Table of Contents
Advertisement
3Com Command Reference Guide — V1.00
4.1.29 ipsec sa dynamic-detect
Syntax
ipsec sa dynamic-detect
undo ipsec sa dynamic-detect
View
System view
Parameter
None
Description
Using the ipsec sa dynamic-detect command, you can enable the tunnel to detect
the reachability of the remote route. Using the undo ipsec sa dynamic-detect
command, you can disable the tunnel to detect the reachability of the remote route.
By default, the reachability of the remote route is not detected by the tunnel.
The command is applied to the operating system IPSec and crypto card.
With this command, you can decide whether or not to enable the tunnel to detect the
reachability of the remote route when timeout occurs at the second stage of IPSec
negotiation.
When a main link and a backup link exist between the routers, both ends will create
SAs in IKE mode dynamically. Once the main link goes into down state, the
communication will be performed on the backup link automatically, in this case, a new
SA pair corresponding to the backup link will be created (including the SAs at the first
stage and the second stage), but the previous SA pair on the main link is not deleted
in time. Once the SA at the second stage on the main link timeouts and is released
(SA at the first stage still exists), the communication will be performed on the main
link again if the main link restores, which may result in the inconsistency of the SAs at
the first stage saved on both the local and the remote routers and the IPSec tunnel
cannot be established. After the detect is enabled, it can be ensured that the SA at
the first stage will be released when the SA at the second stage is released, so as to
make sure that a new SA pair will be reestablished when the main link is in up state.
In this way, the IPSec tunnel can be created correctly.
For related commands, see ipsec sa global-duration.
72
- Quick Links:
- Command Line Interface Commands
Hide quick links:
Advertisement
Chapters
Table of Contents
