which it cannot find an SA, an invalid SPI is encountered. The peer drops the data packet and tries to send an SPI invalid notification to the data originator. This notification is sent by using the IKE SA. Because no IKE SA is available, the notification is not sent. The originating peer continues sending the data by using the IPsec SA that has the invalid SPI, and the receiving peer keeps dropping the traffic.

The invalid SPI recovery feature enables the receiving peer to set up an IKE SA with the originator so that an SPI invalid notification can be sent. Upon receiving the notification, the originating peer deletes the IPsec SA that has the invalid SPI. If the originator has data to send, new SAs will be set up.

Use caution when enabling the invalid SPI recovery feature because using this feature can result in a DoS attack. Attackers can fabricate a great number of invalid SPI notifications to the same peer.

To enable invalid SPI recovery:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Enable invalid SPI recovery. | ike invalid-spi-recovery enable | By default, invalid SPI recovery is disabled. |

Setting the maximum number of IKE SAs

You can set the maximum number of half-open IKE SAs and the maximum number of established IKE SAs.

• The supported maximum number of half-open IKE SAs depends on the device's processing capability. Adjust the maximum number of half-open IKE SAs to make full use of the device's processing capability without affecting the IKE SA negotiation efficiency.
• The supported maximum number of established IKE SAs depends on the device's memory space. Adjust the maximum number of established IKE SAs to make full use of the device's memory space without affecting other applications in the system.

To set the maximum number of IKE SAs:

| Step | Command | Remarks |
|---|---|---|
| 1. Enter system view. | system-view | N/A |
| 2. Set the maximum number of half-open IKE SAs and the maximum number of established IKE SAs. | ike limit { max-negotiating-sa negotiation-limit \| max-sa sa-limit } | By default, there is no limit to the maximum number of IKE SAs. |

Displaying and maintaining IKE

Execute display commands in any view and reset commands in user view.

| Task | Command |
|---|---|
| Display configuration information about all IKE proposals. | display ike proposal |
| Display information about the current IKE SAs. | display ike sa [ verbose [ connection-id connection-id \| remote-address [ ipv6 ] remote-address [ vpn-instance vpn-name ] ] ] |
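The following Python model is an added illustration, not code from this guide or from the device software. It replays the invalid SPI recovery behavior described above and shows why a half-open IKE SA limit matters when recovery is enabled. It assumes that a recovery attempt toward a source that never completes IKE leaves a half-open IKE SA, and that the limit refuses new negotiations once reached; all class, function, and peer names are hypothetical.

```python
# Toy model (constructed; not device code). All names are hypothetical.
from dataclasses import dataclass, field

@dataclass
class Receiver:
    recovery: bool            # models "ike invalid-spi-recovery enable"
    max_negotiating: int = 0  # models "ike limit max-negotiating-sa"; 0 = no limit
    ipsec_spis: set = field(default_factory=set)
    ike_sas: set = field(default_factory=set)    # peers with an established IKE SA
    half_open: set = field(default_factory=set)  # peers with IKE negotiation pending
    refused: int = 0

    def on_data(self, src, spi, src_answers_ike=True):
        """Handle one IPsec data packet: 'deliver', 'drop' or 'drop+notify'."""
        if spi in self.ipsec_spis:
            return "deliver"
        if src not in self.ike_sas:
            if not self.recovery:
                return "drop"  # no IKE SA, so the notification cannot be sent
            if src not in self.half_open:
                if self.max_negotiating and len(self.half_open) >= self.max_negotiating:
                    self.refused += 1  # assumption: the cap refuses new negotiations
                    return "drop"
                self.half_open.add(src)
            if not src_answers_ike:
                return "drop"  # assumption: the negotiation stays half-open
            self.half_open.discard(src)
            self.ike_sas.add(src)
        return "drop+notify"  # SPI invalid notification sent over the IKE SA

def stale_sa_run(recovery, packets=5):
    """Count drops while an originator sends on an SPI the receiver lost."""
    rx, spi, dropped = Receiver(recovery=recovery), 0x1000, 0
    for _ in range(packets):
        result = rx.on_data("peer-a", spi)
        if result == "deliver":
            continue
        dropped += 1
        if result == "drop+notify":  # originator deletes the SA, sets up a new one
            spi += 1
            rx.ipsec_spis.add(spi)
    return dropped

def unknown_spi_burst(limit, sources=1000):
    """Unknown-SPI packets from many sources that never complete IKE."""
    rx = Receiver(recovery=True, max_negotiating=limit)
    for i in range(sources):
        rx.on_data(f"src-{i}", 0xDEAD, src_answers_ike=False)
    return len(rx.half_open), rx.refused
```

With recovery disabled, every packet on the stale SPI is dropped; with recovery enabled, only the first is. In the burst case the model's half-open count grows with the number of sources unless a limit is set.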