Enabling Invalid Spi Recovery - HP MSR Series Configuration Manual

1. The local device sends a DPD message to the peer, and waits for a response from the peer.
2. If the peer does not respond within the retry interval specified by the retry seconds parameter, the local device resends the message.
3. If still no response is received within the retry interval, the local end sends the DPD message again. The system allows a maximum of two retries.
4. If the local device receives no response after two retries, the device considers the peer to be dead, and deletes the IKE SA along with the IPsec SAs it negotiated.
5. If the local device receives a response from the peer during the detection process, the peer is considered alive. The local device performs a DPD detection again when the triggering interval is reached or it has traffic to send, depending on the DPD mode.
Follow these guidelines when you configure the IKE DPD function:
When DPD settings are configured in both IKE profile view and system view, the DPD settings
in IKE profile view apply. If DPD is not configured in IKE profile view, the DPD settings in system
view apply.
It is a good practice to set the triggering interval longer than the retry interval so that a DPD
detection is not triggered during a DPD retry.
To configure IKE DPD:

Step                                 Command                                                                       Remarks
1. Enter system view.                system-view                                                                   N/A
2. Enable sending IKE DPD messages.  ike dpd interval interval-seconds [ retry seconds ] { on-demand | periodic }   By default, IKE DPD is disabled.

Enabling invalid SPI recovery

An IPsec "black hole" occurs when one IPsec peer fails (for example, because it reboots) and loses its SAs with the other peer. When the failed peer then receives a data packet for which it cannot find an SA, it has encountered an invalid SPI. It drops the data packet and tries to send an SPI invalid notification to the data originator. This notification is carried by the IKE SA, and because no IKE SA is available, the notification is not sent. The originating peer continues sending data on the IPsec SA that has the invalid SPI, and the receiving peer keeps dropping that traffic.

The invalid SPI recovery feature enables the receiving peer to set up an IKE SA with the originator so that the SPI invalid notification can be sent. Upon receiving the notification, the originating peer deletes the IPsec SA that has the invalid SPI. If the originator has data to send, new SAs are set up.

Use caution when you enable invalid SPI recovery, because the feature can be abused for a DoS attack: attackers can trigger a great number of invalid SPI notifications to the same peer.

To enable invalid SPI recovery:

Step                             Command                           Remarks
1. Enter system view.            system-view                       N/A
2. Enable invalid SPI recovery.  ike invalid-spi-recovery enable   By default, invalid SPI recovery is disabled.
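The black hole and the recovery exchange described above, as an added Python model that is not part of this manual or of the MSR software: the Peer class, the SPI values and the log wording are constructed for illustration, and a full IKE/IPsec negotiation is reduced to a table update.

```python
import itertools
from dataclasses import dataclass, field

@dataclass
class Peer:
    name: str
    inbound_spis: set = field(default_factory=set)    # IPsec SAs this peer can receive on
    outbound_spi: dict = field(default_factory=dict)  # peer name -> SPI used to send to it
    ike_peers: set = field(default_factory=set)       # peers this device holds an IKE SA with
    invalid_spi_recovery: bool = False                # models "ike invalid-spi-recovery enable"
    recovery_ike_setups: int = 0                      # IKE SAs built only to carry a notification
    log: list = field(default_factory=list)

def negotiate(a, b, spi_ab, spi_ba):
    """Stand-in for a full IKE + IPsec negotiation; the SPIs are constructed values."""
    a.ike_peers.add(b.name); b.ike_peers.add(a.name)
    a.outbound_spi[b.name] = spi_ab; b.inbound_spis.add(spi_ab)
    b.outbound_spi[a.name] = spi_ba; a.inbound_spis.add(spi_ba)

def reboot(p):
    """The failure that creates the black hole: the peer loses all of its SAs."""
    p.inbound_spis.clear(); p.outbound_spi.clear(); p.ike_peers.clear()

def transmit(src, dst, spis):
    """src has one packet for dst. Returns 'delivered', 'black-holed' or 'notified'."""
    if dst.name not in src.outbound_spi:          # no IPsec SA: negotiate new ones first
        negotiate(src, dst, next(spis), next(spis))
    spi = src.outbound_spi[dst.name]
    if spi in dst.inbound_spis:
        return "delivered"
    # dst cannot find an SA for this SPI: the packet is dropped
    if src.name not in dst.ike_peers:
        if not dst.invalid_spi_recovery:
            dst.log.append(f"drop spi={spi:#x} from {src.name}: no IKE SA, notification not sent")
            return "black-holed"
        # recovery: build an IKE SA with the originator just to send the notification
        dst.ike_peers.add(src.name); src.ike_peers.add(dst.name)
        dst.recovery_ike_setups += 1
    dst.log.append(f"drop spi={spi:#x} from {src.name}: SPI invalid notification sent")
    del src.outbound_spi[dst.name]                # originator deletes the IPsec SA on notification
    return "notified"

def run(recovery_enabled, packets=4):
    """A and B negotiate, B reboots, then A sends `packets` packets to B."""
    spis = itertools.count(0x1000)
    a, b = Peer("A"), Peer("B", invalid_spi_recovery=recovery_enabled)
    negotiate(a, b, next(spis), next(spis))
    reboot(b)
    return [transmit(a, b, spis) for _ in range(packets)], b
```

With recovery disabled every packet is black-holed; with it enabled the first packet costs B one IKE SA setup and a notification, after which A renegotiates and traffic flows, which is also why each unknown-SPI source is a resource cost worth watching.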
