Enabling invalid spi recovery, Setting the maximum number of ike sas, Configuring snmp notifications for ike – H3C Technologies H3C S12500-X Series Switches User Manual


Enabling invalid SPI recovery

An IPsec "black hole" occurs when one IPsec peer fails (for example, because it reboots) and loses its SAs with the other peer, while the other peer still holds them. When the recovered peer receives a data packet for which it cannot find an SA, it has encountered an invalid SPI. The peer drops the packet and tries to send an SPI invalid notification to the originator. This notification is sent over the IKE SA, and because no IKE SA is available, it cannot be sent. The originating peer keeps sending data with the IPsec SA whose SPI is now invalid, and the receiving peer keeps dropping the traffic.

The invalid SPI recovery feature enables the receiving peer to set up an IKE SA with the originator so that the SPI invalid notification can be sent. Upon receiving the notification, the originating peer deletes the IPsec SA that has the invalid SPI. If the originator still has data to send, new SAs are set up.

Use caution when you enable invalid SPI recovery, because the feature can be abused for a DoS attack: an attacker can send the peer a large number of packets carrying invalid SPIs, and each one makes the peer start an IKE negotiation in order to send an invalid SPI notification. Limiting the number of half-open IKE SAs (see "Setting the maximum number of IKE SAs") bounds the resources such a flood can consume.
To enable invalid SPI recovery:

Step 1: Enter system view.
    Command: system-view
    Remarks: N/A

Step 2: Enable invalid SPI recovery.
    Command: ike invalid-spi-recovery enable
    Remarks: By default, invalid SPI recovery is disabled.


Setting the maximum number of IKE SAs

You can set the maximum number of half-open IKE SAs and the maximum number of established IKE SAs. A half-open IKE SA is one whose negotiation has started but not yet completed.

The supported maximum number of half-open IKE SAs depends on the device's processing capability. Adjust this limit to make full use of the device's processing capability without affecting IKE SA negotiation efficiency. Because every unanswered negotiation occupies a half-open entry until it times out, this limit also caps the state that a flood of bogus negotiations can consume.

The supported maximum number of established IKE SAs depends on the device's memory space. Adjust this limit to make full use of the device's memory space without affecting other applications on the system.

To set the limit on the number of IKE SAs:

Step 1: Enter system view.
    Command: system-view
    Remarks: N/A

Step 2: Set the maximum number of half-open IKE SAs and the maximum number of established IKE SAs.
    Command: ike limit { max-negotiating-sa negotiation-limit | max-sa sa-limit }
    Remarks: By default, there is no limit on the number of IKE SAs.
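The following model ties the two preceding sections together: it plays out the black hole described under "Enabling invalid SPI recovery" with the feature off and on, then reproduces the DoS caveat (a flood of packets with forged SPIs from sources that never answer) and shows how the half-open limit from "Setting the maximum number of IKE SAs" bounds it. It is an added example written for this page, not Comware code or H3C's implementation; the peer structure, the return strings, the SPI values and the helper names are assumptions made for illustration, and the IKE exchange is reduced to "a negotiation that either completes or stays half-open".

```python
"""Model of the IPsec black hole, invalid SPI recovery and the half-open IKE SA
limit. Added illustration, not Comware code: field names, return strings and
SPI values are assumptions made for the example."""
from dataclasses import dataclass, field
from typing import Optional
import itertools

_spi = itertools.count(0x1000)  # constructed SPI values, not real ones


@dataclass
class Peer:
    name: str
    invalid_spi_recovery: bool = False            # ike invalid-spi-recovery enable
    max_negotiating_sa: Optional[int] = None      # ike limit max-negotiating-sa
    ike_sas: set = field(default_factory=set)     # established IKE SAs, by remote name
    half_open: set = field(default_factory=set)   # IKE SAs still negotiating
    inbound: dict = field(default_factory=dict)   # SPI we accept -> remote name
    outbound: dict = field(default_factory=dict)  # remote name -> SPI we send with
    dropped: int = 0

    def reboot(self) -> None:
        """Lose all SA state; the remote side keeps its copy (the black hole)."""
        for table in (self.ike_sas, self.half_open, self.inbound, self.outbound):
            table.clear()


def ike_negotiate(initiator: Peer, remote_name: str, remote: Optional[Peer]) -> bool:
    """Start an IKE SA negotiation. remote=None models a forged source that never
    replies, so the entry stays half-open. Returns True once an IKE SA exists."""
    limit = initiator.max_negotiating_sa
    if limit is not None and len(initiator.half_open) >= limit:
        return False                      # max-negotiating-sa reached: refuse to start
    initiator.half_open.add(remote_name)
    if remote is None:
        return False                      # no answer; negotiation stays half-open
    initiator.half_open.discard(remote_name)
    initiator.ike_sas.add(remote_name)
    remote.ike_sas.add(initiator.name)
    return True


def ipsec_negotiate(a: Peer, b: Peer) -> None:
    """Set up a pair of IPsec SAs (one SPI per direction) over an existing IKE SA."""
    spi_ab, spi_ba = next(_spi), next(_spi)
    a.outbound[b.name], b.inbound[spi_ab] = spi_ab, a.name
    b.outbound[a.name], a.inbound[spi_ba] = spi_ba, b.name


def receive(b: Peer, spi: int, src: Optional[Peer], src_name: Optional[str] = None) -> str:
    """b handles one ESP packet carrying spi from src (or from a forged src_name)."""
    if spi in b.inbound:
        return "delivered"
    b.dropped += 1                        # invalid SPI: the packet is always dropped
    name = src.name if src is not None else src_name
    if name not in b.ike_sas:
        if not b.invalid_spi_recovery:
            return "dropped silently (black hole)"
        if not ike_negotiate(b, name, src):
            return "dropped, INVALID_SPI notify not sent"
    if src is not None:
        src.outbound.pop(b.name, None)    # originator deletes the IPsec SA it was using
    return "dropped, INVALID_SPI notify sent"


def send(a: Peer, b: Peer) -> str:
    """a sends one ESP packet to b, negotiating IKE and IPsec SAs if it has none."""
    if b.name not in a.outbound:
        if b.name not in a.ike_sas and not ike_negotiate(a, b.name, b):
            return "not sent: IKE negotiation refused"
        ipsec_negotiate(a, b)
    return receive(b, a.outbound[b.name], a)


def black_hole_scenario(recovery: bool) -> list:
    """B reboots after the SAs are up; A keeps sending with the stale SPI."""
    a, b = Peer("A"), Peer("B", invalid_spi_recovery=recovery)
    results = [send(a, b)]
    b.reboot()
    results.append(send(a, b))            # stale SPI: dropped; notified only with recovery
    results.append(send(a, b))            # with recovery, A has deleted its SA and renegotiates
    return results


def flood_scenario(recovery: bool, limit: Optional[int], packets: int = 50) -> int:
    """Forged packets with bogus SPIs from distinct fake sources; returns how many
    IKE negotiations B is left holding half-open (the DoS the manual warns about)."""
    b = Peer("B", invalid_spi_recovery=recovery, max_negotiating_sa=limit)
    for i in range(packets):
        receive(b, 0xDEAD0000 + i, None, src_name=f"forged-{i}")
    return len(b.half_open)


if __name__ == "__main__":
    print("recovery off:", black_hole_scenario(False))
    print("recovery on: ", black_hole_scenario(True))
    for rec, lim in ((False, None), (True, None), (True, 8)):
        print(f"recovery={rec} max-negotiating-sa={lim}: half-open={flood_scenario(rec, lim)}")
```

With recovery off the third packet is still swallowed by the black hole; with recovery on it is delivered because the notification made A discard its stale SA. The flood runs show the trade-off the manual describes: recovery turns every forged SPI into a half-open negotiation, and only the max-negotiating-sa limit keeps that count bounded.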


Configuring SNMP notifications for IKE

After you enable SNMP notifications for IKE, the IKE module notifies the NMS of important module events. The notifications are sent to the device's SNMP module. You can configure the notification transmission parameters for the SNMP module to specify how the SNMP module displays notifications. For more
