The ipsec np-sa delete quick command enables the function of quickly deleting the IPSec SA on the NP chip.
The undo ipsec np-sa delete quick command disables the function of quickly deleting the IPSec SA on the NP chip.
By default, the function of quickly deleting the IPSec SA on the NP chip is disabled.
Usage Scenario
This command is supported in V600R007C20SPC600 and later versions.
After the IPSec tunnel is torn down or re-negotiated, the SA is kept for a period of time before it is deleted, so that encrypted packets still on the link can be decrypted when they reach the local device. After the ipsec np-sa delete quick command is run, the SA on the NP chip is deleted immediately after the IPSec tunnel is torn down. The SA on the CPU, however, is still deleted only after a delay.
Precautions
If IPSec intelligent uplink steering and sticky load balancing functions are enabled on the peer device and IPSec hardware-based fast forwarding is enabled on the local device, traffic cannot be forwarded after an IPSec link switchover in some extreme cases. To solve this problem, run the ipsec np-sa delete quick command. In other cases, you are advised not to enable this function.