End-of-Life (EoL)

Cookie Activation Threshold and Strict Cookie Validation

Cookie validation is always enabled for IKEv2; it protects the responder against denial-of-service attacks that try to exhaust it with half-open SAs (IKE_SA_INIT exchanges that are started but never completed). You can configure the global threshold number of half-open SAs that triggers cookie validation, and you can configure individual IKE gateways to enforce cookie validation for every new IKEv2 SA.
  • The Cookie Activation Threshold is a global VPN session setting that limits the number of simultaneous half-open IKE SAs (default is 500). When the number of half-open IKE SAs exceeds the Cookie Activation Threshold, the Responder answers a new IKE_SA_INIT with a cookie challenge instead of an IKE_SA_INIT response, and the Initiator must retransmit its IKE_SA_INIT carrying that cookie before the Responder continues the exchange. If the cookie validation is successful, the new SA proceeds. A value of 0 means that cookie validation is always on.
    The Responder does not maintain state for the Initiator, nor does it perform the Diffie-Hellman key exchange, until the Initiator returns the cookie; an attacker sending IKE_SA_INIT messages from spoofed source addresses never receives the cookie, so no state is created on its behalf. This is how IKEv2 cookie validation mitigates a DoS attack that tries to leave numerous connections half open.
    The Cookie Activation Threshold must be lower than the Maximum Half Opened SA setting. If you change the Cookie Activation Threshold for IKEv2 to a very high number (for example, 65534) while the Maximum Half Opened SA setting remains at its default value of 65535, cookie validation is effectively disabled: the cookie challenge would begin only one SA before the hard limit is reached.
  • You can enable Strict Cookie Validation if you want cookie validation performed for every new IKEv2 SA a gateway receives, regardless of the global threshold. Strict Cookie Validation affects only the IKE gateway being configured and is disabled by default. With Strict Cookie Validation disabled, the system uses the Cookie Activation Threshold to determine whether a cookie is needed.
