591 system-view[sysname] ike identity address 2.2.2.2Related commandslocal-identityike signature-identity from-certificateike invalid-spi-recovery enableUse ike invalid-spi-recovery enable to enable invalid security parameter index (SPI) recovery.Use undo ike invalid-spi-recovery enable to disable invalid SPI recovery.Syntaxike invalid-spi-recovery enableundo ike invalid-spi-recovery enableDefaultInvalid SPI recovery is disabled.ViewsSystem viewPredefined user rolesnetwork-adminUsage guidelinesIPsec "black hole" occurs when one IPsec peer fails (for example, a peer can fail if a reboot occurs).One peer fails and loses its SAs with the other peer. When an IPsec peer receives a data packet forwhich it cannot find an SA, an invalid SPI is encountered. The peer drops the data packet and tries tosend an SPI invalid notification to the data originator. This notification is sent by using the IKE SA.When no IKE SA is available, the notification is not sent. The originating peer continues sending thedata by using the IPsec SA that has the invalid SPI, and the receiving peer keeps dropping the traffic.The invalid SPI recovery feature enables the receiving peer to set up an IKE SA with the originator sothat an SPI invalid notification can be sent. Upon receiving the notification, the originating peerdeletes the IPsec SA that has the invalid SPI. If the originator has data to send, new SAs will be setup.Use caution when you enable the invalid SPI recovery feature, because using this feature can resultin a DoS attack. Attackers can make a great number of invalid SPI notifications to the same peer.Examples# Enable invalid SPI recovery. system-view[Sysname] ike invalid-spi-recovery enableike keepalive intervalUse ike keepalive interval to set the IKE keepalive interval.Use undo ike keepalive interval to restore the default.Syntaxike keepalive interval intervalundo ike keepalive interval