HP 6125XLG R2306-HP 6125XLG Blade Switch Security Command Reference - Page 260

Usage guidelines Changing the anti-replay window size affects only the IPsec SAs negotiated later. In some cases, some service data packets might be received in a very different order than their original order, and the IPsec anti-replay function might drop them as replayed packets, affecting normal communications. If this happens, disable IPsec anti-replay checking or adjust the size of the anti-replay window as required. Examples # Set the size of the anti-replay window to 128. system-view [Sysname] ipsec anti-replay window 128 Related commands ipsec anti-replay check ipsec decrypt-check enable Use ipsec decrypt-check enable to enable ACL checking for de-encapsulated IPsec packets. Use undo ipsec decrypt-check to disable ACL checking for de-encapsulated IPsec packets. Syntax ipsec decrypt-check enable undo ipsec decrypt-check enable Default ACL checking for de-encapsulated IPsec packets is enabled. Views System view Predefined user roles network-admin Usage guidelines In tunnel mode, the IP packet encapsulated in an inbound IPsec packet might not be under the protection of the ACL specified in the IPsec policy. After being de-encapsulated, such packets bring threats to the network security. In this scenario, you can enable ACL checking for de-encapsulated IPsec packets. All packets failing the checking are discarded, improving the network security. Examples # Enable ACL checking for de-encapsulated IPsec packets. system-view [Sysname] ipsec decrypt-check enable ipsec logging packet enable Use ipsec logging packet enable to enable logging for IPsec packets. Use undo ipsec logging packet enable to disable logging for IPsec packets. 251