536
Related commands
display ipsec ipv6-policy
display ipsec policy
ikev2 profile
ipsec anti-replay check
Use ipsec anti-replay check to enable IPsec anti-replay checking.
Use undo ipsec anti-replay check to disable IPsec anti-replay checking.
Syntax
ipsec anti-replay check
undo ipsec anti-replay check
Default
IPsec anti-replay checking is enabled.
Views
System view
Predefined user roles
network-admin
Usage guidelines
IPsec packet de-encapsulation involves complicated calculation. De-encapsulation of replayed
packets is not necessary but consumes large amounts of resources and degrades performance,
resulting in DoS. IPsec anti-replay checking, when enabled, is performed before the
de-encapsulation process, reducing resource waste.
In some situations, service data packets are received in a different order than their original order. The
IPsec anti-replay feature drops them as replayed packets, which impacts communications. If this
happens, disable IPsec anti-replay checking or adjust the size of the anti-replay window as required.
Only IPsec SAs negotiated by IKE support anti-replay checking. Manually created IPsec SAs do not
support anti-replay checking. Enabling or disabling IPsec anti-replay checking does not affect
manually created IPsec SAs.
Examples
# Enable IPsec anti-replay checking.
<Sysname> system-view
[Sysname] ipsec anti-replay check
Related commands
ipsec anti-replay window
ipsec anti-replay window
Use ipsec anti-replay window to set the anti-replay window size.
Use undo ipsec anti-replay window to restore the default.
Syntax
ipsec anti-replay window width
undo ipsec anti-replay window
To Next Page
Loading...
