R21xx-HP FlexFabric 11900 Security Command Reference
244
Use caution when enabling the invalid SPI recovery feature because using this feature can result in a DoS
attack. Attackers can fabric a great number of invalid SPI notifications to the same peer.
Examples
# Enable invalid SPI recovery.
<Sysname> system-view
[Sysname] ike invalid-spi-recovery enable
ike keepalive interval
Use ike keepalive interval to enable sending IKE keepalive messages and set the sending interval.
Use undo ike keepalive interval to restore the default.
Syntax
ike keepalive interval seconds
undo ike keepalive interval
Default
No IKE keepalive messages are sent.
Views
System view
Predefined user roles
network-admin
Parameters
seconds: Specifies the number of seconds between IKE keepalive messages, in the range of 20 to
28800.
Usage guidelines
To detect the status of the peer, configure IKE DPD instead of the IKE keepalive function unless IKE DPD
is not supported on the peer.
The keepalive timeout time configured at the local must be longer than the keepalive interval configured
at the peer. Since it seldom occurs that more than three consecutive packets are lost on a network, you
can set the keepalive timeout three times as long as the keepalive interval.
Examples
# Set the keepalive interval to 200 seconds
<Sysname> system-view
[Sysname] ike keepalive-timer interval 200
Related commands
ike keepalive timeout
ike keepalive timeout
Use ike keepalive timeout to set the IKE keepalive timeout time.
Use undo ike keepalive timeout to restore the default.