accept-tolerance

Defines the number of seconds for which expired or soon-to-be activated keys can be used for validating received packets.

Syntax

accept-tolerance number-of-seconds
no accept-tolerance

Command Default

By default, the accept tolerance time is 600 seconds.

Parameters

number-of-seconds
Specifies the number of seconds by which a key's activation time is moved earlier or its expiration time is extended when validating received packets. The default is 600. Valid values range from 0 to 600.

Modes

Keychain configuration mode

Usage Guidelines

Use the no form of the command to revert to the default of 600 seconds.

You can use the command to extend the validity of an expired key to ensure a smooth key rollover for the processing of a received packet.

You can use the command to decrease the activation time of a new key so that a received packet can be authenticated with the new key.

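A longer accept tolerance period can reduce security if an old key was exposed, because packets authenticated with that expired key continue to be accepted until the tolerance period ends.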

Examples

The following example configures an accept tolerance of 500 seconds in the keychain named keychain1.

device# configure terminal
device(config)# keychain keychain1
device(config-keychain1)# accept-tolerance 500
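
The following Python model is an added illustration, not device or vendor code. It shows how the tolerance widens the receive-side window of each key during a rollover and how long an exposed, expired key would still validate packets. The key times, the names `Key`, `accept_window`, `acceptable_keys` and `exposure_after_expiry`, and the inclusive window boundaries are assumptions.

```python
from dataclasses import dataclass

DEFAULT_TOLERANCE = 600  # seconds, the command default stated on this page
MAX_TOLERANCE = 600      # upper bound of the valid range (0 to 600)


@dataclass(frozen=True)
class Key:
    key_id: int
    activate: int  # activation time in seconds (constructed values)
    expire: int    # expiration time in seconds (constructed values)


def check_tolerance(seconds):
    """Reject values outside the range the command accepts."""
    if not 0 <= seconds <= MAX_TOLERANCE:
        raise ValueError("accept-tolerance must be between 0 and 600 seconds")
    return seconds


def accept_window(key, tolerance=DEFAULT_TOLERANCE):
    """Receive-side window: activation moved earlier, expiration extended.
    Inclusive boundaries are an assumption of this model."""
    tol = check_tolerance(tolerance)
    return key.activate - tol, key.expire + tol


def acceptable_keys(keys, rx_time, tolerance=DEFAULT_TOLERANCE):
    """IDs of keys that may validate a packet received at rx_time."""
    ids = []
    for key in keys:
        start, end = accept_window(key, tolerance)
        if start <= rx_time <= end:
            ids.append(key.key_id)
    return ids


def exposure_after_expiry(key, tolerance=DEFAULT_TOLERANCE):
    """Seconds an exposed, expired key still validates received packets."""
    return accept_window(key, tolerance)[1] - key.expire


# Constructed rollover: key 1 expires at t=10000, key 2 activates at t=10000.
OLD = Key(1, activate=0, expire=10000)
NEW = Key(2, activate=10000, expire=20000)

if __name__ == "__main__":
    for tol in (0, 500, 600):
        print(tol, acceptable_keys([OLD, NEW], 9700, tol),
              acceptable_keys([OLD, NEW], 10300, tol))
```

With a tolerance of 0, a peer whose clock is 300 seconds off the rollover time has its packets checked against only one key; with 500, both keys validate on either side of the rollover, at the cost of 500 extra seconds in which the old key is still accepted.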