No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>Search


To have a better experience, please upgrade your IE browser.


AR500, AR510, and AR530 V200R007 Commands Reference

This document describes all the configuration commands of the device, including the command function, syntax, parameters, views, default level, usage guidelines, examples, and related commands.
Rate and give feedback:
Huawei uses machine translation combined with human proofreading to translate this document to different languages in order to help you better understand the content of this document. Note: Even the most advanced machine translation cannot match the quality of professional translators. Huawei shall not bear any responsibility for translation accuracy and it is recommended that you refer to the English document (a link for which has been provided).
ipsec invalid-spi-recovery enable

ipsec invalid-spi-recovery enable


The ipsec invalid-spi-recovery enable command enables the invalid SPI recovery function.

The undo ipsec invalid-spi-recovery enable command disables the invalid SPI recovery function.

By default, the invalid SPI recovery function is disabled.


ipsec invalid-spi-recovery enable

undo ipsec invalid-spi-recovery enable




System view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

When the IPSec SA is lost on Gateway_1 on one end of an IPSec tunnel, the corresponding IKE SA may still exist on Gateway_1. However, Gateway_2 on the other end of the IPSec tunnel still maintains the IPSec SA. If Gateway_1 receives IPSec packets encapsulated by Gateway_2 using the IPSec SA, Gateway_1 discards the packets because it cannot find the IPSec SA, causing IPSec service interruption for a long period of time. Gateway_1 stops discarding packets when dead peer detection (DPD) shows that the IPSec SA is invalid or the SA lifetime has expired.

In this case, you can run this command to enable the invalid SPI recovery function. If Gateway_1 receives IPSec packets with an invalid SPI, Gateway_1 sends an INVALID SPI NOTIFY message to Gateway_2. After receiving the message, Gateway_2 immediately deletes the IPSec SA matching the invalid SPI. When Gateway_2 sends IPSec packets to Gateway_1, the two ends re-negotiate an IPSec SA to restore the IPSec service.


The invalid SPI recovery function may lead to denial of service (DoS) attacks.


# Enable the invalid SPI recovery function.

<Huawei> system-view
[Huawei] ipsec invalid-spi-recovery enable
Updated: 2019-05-29

Document ID: EDOC1000097293

Views: 88818

Downloads: 121

Average rating:
This Document Applies to these Products
Related Documents
Related Version
Previous Next