
sa keep-holding-to hard-duration

Function

The sa keep-holding-to hard-duration command configures the device to delete the original IPSec SA after the hard lifetime expires during IPSec SA re-negotiation.

The undo sa keep-holding-to hard-duration command configures the device to delete the original IPSec SA immediately after it uses the new IPSec SA to transmit data during IPSec SA re-negotiation.

By default, during IPSec SA re-negotiation, the device deletes the original IPSec SA immediately after using the new IPSec SA to transmit data.

Format

sa keep-holding-to hard-duration

undo sa keep-holding-to hard-duration

Parameters

None

Views

ISAKMP IPSec policy view, IPSec policy template view

Default Level

2: Configuration level

Usage Guidelines

Usage Scenario

After a new IPSec SA is negotiated, if the peer device still uses the original IPSec SA to transmit data while the local device deletes the original IPSec SA immediately after using the new IPSec SA to transmit data, the IPSec SAs on the two devices will be different. This will cause IPSec traffic interruption. In this case, you are advised to run the sa keep-holding-to hard-duration command to enable the local device to delete the original IPSec SA after the hard lifetime expires.
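The mismatch described above can be followed on a small timeline model. The Python below is an added example, not Huawei code or device output; the SA labels, the tick values and the peer's switch-over time are assumptions chosen for illustration.

```python
"""Toy timeline of an IPSec SA re-negotiation (added example, simplified model)."""

OLD, NEW = "original-SA", "new-SA"   # labels for the two SA generations (constructed)


def dropped_ticks(keep_holding, rekey_at=3, peer_switch_at=6, hard_expiry=10, ticks=12):
    """Return the ticks at which the local device drops the peer's packet.

    keep_holding=True  models 'sa keep-holding-to hard-duration'
    keep_holding=False models the default ('undo sa keep-holding-to hard-duration')
    All timing values are assumptions, not values from any device.
    """
    installed = {OLD}                      # SAs the local device currently holds
    dropped = []
    for now in range(ticks):
        if now == rekey_at:
            installed.add(NEW)             # re-negotiation finished
        if now >= hard_expiry:
            installed.discard(OLD)         # hard lifetime of the original SA expired
        # Local device transmits on the new SA as soon as it exists.
        if NEW in installed and not keep_holding:
            installed.discard(OLD)         # default: delete right after using the new SA
        # Peer transmits; it keeps using the original SA until peer_switch_at.
        peer_sa = NEW if now >= peer_switch_at else OLD
        if peer_sa not in installed:
            dropped.append(now)            # no matching SA locally: traffic interrupted
    return dropped


if __name__ == "__main__":
    print("default      :", dropped_ticks(keep_holding=False))
    print("keep-holding :", dropped_ticks(keep_holding=True))
```

In this model the default behaviour loses the peer's packets between the re-negotiation and the peer's switch to the new SA, while keeping the original SA until its hard lifetime expires loses none.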

Precautions

This command takes effect only for IPSec SAs established through IKEv1 negotiation.

Example

# Configure the device to delete the original IPSec SA after the hard lifetime expires during IPSec SA re-negotiation.

<sysname> system-view
[sysname] ipsec policy policy1 1 isakmp
[sysname-ipsec-policy-isakmp-policy1-1] sa keep-holding-to hard-duration
Copyright © Huawei Technologies Co., Ltd.