Ike Limit; Ike Logging Negotiation Enable - H3C MSR Series Command Reference Manual

Comware 7 security

Hide thumbs Also See for MSR Series:

Table of Contents

ike limit

Use ike limit to set the maximum number of half-open or established IKE SAs.

Use undo ike limit to restore the default.

ike limit { max-negotiating-sa negotiation-limit | max-sa sa-limit }

undo ike limit { max-negotiating-sa | max-sa }

There is no limit to the maximum number of half-open or established IKE SAs.

Predefined user roles

network-admin

max-negotiating-sa negotiation-limit: Specifies the maximum number of half-open IKE SAs and

IPsec SAs. The value range for the negotiation-limit argument is 1 to 99999.

max-sa sa-limit: Specifies the maximum number of established IKE SAs. The value range for the

sa-limit argument is 1 to 99999.

Usage guidelines

The supported maximum number of half-open IKE SAs depends on the device's processing

capability. Adjust the maximum number of half-open IKE SAs to make full use of the device's

processing capability without affecting the IKE SA negotiation efficiency.

The supported maximum number of established IKE SAs depends on the device's memory space.

Adjust the maximum number of established IKE SAs to make full use of the device's memory space

without affecting other applications in the system.

# Set the maximum number of half-open IKE SAs and IPsec SAs to 200.

<Sysname> system-view

[Sysname] ike limit max-negotiating-sa 200

# Set the maximum number of established IKE SAs to 5000.

<Sysname> system-view

[Sysname] ike limit max-sa 5000

Use ike logging negotiation enable to enable logging for IKE negotiation.

Use undo ike logging negotiation packet enable to disable logging for IKE negotiation.

ike logging negotiation enable

undo ike logging negotiation enable

Logging for IKE negotiation is disabled.