cannot find an SA, an invalid SPI is encountered. The peer drops the data packet and tries to send an SPI
invalid notification to the data originator. This notification is sent by using the IKE SA. When no IKE SA
is available, the notification is not sent. The originating peer continues sending the data by using the
IPsec SA that has the invalid SPI, and the receiving peer keeps dropping the traffic.
The invalid SPI recovery feature enables the receiving peer to set up an IKE SA with the originator so that
an SPI invalid notification can be sent. Upon receiving the notification, the originating peer deletes the
IPsec SA that has the invalid SPI. If the originator has data to send, new SAs will be set up.
Use caution when enabling the invalid SPI recovery feature because using this feature can result in a DoS
attack. Attackers can fabric a great number of invalid SPI notifications to the same peer.
Examples
# Enable invalid SPI recovery.
<Sysname> system-view
[Sysname] ike invalid-spi-recovery enable
ike keepalive interval
Use ike keepalive interval to enable sending IKE keepalives and set the sending interval.
Use undo ike keepalive interval to restore the default.
Syntax
ike keepalive interval seconds
undo ike keepalive interval
Default
No IKE keepalives are sent.
Views
System view
Predefined user roles
network-admin
Parameters
seconds: Specifies the number of seconds between IKE keepalives, in the range of 20 to 28800.
Usage guidelines
To detect the status of the peer, configure IKE DPD instead of the IKE keepalive function unless IKE DPD
is not supported on the peer.
The keepalive timeout time configured at the local must be longer than the keepalive interval configured
at the peer. Since it seldom occurs that more than three consecutive packets are lost on a network, you
can set the keepalive timeout three times as long as the keepalive interval.
Examples
# Set the keepalive interval to 200 seconds
380
To Next Page
Loading...
Need help?
General
