ipsec share-flow recover enable

Function

The ipsec share-flow recover enable command enables automatic restoration of lost IPSec flows.

The undo ipsec share-flow recover enable command disables automatic restoration of lost IPSec flows.

By default, automatic restoration of lost IPSec flows is enabled.

Format

ipsec share-flow recover enable

undo ipsec share-flow recover enable

Parameters

None

Views

System view

Default Level

2: Configuration level

Usage Guidelines

Application Scenarios

In IPSec service scenarios, existing to-be-encrypted data flows may be lost due to device faults and cannot be automatically restored. The device generates no corresponding notification, so faults of this type are discovered only after the service is compromised.

When automatic restoration of lost IPSec flows is enabled and the device serves as the template end, if the system discovers that certain flows are lost, it queries and re-acquires flow table information from the IKE process or other CPUs to automatically restore the lost flow table information, and records the log IPSEC_ADP/4/FLOWSELFHEAL.
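
Because lost flows otherwise produce no notification and each automatic restoration records IPSEC_ADP/4/FLOWSELFHEAL, that log is the signal to monitor. The following is an added example, not Huawei's code, that flags devices repeatedly logging the event in collected syslog; the line layout, host names, window and threshold are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

MNEMONIC = "IPSEC_ADP/4/FLOWSELFHEAL"  # log identifier named on this page
# Assumed line layout (not from the page): "<ISO-8601 time> <hostname> <message>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")

def recurring_self_heal(lines, window=timedelta(minutes=10), threshold=3):
    """Return {host: peak count} for hosts that logged the self-heal event
    at least `threshold` times within any `window`. Both limits are assumed
    tuning values, not vendor guidance."""
    events = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or MNEMONIC not in m.group(3):
            continue
        try:
            ts = datetime.fromisoformat(m.group(1))
        except ValueError:
            continue  # skip lines whose timestamp does not parse
        events[m.group(2)].append(ts)

    flagged = {}
    for host, stamps in events.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1  # slide the window forward
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[host] = peak
    return flagged

# Constructed sample lines; only the mnemonic comes from the page.
SAMPLE = [
    "2024-05-01T10:00:05 gw-a IPSEC_ADP/4/FLOWSELFHEAL: constructed message",
    "2024-05-01T10:02:10 gw-a IPSEC_ADP/4/FLOWSELFHEAL: constructed message",
    "2024-05-01T10:03:00 gw-b IPSEC_ADP/4/FLOWSELFHEAL: constructed message",
    "2024-05-01T10:04:30 gw-a OTHER/6/EVENT: constructed unrelated message",
    "2024-05-01T10:07:45 gw-a IPSEC_ADP/4/FLOWSELFHEAL: constructed message",
    "2024-05-01T11:30:00 gw-b IPSEC_ADP/4/FLOWSELFHEAL: constructed message",
    "not-a-timestamp gw-b IPSEC_ADP/4/FLOWSELFHEAL: constructed message",
]

if __name__ == "__main__":
    for host, count in recurring_self_heal(SAMPLE).items():
        print(f"{host}: {count} self-heal events within 10 minutes")
```

A device that keeps self-healing is still losing flows, so a flagged host points to an underlying fault that the restoration is masking.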

Precautions
  • This function can only be triggered by IPSec service packets in to-be-encrypted data flows that are lost.
  • This function cannot restore ACL configuration information lost due to device faults. If IPSec flows are lost for this reason, you must reconfigure the IPSec policies and bind them to the interface to address the issue.
  • In certain scenarios, this function is triggered by failures in IPSec decrypted packets inspection, so the IPSec decrypted packets inspection function must be enabled. If the IPSec decrypted packets inspection function is disabled, automatic restoration of lost IPSec flows triggered by this function becomes invalid. You can run the ipsec decryp check command to enable the IPSec decrypted packets inspection function.
  • This function affects the channel performance and throughput of the device during operation.

Example

# Enable automatic restoration of lost IPSec flows.

<sysname> system-view
[sysname] ipsec share-flow recover enable
Copyright © Huawei Technologies Co., Ltd.