Accept tolerance is the number of
seconds for which expired or soon-to-be activated keys can be used for validating received
packets.
About this task
You can use this command to extend the
validity of an expired key to ensure a smooth key rollover for the processing of a
received packet. You can use this command to decrease the activation time of a new key
so that a received packet can be authenticated with the new key. A longer accept
tolerance period can reduce security if an old key was exposed.
Procedure
-
Enter global configuration
mode.
device# configure terminal
-
Enter keychain configuration
mode.
device(config)# keychain keychain1
This example enters configuration mode for key chain 1.
-
Configure the accept tolerance.
device(config-keychain1)# accept-tolerance 500
This example configures an
accept tolerance of 500 seconds in key chain 1. The default is 600 seconds.
Valid values range from 0 to 600.
Example
The following example summarizes the commands in this procedure.
device# configure terminal
device(config)# keychain keychain1
device(config-keychain1)# accept-tolerance 500
