ipsec invalid-spi-recovery enable
Function
The ipsec invalid-spi-recovery enable command enables the invalid SPI recovery function.
The undo ipsec invalid-spi-recovery enable command disables the invalid SPI recovery function.
By default, the invalid SPI recovery function is disabled.
Usage Guidelines
Usage Scenario
Consider an IPSec tunnel between Gateway_1 and Gateway_2. If the IPSec SA is lost on Gateway_1 while the corresponding IKE SA remains, Gateway_2 still holds the IPSec SA and keeps sending IPSec packets protected with it. Gateway_1 cannot find an IPSec SA matching the SPI carried in those packets and discards them. Because the IKE SA still exists, Gateway_1 by default also sends a DELETE SA INFORMATIONAL message to Gateway_2, which then immediately deletes the IPSec SA matching the invalid SPI. When Gateway_2 next has traffic for Gateway_1, the two ends re-negotiate an IPSec SA and the IPSec service is restored.
If, however, Gateway_1 has lost both the IKE SA and the IPSec SA, it has no IKE SA over which to send the DELETE SA INFORMATIONAL message. Gateway_2 keeps using the stale IPSec SA until dead peer detection (DPD) declares the peer dead or the SA lifetime expires, so the IPSec service stays interrupted for a long time. Enabling the invalid SPI recovery function addresses this case: when Gateway_1 receives IPSec packets carrying an SPI it cannot match, it triggers IKE negotiation with Gateway_2, the two ends re-negotiate an IPSec SA, and the IPSec service is restored.
Precautions
Because an unmatched SPI now triggers IKE negotiation, the invalid SPI recovery function exposes the device to denial of service (DoS) attacks: an attacker who sends IPSec packets with forged SPIs can make the device initiate IKE negotiations repeatedly. Enable the function only where this exposure is acceptable.
When the device applies an IPSec policy created from an IPSec policy template, or has the respond-only enable command configured, the ipsec invalid-spi-recovery enable command does not take effect. In both cases the device only responds to IKE negotiations and never initiates them, so it cannot trigger the recovery negotiation.
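The following model walks through the two usage scenarios above and the DoS precaution. It is an added illustration, not Huawei device code: a gateway keeps its IKE SA and IPSec SA state in plain dictionaries, looks up each received packet by SPI, and on a miss either sends a DELETE (IKE SA present), waits for DPD (no IKE SA, recovery disabled), or triggers a new negotiation (recovery enabled). The per-gateway `trigger_budget` that caps recovery-triggered negotiations is an assumed knob introduced only to show the DoS exposure; it is not a documented device setting, and the peer names and the spoofed source address are made up.

```python
"""Toy model of invalid SPI handling between two IPSec gateways (added illustration,
not Huawei device code).  trigger_budget is an assumed rate limit, not a real knob."""
import secrets

NETWORK = {}   # name -> Gateway that really answers IKE; spoofed sources are absent


class Gateway:
    def __init__(self, name, invalid_spi_recovery=False, trigger_budget=3):
        self.name = name
        self.invalid_spi_recovery = invalid_spi_recovery
        self.trigger_budget = trigger_budget  # assumed cap on recovery-triggered IKE
        self.ike_sa = set()    # peers with which an IKE SA exists
        self.inbound = {}      # inbound SPI -> peer that sends on it
        self.outbound = {}     # peer -> SPI we send on
        self.ike_attempts = 0  # IKE negotiations this gateway has initiated
        NETWORK[name] = self

    def negotiate(self, peer_name):
        """Initiate IKE with peer_name.  If the peer exists, both sides get an IKE SA
        and a fresh IPSec SA pair; if not, the attempt only costs us."""
        self.ike_attempts += 1
        peer = NETWORK.get(peer_name)
        if peer is None:
            return False
        self.ike_sa.add(peer_name)
        peer.ike_sa.add(self.name)
        to_me, to_peer = secrets.randbits(32), secrets.randbits(32)
        self.inbound[to_me] = peer_name
        peer.outbound[self.name] = to_me
        peer.inbound[to_peer] = self.name
        self.outbound[peer_name] = to_peer
        return True

    def on_delete(self, sender, spi):
        """DELETE SA INFORMATIONAL from sender: tear down the IPSec SA pair with that
        peer, but only if the SPI really is ours, so a forged SPI cannot knock out a
        healthy SA."""
        if self.outbound.get(sender) == spi:
            del self.outbound[sender]
            self.inbound = {s: p for s, p in self.inbound.items() if p != sender}

    def receive(self, src, spi):
        """ESP receive path for one packet from src carrying spi."""
        if self.inbound.get(spi) == src:
            return "accepted"
        if src in self.ike_sa:
            # First scenario: the IKE SA survives, so a protected DELETE goes out now.
            NETWORK[src].on_delete(self.name, spi)
            return "dropped, DELETE sent"
        if not self.invalid_spi_recovery:
            # Second scenario, feature off: nothing happens until DPD or lifetime expiry.
            return "dropped, waiting for DPD"
        if self.trigger_budget == 0:
            return "dropped, recovery rate-limited"
        # Second scenario, feature on: the unknown SPI itself triggers IKE negotiation.
        self.trigger_budget -= 1
        self.negotiate(src)
        return "dropped, renegotiated"

    def send(self, peer_name):
        """Send one protected packet, negotiating first if we hold no IPSec SA."""
        if peer_name not in self.outbound and not self.negotiate(peer_name):
            return "no IKE response"
        return NETWORK[peer_name].receive(self.name, self.outbound[peer_name])

    def lose_state(self, peer_name, keep_ike_sa):
        """Simulate losing IPSec (and optionally IKE) state toward peer_name."""
        self.outbound.pop(peer_name, None)
        self.inbound = {s: p for s, p in self.inbound.items() if p != peer_name}
        if not keep_ike_sa:
            self.ike_sa.discard(peer_name)


def scenario_ike_sa_survives():
    """Gateway_1 loses only the IPSec SA; Gateway_2 keeps sending."""
    g1, g2 = Gateway("Gateway_1"), Gateway("Gateway_2")
    g2.negotiate("Gateway_1")
    g1.lose_state("Gateway_2", keep_ike_sa=True)
    return [g2.send("Gateway_1") for _ in range(2)]


def scenario_everything_lost(recovery):
    """Gateway_1 loses both SAs; compare recovery disabled and enabled."""
    g1 = Gateway("Gateway_1", invalid_spi_recovery=recovery)
    g2 = Gateway("Gateway_2")
    g2.negotiate("Gateway_1")
    g1.lose_state("Gateway_2", keep_ike_sa=False)
    return [g2.send("Gateway_1") for _ in range(3)]


def scenario_spoofed_spis(packets=10, budget=3):
    """Precaution: forged ESP packets from a source that never completes IKE.
    Returns (IKE attempts Gateway_1 made, packets the assumed budget absorbed)."""
    g1 = Gateway("Gateway_1", invalid_spi_recovery=True, trigger_budget=budget)
    results = [g1.receive("203.0.113.9", secrets.randbits(32)) for _ in range(packets)]
    return g1.ike_attempts, results.count("dropped, recovery rate-limited")


if __name__ == "__main__":
    print(scenario_ike_sa_survives())
    print(scenario_everything_lost(False), scenario_everything_lost(True))
    print(scenario_spoofed_spis(10, 3), scenario_spoofed_spis(10, 10))
```

With recovery disabled every packet after the loss is dropped until DPD acts; with it enabled the first unmatched packet triggers the negotiation and the next one is accepted. The spoofed-SPI scenario shows why the precaution matters: without the assumed budget, ten forged packets cost ten IKE attempts.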