ipsec sa global anti-replay

Function

The ipsec sa global anti-replay window command sets the IPSec anti-replay window size globally.

The undo ipsec sa global anti-replay window command restores the global anti-replay window size to default configuration.

The ipsec sa global anti-replay disable command cancels the anti-replay function globally.

The undo ipsec sa global anti-replay disable command starts the anti-replay function globally.

By default, the anti-replay function is enabled globally, and the global anti-replay window size is 1024.

This command is supported only on the NetEngine 8000 F1A.

Format

ipsec sa global anti-replay { disable | window { window-size } }

undo ipsec sa global anti-replay { disable | window }

Parameters

Parameter: disable
Description: Disables the anti-replay function globally.
Value: -

Parameter: window-size
Description: Indicates the anti-replay window size.
Value: An integer that can take one of the following values: 32, 64, 128, 256, 512 or 1024.

Views

System view

Default Level

2: Configuration level

Task Name and Operations

Task Name: ike
Operations: write

Usage Guidelines

When packet sequence numbers are checked globally, disable the global anti-replay switch (ipsec sa global anti-replay disable) if packets are being lost and, at the same time, a large number of packets are being discarded on the tunnel as replays. If only a small number of packets are discarded on the tunnel as replays, consider the anti-replay setting under the IPSec policy instead.

If the current network is subject to replay attacks, enable the anti-replay switch. If the network scenario is more complex, such that packets cannot be expected to arrive in their normal sequence, you can disable the anti-replay switch.
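The trade-off above (a window too small for the reordering on the path drops legitimate packets as stale, while a genuine replay is rejected at any size) is easier to see with a model of the check itself. The following is an added example, not Huawei code: a sliding anti-replay window in the style of RFC 4303 Appendix A, accepting the same window sizes as this command; the sequence numbers fed to it are constructed.

```python
# Added example (not Huawei code): an IPsec-style sliding anti-replay window
# modelled on RFC 4303 Appendix A. Shows why reordering beyond the window
# looks like packet loss, while a true replay is rejected at every size.

VALID_WINDOW_SIZES = (32, 64, 128, 256, 512, 1024)  # values this command accepts


class AntiReplayWindow:
    """Tracks received ESP sequence numbers with a fixed-size sliding bitmap."""

    def __init__(self, window_size=1024):
        if window_size not in VALID_WINDOW_SIZES:
            raise ValueError(f"window size must be one of {VALID_WINDOW_SIZES}")
        self.size = window_size
        self.highest = 0        # highest sequence number accepted so far
        self.bitmap = 0         # bit i set => sequence number (highest - i) was seen

    def check_and_update(self, seq):
        """Return 'accept', 'replay' or 'too_old' for sequence number seq."""
        if seq == 0:
            return "replay"     # sequence number 0 is never valid (RFC 4303)
        if seq > self.highest:
            # Advance the window: slide the bitmap and mark the new right edge.
            shift = seq - self.highest
            self.bitmap = (self.bitmap << shift) if shift < self.size else 0
            self.bitmap = (self.bitmap | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return "accept"
        offset = self.highest - seq
        if offset >= self.size:
            return "too_old"    # left of the window: dropped as stale
        if self.bitmap & (1 << offset):
            return "replay"     # already received: a replay
        self.bitmap |= 1 << offset
        return "accept"         # late but inside the window: accepted


def run_sequence(window_size, seqs):
    """Feed seqs through a fresh window and return the list of verdicts."""
    window = AntiReplayWindow(window_size)
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed burst: packets 1..50 where packet 10 arrives 40 positions late.
    late = [s for s in range(1, 51) if s != 10] + [10]
    print("window 32:", run_sequence(32, late)[-1])   # too_old
    print("window 64:", run_sequence(64, late)[-1])   # accept
```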

Example

# Set the IPSec anti-replay window size as 512.
<HUAWEI> system-view
[~HUAWEI] ipsec sa global anti-replay window 512
Copyright © Huawei Technologies Co., Ltd.