(Optional) Configuring Automatic Restoration of Lost IPSec Flows

The device automatically restores data flows for encryption that are lost due to device faults.

Context

In IPSec service scenarios, device faults may cause the loss of existing data flows for encryption and prevent their automatic restoration. The device does not provide corresponding notifications, and faults of this type are discovered only after the service is compromised.

After you configure automatic restoration of lost IPSec flows, the system queries and reacquires related flow table information from the IKE process or other CPUs to automatically restore lost flow tables and record logs.

Restrictions and Precautions

This function can only be triggered by IPSec service packets in data flows for encryption that are lost.
This function cannot restore ACL configuration information lost due to device faults. You must reconfigure IPSec policies and bind them to interfaces to address this issue.
In certain scenarios, this function is triggered by failures in IPSec decrypted packet inspection. In these scenarios, the IPSec decrypted packet inspection function must be enabled. Otherwise, automatic restoration of these flows does not function properly. You can run the ipsec decryp check command to enable the IPSec decrypted packets inspection function.
This function affects the channel performance and throughput of the device during operation.

Procedure

Run the system-view command to access the system view.
Run the ipsec share-flow recover enable command to enable automatic restoration of lost IPSec flows.
By default, automatic restoration of lost IPSec flows is enabled.

When this function is enabled and the device serves as the template end, if the system discovers that certain flows are lost, it queries and reacquires flow table information from the IKE process or other CPUs to automatically restore lost flow table information and record log information IPSEC_ADP/4/FLOWSELFHEAL.