HP 6125XLG R2306-HP 6125XLG Blade Switch Security Command Reference - Page 298

The invalid SPI recovery feature enables the receiving peer to set up an IKE SA with the originator so that an SPI invalid notification can be sent. Upon receiving the notification, the originating peer deletes the IPsec SA that has the invalid SPI. If the originator has data to send, new SAs will be set up. Use caution when enabling the invalid SPI recovery feature because using this feature can result in a DoS attack. Attackers can fabric a great number of invalid SPI notifications to the same peer. Examples # Enable invalid SPI recovery. system-view [Sysname] ike invalid-spi-recovery enable ike keepalive interval Use ike keepalive interval to enable sending IKE keepalives and set the sending interval. Use undo ike keepalive interval to restore the default. Syntax ike keepalive interval seconds undo ike keepalive interval Default No IKE keepalives are sent. Views System view Predefined user roles network-admin Parameters seconds: Specifies the number of seconds between IKE keepalives, in the range of 20 to 28800. Usage guidelines To detect the status of the peer, configure IKE DPD instead of the IKE keepalive function unless IKE DPD is not supported on the peer. The keepalive timeout time configured at the local must be longer than the keepalive interval configured at the peer. Since it seldom occurs that more than three consecutive packets are lost on a network, you can set the keepalive timeout three times as long as the keepalive interval. Examples # Set the keepalive interval to 200 seconds system-view [Sysname] ike keepalive interval 200 Related commands ike keepalive timeout ike keepalive timeout Use ike keepalive timeout to set the IKE keepalive timeout time. 289