ipsec anti-replay check

Use ipsec anti-replay check to enable IPsec anti-replay checking.

Use undo ipsec anti-replay check to disable IPsec anti-replay checking.

Syntax

ipsec anti-replay check

undo ipsec anti-replay check

Default

IPsec anti-replay checking is enabled.

Views

System view

Predefined user roles

network-admin

mdc-admin

Usage guidelines

IPsec de-encapsulation (integrity verification and decryption) is computationally expensive. De-encapsulating replayed packets serves no purpose but consumes large amounts of resources and degrades performance, so an attacker who replays captured IPsec packets can cause a DoS. When IPsec anti-replay checking is enabled, the sequence number of each inbound packet is checked against the anti-replay window before de-encapsulation, so replayed packets are dropped before they consume those resources.

In some situations, service data packets are received in a different order than they were sent. A packet that arrives later than the anti-replay window allows is dropped as a replayed packet, which impacts communications. If this happens, first increase the anti-replay window size (see ipsec anti-replay window). Disable IPsec anti-replay checking only if a larger window does not resolve the problem, because doing so removes replay protection from all IKE-negotiated IPsec SAs.

Anti-replay checking is supported only on IPsec SAs negotiated by IKE. Manually created IPsec SAs do not support it, and enabling or disabling IPsec anti-replay checking has no effect on them.
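The following added example illustrates the sliding-window check described above. It is not part of this command reference or of Comware; it models the receiver-side anti-replay window defined in RFC 4303 (Appendix A), with the check run before de-encapsulation and the window updated only after the packet's integrity check succeeds. The window_size argument stands in for the value configured with ipsec anti-replay window and is an assumption of this example, as are the drop-reason strings and the constructed arrival orders.

```python
# Added example: RFC 4303 style sliding-window anti-replay check for IPsec.
# This models the behaviour the usage guidelines describe; it is not
# Comware code. window_size stands in for the value configured with
# "ipsec anti-replay window" and is an assumption of this example.


class AntiReplayWindow:
    """Receiver-side anti-replay state for one inbound IPsec SA."""

    def __init__(self, window_size=64):
        if window_size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32 packets")
        self.size = window_size
        self.highest = 0      # highest sequence number accepted so far (0 = none yet)
        self.bitmap = 0       # bit i set => sequence number (highest - i) already received

    def check(self, seq):
        """Pre-decapsulation check.

        Returns None if the packet may be decapsulated, otherwise a drop reason.
        Runs before integrity verification/decryption, so replays cost no crypto.
        """
        if seq == 0:
            return "invalid-seq"          # sequence 0 is never sent (first packet uses 1)
        if seq > self.highest:
            return None                   # new packet to the right of the window
        diff = self.highest - seq
        if diff >= self.size:
            return "outside-window"       # too old: fell off the left edge of the window
        if (self.bitmap >> diff) & 1:
            return "duplicate"            # inside the window but already received
        return None

    def update(self, seq):
        """Post-verification update.

        Call only after check() passed and the ICV verified, so forged packets
        with a high sequence number cannot advance the window.
        """
        if seq > self.highest:
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1           # the whole old window slides out
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
        else:
            self.bitmap |= 1 << (self.highest - seq)


def receive(window, seq, icv_ok=True):
    """Receiver pipeline for one packet: anti-replay check, integrity check, window update."""
    reason = window.check(seq)
    if reason is not None:
        return "dropped:" + reason
    if not icv_ok:
        return "dropped:bad-icv"          # window state is left untouched
    window.update(seq)
    return "accepted"


def simulate(window_size, seqs):
    """Feed a constructed arrival order of sequence numbers to a fresh SA; report each fate."""
    w = AntiReplayWindow(window_size)
    return [receive(w, s) for s in seqs]


def reorder_scenario(window_size, burst, late_seq):
    """Packet late_seq is delayed until after the rest of 1..burst has arrived; return its fate."""
    seqs = [s for s in range(1, burst + 1) if s != late_seq] + [late_seq]
    return simulate(window_size, seqs)[-1]


if __name__ == "__main__":
    print(simulate(64, [1, 2, 3, 2]))        # replay of 2 is dropped as a duplicate
    print(simulate(64, [1, 3, 2]))           # mild reordering inside the window is accepted
    print(reorder_scenario(32, 100, 50))     # 50 packets late with a 32-packet window: dropped
    print(reorder_scenario(64, 100, 50))     # same delay with a 64-packet window: accepted
```

The reorder_scenario cases are the situation the usage guidelines warn about: a legitimately delayed packet is dropped not because it is a replay but because it arrived after more packets than the window holds. Enlarging the window accepts it while still rejecting genuine duplicates, which is why increasing the window is preferable to disabling the check. Note also that a packet whose integrity check fails never updates the window, so an attacker cannot push the window forward with forged packets and thereby cause later legitimate traffic to be dropped.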

Examples

# Enable IPsec anti-replay checking.

<Sysname> system-view
[Sysname] ipsec anti-replay check

Related commands

ipsec anti-replay window