The security acl-rule modification response disable command disables the device from immediately triggering IPSec tunnel re-negotiation after an ACL rule is modified.
The undo security acl-rule modification response disable command enables the device to immediately trigger IPSec tunnel re-negotiation after an ACL rule is modified.
By default, the device immediately triggers IPSec tunnel re-negotiation after an ACL rule is modified.
security acl-rule modification response disable
undo security acl-rule modification response disable
Usage Scenario
When multiple branches connect to the headquarters and the headquarters modifies an ACL rule, by default the headquarters immediately triggers IPSec tunnel re-negotiation with all branches. As a result, IPSec traffic between the headquarters and all branches is interrupted for a short time. If you want only the IPSec tunnel between the headquarters and a specific branch to be re-negotiated after the ACL rule for that branch is modified in the headquarters, run the security acl-rule modification response disable command in the headquarters to stop the device from immediately triggering IPSec tunnel re-negotiation after an ACL rule is modified.
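The following is an added configuration example; it is not part of the original page and is not vendor-supplied sample configuration. It assumes a Huawei VRP device on which advanced ACL 3001 is the ACL referenced by one branch's IPSec policy, and that the command is run in the system view (the page does not state the view). The device name, ACL number and IP addresses are constructed.

```text
# Assumption: system view; ACL 3001 is the IPSec ACL of a single branch (constructed values)
<HQ> system-view
[HQ] security acl-rule modification response disable
# Modifying the branch's ACL rule no longer triggers immediate re-negotiation with every branch
[HQ] acl 3001
[HQ-acl-adv-3001] rule 10 permit ip source 10.1.1.0 0.0.0.255 destination 10.20.1.0 0.0.0.255
[HQ-acl-adv-3001] quit
# Restore the default (immediate re-negotiation with all branches after any ACL rule change)
[HQ] undo security acl-rule modification response disable
```

After the rule change, the tunnels of the other branches should remain established; the assumed way to confirm this on the headquarters device is to check the IPSec SAs with display ipsec sa before and after the modification.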
Precautions
This command does not apply to static route injection scenarios. This is because, even after the security acl-rule modification response disable command is executed, modifying an ACL rule immediately deletes the injected static routes and generates new static routes.
If DSCP is not configured in the ACL rule that a branch uses to negotiate the setup of an IPSec tunnel with the headquarters, and the security acl-rule modification response disable command is executed in the headquarters, the command does not take effect when DSCP is configured or modified in the headquarters. That is, after the ACL rule is modified, the device immediately triggers IPSec tunnel re-negotiation.