Specify a maximum number of IKEv2 half-open IKE SAs allowed per firewall, above which cookie validation is triggered. When the number of half-open IKE SAs exceeds the Cookie Activation Threshold, the Responder will request a cookie, and the Initiator must respond with an IKE_SA_INIT containing a cookie. If the cookie validation is successful, another SA session can be initiated.

A value of 0 means that cookie validation is always on.

The Cookie Activation Threshold is a global firewall setting and should be lower than the Maximum Half Opened SA setting, which is also global (range is 0 to 65535; default is 500).

Specify the maximum number of IKEv2 half-open IKE SAs that Initiators can send to the firewall without getting a response. Once the maximum is reached, the firewall will not respond to new IKE_SA_INIT packets (range is 1 to 65535; default is 65535).