AR500, AR510, and AR530 V200R007 Commands Reference

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
ipsec anti-replay

Function

The ipsec anti-replay command enables or disables the anti-replay function.

By default, the anti-replay function is enabled.

Format

ipsec anti-replay { enable | disable }

Parameters

Parameter   Description                          Value
enable      Enables the anti-replay function.    -
disable     Disables the anti-replay function.   -

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

A replayed packet is a copy of a packet that the receiver has already processed. IPSec detects replays with a sliding window (the anti-replay window) over the sequence number carried in every AH or ESP header. The receiver records the highest sequence number it has accepted so far and a bitmap of which lower sequence numbers within the window have already been seen. An incoming packet is treated as a replay if its sequence number matches one that has already been accepted, or if it falls below the lower edge of the window (too old to be tracked). A sequence number above the current highest value is accepted and slides the window forward.

Authenticating and decapsulating replayed packets wastes CPU and memory, so an attacker who captures and re-injects IPSec traffic can degrade the device in the same way as a DoS attack; a replayed packet that is accepted can also re-deliver old traffic to the application. With anti-replay enabled, the system discards replayed packets without decapsulating them, saving system resources.

Precautions

Only SAs established in IKE negotiation mode support the anti-replay function. Manually configured SAs do not support the anti-replay function.

When packets are delayed or reordered on the path, for example under network congestion or when QoS queuing schedules some packets behind later ones, a legitimate packet can arrive so late that its sequence number has already fallen below the lower edge of the receiver's window. A device with IPSec anti-replay enabled treats such packets as replays and discards them. To prevent these false drops, you can either disable global IPSec anti-replay or, preferably, enlarge the IPSec anti-replay window size so that it covers the reordering depth the service traffic actually experiences. Disabling anti-replay removes the protection entirely; enlarging the window keeps it.
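The following Python model shows the sliding-window check described in the usage scenario above and the false-drop failure mode described in the precautions. It is an added illustration written for this page, not Huawei device code: the class, the function names and the constructed sequence-number streams (including a packet delayed by QoS queuing) are assumptions for the example. The window logic follows the bitmap scheme of RFC 4303 section 3.4.3 with a configurable window size.

```python
"""Sliding-window IPSec anti-replay check (RFC 4303 bitmap scheme).

Added example for illustration; not Huawei device code. Sequence numbers,
window sizes and the 'delayed by QoS' stream below are constructed inputs.
"""


class AntiReplayWindow:
    """Replay state for one inbound SA: highest accepted sequence number
    plus a bitmap of which lower numbers inside the window were seen."""

    def __init__(self, size=64):
        if size < 32 or size % 32:
            raise ValueError("window size must be a multiple of 32 (>= 32)")
        self.size = size
        self.top = 0        # highest sequence number accepted so far (0 = none)
        self.bitmap = 0     # bit i set => sequence number (top - i) was received

    def check(self, seq):
        """Return True if seq would be accepted, False if it is a replay
        (already seen) or too old (below the window's lower edge).
        Does not change state: a real stack runs this before ICV
        verification and calls update() only after the ICV is valid."""
        if seq == 0:
            return False                    # 0 is never a valid ESP/AH sequence number
        if seq > self.top:
            return True                     # new high water mark
        diff = self.top - seq
        if diff >= self.size:
            return False                    # left of the window: too old
        return not (self.bitmap & (1 << diff))  # set bit => duplicate

    def update(self, seq):
        """Record seq as received. Must only be called after check(seq) is True."""
        if seq > self.top:
            shift = seq - self.top
            if shift < self.size:
                # slide the window right by `shift`, mark seq (bit 0) as seen
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1             # jumped past the whole window
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def process(window, seqs):
    """Feed received sequence numbers through a window; return (accepted, dropped)."""
    accepted, dropped = [], []
    for s in seqs:
        if window.check(s):
            window.update(s)                # in a real stack: only after ICV verification
            accepted.append(s)
        else:
            dropped.append(s)
    return accepted, dropped


# Constructed inputs for the two scenarios from the text.
REPLAYED = [1, 2, 3, 2, 3, 4]                         # attacker re-injects 2 and 3
REORDERED_IN_WINDOW = [1, 2, 3, 5, 4]                 # mild reordering, still inside window
QOS_DELAYED = [1, 2, 3, 4] + list(range(6, 101)) + [5]  # packet 5 queued behind 95 others

if __name__ == "__main__":
    print("replay, window 64:     ", process(AntiReplayWindow(64), REPLAYED))
    print("reorder, window 64:    ", process(AntiReplayWindow(64), REORDERED_IN_WINDOW))
    print("QoS delay, window 64:  ", process(AntiReplayWindow(64), QOS_DELAYED)[1])
    print("QoS delay, window 128: ", process(AntiReplayWindow(128), QOS_DELAYED)[1])
```

With a 64-packet window the re-injected copies of 2 and 3 are dropped as replays and the mildly reordered packet 4 is still accepted, but the legitimate packet 5 that was held back behind 95 later packets is dropped as "too old". Raising the window to 128 keeps that packet while still rejecting true duplicates, which is why enlarging the window is the better remedy than disabling anti-replay.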

Example

# Enable the anti-replay function.

<Huawei> system-view
[Huawei] ipsec anti-replay enable
Updated: 2019-05-29

Document ID: EDOC1000097293