Configure a Key Accept Tolerance

Accept tolerance is the number of seconds during which expired or soon-to-be-activated keys can still be used to validate received packets.

Use this command to extend the validity of an expired key so that received packets are still processed smoothly during a key rollover. You can also use it to make a new key usable ahead of its activation time, so that a received packet can be authenticated with the new key. A longer accept tolerance period can reduce security if an old key was exposed, because the expired key continues to validate packets for that period.
  1. Enter global configuration mode.
    device# configure terminal
  2. Enter keychain configuration mode.
    device(config)# keychain keychain1
    This example enters configuration mode for the key chain named keychain1.
  3. Configure the accept tolerance.
    device(config-keychain1)# accept-tolerance 500
    This example configures an accept tolerance of 500 seconds for keychain1. The default is 600 seconds. Valid values range from 0 to 600.

The following example summarizes the commands in this procedure.

device# configure terminal
device(config)# keychain keychain1
device(config-keychain1)# accept-tolerance 500
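
The following Python model is an added example, not vendor code or part of the original procedure. It assumes each key has an activation and expiry time (constructed values below) and that the tolerance widens the receive window at both ends, as the description above implies; `sender_skew` and the function names are hypothetical. It shows how the tolerance absorbs peer clock skew during a rollover and how long an expired key keeps validating.

```python
from dataclasses import dataclass

DEFAULT_TOLERANCE = 600  # seconds; default stated in this procedure
MAX_TOLERANCE = 600      # valid range stated in this procedure: 0 to 600

@dataclass(frozen=True)
class Key:
    key_id: int
    activate: int  # second at which the key becomes active (constructed)
    expire: int    # second at which the key expires (constructed)

def acceptable_keys(keys, now, tolerance=DEFAULT_TOLERANCE):
    """Key IDs a receiver would accept at `now` (assumed model, not device code)."""
    if not 0 <= tolerance <= MAX_TOLERANCE:
        raise ValueError("accept tolerance must be 0 to 600 seconds")
    return [k.key_id for k in keys
            if k.activate - tolerance <= now <= k.expire + tolerance]

def receiver_accepts(keys, recv_now, sender_skew, tolerance):
    """True if a packet signed with the sender's active key validates.

    sender_skew is how many seconds the sender's clock is ahead of the
    receiver's (negative if behind); hypothetical parameter.
    """
    sender_now = recv_now + sender_skew
    active = [k.key_id for k in keys if k.activate <= sender_now < k.expire]
    return bool(active) and active[0] in acceptable_keys(keys, recv_now, tolerance)

def last_accept_time(key, tolerance):
    """Latest second at which an expired (possibly exposed) key still validates."""
    return key.expire + tolerance

# Constructed rollover: key 1 hands over to key 2 at t=10000.
OLD, NEW = Key(1, 0, 10000), Key(2, 10000, 20000)
CHAIN = [OLD, NEW]

if __name__ == "__main__":
    for tol in (0, 500):
        print(f"tolerance={tol}")
        print("  sender 30 s ahead, t=9980  :", receiver_accepts(CHAIN, 9980, 30, tol))
        print("  sender 30 s behind, t=10020:", receiver_accepts(CHAIN, 10020, -30, tol))
        print("  old key validates until    :", last_accept_time(OLD, tol))
```

With a tolerance of 0 both skewed packets fail validation at the rollover boundary; with 500 both pass, at the cost of the old key remaining usable for 500 seconds after it expires.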