HP 6125XLG R2306-HP 6125XLG Blade Switch Security Command Reference - Page 297
ike invalid-spi-recovery enable
View all HP 6125XLG manuals
Add to My Manuals
Save this manual to your list of manuals |
Page 297 highlights
user-fqdn user-fqdn-name : Uses the user FQDN name as the identity. The user-fqdn-name argument is a case-sensitive string of 1 to 255 characters, for example, [email protected]. If you do not specify this argument, the device name configured by using the sysname command is used as the user FQDN. Usage guidelines The global identity can be used by the device for all IKE SA negotiations, and the local identity (set by the local-identity command) can be used only by the device that uses the IKE profile. In pre-shared key authentication, you cannot set the DN as the identity. In signature authentication: • You can set any type of the identity information. • The ike signature-identity from-certificate command sets the local device to always use the identity information obtained from the local certificate. • If the ike signature-identity from-certificate command is not set, the local-identity command configuration, if configured, takes precedence over the ike identity command configuration. Examples # Set the IP address 2.2.2.2 as the identity. system-view [sysname] ike identity address 2.2.2.2 Related commands • local-identity • ike signature-identity from-certificate ike invalid-spi-recovery enable Use ike invalid-spi-recovery enable to enable invalid security parameter index (SPI) recovery. Use undo ike invalid-spi-recovery enable to restore the default. Syntax ike invalid-spi-recovery enable undo ike invalid-spi-recovery enable Default SPI recovery is disabled. Views System view Predefined user roles network-admin Usage guidelines IPsec "black hole" occurs when one IPsec peer fails (for example, a peer can fail if a reboot occurs). One peer fails and loses its SAs with the other peer. When an IPsec peer receives a data packet for which it cannot find an SA, an invalid SPI is encountered. The peer drops the data packet and tries to send an SPI invalid notification to the data originator. This notification is sent by using the IKE SA. When no IKE SA is available, the notification is not sent. The originating peer continues sending the data by using the IPsec SA that has the invalid SPI, and the receiving peer keeps dropping the traffic. 288