Understanding Member Reregistration
If a group member does not receive a new SA key from the server before the current key expires, the member must reregister with the server and obtain updated keys with a GDOI groupkey-pull exchange. In this case, the interval at which the server sends rekey messages is calculated as follows: lifetime-seconds minus 3*(activation-time-delay). Using the default values for lifetime-seconds and activation-time-delay, the interval at which the server sends rekey messages is 3600 minus 3*15, or 3555 seconds.
Member reregistration can occur for the following reasons:
- The member detects a server reboot by the absence of heartbeats received from the server.
- The rekey message from the group server is lost or delayed, and the TEK lifetime has expired.