ISMs Overview

You can install multiple ISMs to provide redundancy. If you install multiple ISMs at the same time, the router automatically distributes ISM interfaces over the modules in proportion to the available ISM interfaces.

Even distribution of ISM interfaces is not critical to router performance. However, the number of ISMs that you install must be able to support the extra tunnels if one of the modules becomes unavailable.

When you configure a static IPSec interface, the router automatically assigns that interface to a particular ISM. If that ISM becomes unavailable, the interface becomes not present (operational state down).

The router then manages the interface as follows:

• If the interface’s local IP address (tunnel source) is less than the remote IP address (tunnel destination), the router attempts to reassign the interface to an available ISM. If the reassignment is successful, the router immediately initiates an IPSec negotiation, also known as rekeying the interface.
• If the interface’s local IP address is greater than the remote IP address, the router attempts to reassign the interface to an available ISM. If the reassignment is successful, the router waits 3 minutes before initiating an IPSec negotiation.

In either case, the interface becomes available (operational state up) when the rekeying operation is completed successfully. If the rekeying operation fails for reasons such as an unreachable remote end or a policy mismatch, the router waits a certain number of minutes and then tries again.

The wait time increases after each unsuccessful rekeying attempt, and follows a progressive pattern. This pattern gradually increases in intervals, starting at 1 minute and reaching a maximum interval of 60 minutes. The 60-minute interval repeats indefinitely. When the rekeying operation is completed successfully, the pattern starts again.

If no ISM is available to which the router can reassign the interface, the interface remains in the not present state until an ISM becomes available. As a result, the distribution of dedicated ISM interfaces over the modules might become uneven.