ipsec anti-replay check

Use ipsec anti-replay check to enable IPsec anti-replay checking.

Use undo ipsec anti-replay check to disable IPsec anti-replay checking.


ipsec anti-replay check

undo ipsec anti-replay check


IPsec anti-replay checking is enabled.


System view

Predefined user roles



Usage guidelines

IPsec packet de-encapsulation involves complicated calculation. De-encapsulation of replayed packets is not necessary but consumes large amounts of resources and degrades performance, resulting in DoS. IPsec anti-replay checking, when enabled, is performed before the de-encapsulation process, reducing resource waste.

In some situations, service data packets are received in a different order than their original order. The IPsec anti-replay feature drops them as replayed packets, which impacts communications. If this happens, disable IPsec anti-replay checking or adjust the size of the anti-replay window as required.

Only IPsec SAs negotiated by IKE support anti-replay checking. Manually created IPsec SAs do not support anti-replay checking. Enabling or disabling IPsec anti-replay checking does not affect manually created IPsec SAs.


# Enable IPsec anti-replay checking.

<Sysname> system-view
[Sysname] ipsec anti-replay check

Related commands

ipsec anti-replay window