: The pre-shared secret that will be used during the IKE negotiation. secret is an alphanumeric string of 1 through 127 characters.
Important: For maximum security, the above command should be executed for every possible HA with which the FA service communicates.
Important: For maximum security, the default crypto map should be configured in addition to peer-ha crypto maps instead of being used to provide IPSec SAs to all HAs.
The following command creates a reference for an HA with the IP address 10.2.3.4 to a crypto map named map1:
max-challenge-len length
Enable this feature if there is no need to authenticate the subscriber at the HA using the MN-AAA extension.
multiple-reg number
number can be configured to an integer from 1 through 3.
Important: The system will only support multiple Mobile IP sessions per subscriber if the subscriber's mobile node has a static IP address. The system will only allow a single Mobile IP session for mobile nodes that receive a dynamically assigned IP address. In addition, because only a single Mobile IP or proxy-Mobile IP session is supported for IP PDP contexts, this parameter must remain at its default configuration.
Important: You should not use this command without first consulting Cisco Systems Technical Support. This command applies to very specific scenarios where packet reassembly is not supported at the far end of the tunnel. There are cases where the destination network may either discard the data, or be unable to reassemble the packets.
Important: This functionality works best when the FA service is communicating with an HA service running in a system. However, an FA service running in the system communicating with an HA from a different manufacturer will operate correctly even if this parameter is enabled.
Use the no version of this command to disable tunnel optimization if it was previously enabled.
proxy-mip { allow | ha-failover [ max-attempts max_attempts | num-attempts-before-switching num_attempts | timeout seconds ] | max-retransmissions number | renew-percent-time renew-time | retransmission-timeout time }
ha-failover [ max-attempts max_attempts | num-attempts-before-switching num_attempts | timeout seconds ]
• max-attempts max_attempts - Configures the maximum number of retransmissions of Proxy MIP control messages. max_attempts must be an integer from 1 through 10. Default is 4.
• num-attempts-before-switching num_attempts - Configures the total number of RRQ attempts (including retransmissions) before failing over to the alternate HA. num_attempts must be an integer from 1 through 5. Default is 2.
• timeout seconds - Configures the retransmission timeout (in seconds) of Proxy MIP control messages when failover happens. seconds must be an integer from 1 through 50. Default is 2.
max-retransmissions number
number is the maximum number of retries and can be configured to an integer from 1 through 4294967295.
renew-percent-time renew-time
renew-time is entered as a percentage of the advertisement registration lifetime configured for the FA service (refer to the advertise command in this chapter). renew-time can be configured to an integer from 1 through 100.
The following equation can be used to calculate renew-time:
renew-time = (duration / lifetime) * 100
retransmission-timeout time
time is measured in seconds and can be configured to an integer from 1 through 100.
The proxy-mip command and its keywords configure the FA service's support for Proxy Mobile IP.
In addition to the parameters configured via this command, the HA-FA SPI(s) must also be modified to support Proxy Mobile IP. Refer to the fa-ha-spi command for more information.
The following command configures the FA service to wait up to 5 seconds for an HA to respond before re-sending a Mobile IP Registration Request message:
reg-timeout time
Use the no option of this command to disable reverse tunneling. If reverse tunneling is disabled and the mobile node does not request it, triangular routing is used.
Important: If reverse tunneling is disabled on the system and an MN requests it, the call will be rejected with a reply code of 74H (reverse-tunneling unavailable).
revocation { enable | max-retransmission number | negotiate-i-bit | retransmission-timeout secs | trigger internal-failure }
max-retransmission number
Specifies the maximum number of retransmissions of a Revocation message before the revocation fails. number must be an integer from 0 through 10.
retransmission-timeout secs
Specifies the number of seconds to wait for a Revocation Acknowledgement from the HA before retransmitting the Revocation message. secs must be an integer from 1 through 10.
The high threshold number of registration reply errors that must be met or exceeded within the polling interval to generate an alert or alarm. high_thresh can be an integer from 0 through 100000.
clear low_thresh
The low threshold number of registration reply errors that must be met or exceeded within the polling interval to clear an alert or alarm. low_thresh can be an integer from 0 through 100000.
Important: This value is ignored for the Alert model. In addition, if this value is not configured for the Alarm model, the system assumes it is identical to the high threshold.
• Enter condition: Actual number of registration reply errors > High Threshold
• Clear condition: Actual number of registration reply errors ≤ Low Threshold
The following command configures a registration reply error threshold of 1000 and a low threshold of 500 for a system using the Alarm thresholding model:
Cisco Systems Inc.