session (Security IKE)
Syntax
session {
    full-open {
        incoming-exchange-max-rates {
            ike-rekey value;
            ipsec-rekey value;
            keepalive value;
        }
    }
    half-open {
        timeout seconds;
        backoff-timeouts {
            init-phase-failure value;
            auth-phase-failure value;
        }
        discard-duplicate;
        max-count value;
        thresholds {
            send-cookie count;
            reduce-timeout count timeout seconds;
        }
    }
}
Hierarchy Level
[edit security ike]
Description
Defines IKE session configuration.
Use this hierarchy to set the system-level parameters that govern how the local device handles IKE negotiations with remote peers. These settings are meant for high-load scenarios: they bound how many half-open (initiated but not yet fully established) IKE SAs a responder holds and for how long, what happens when a peer fails or repeats an initiation, and how fast an established peer may drive rekey and keepalive exchanges.
Options
full-open
    Define the full-open IKE session parameters, that is, limits that apply after an IKE SA has been established.
half-open
    Define the half-open IKE session parameters, that is, limits that apply while an IKE SA is still being negotiated.
incoming-exchange-max-rates
    Define the full-open IKE session incoming exchange maximum rates. Use this statement to cap the rate of the exchanges that the remote peer initiates after the IKE SA is established.
    ike-rekey value
        Maximum rate of peer-initiated IKE SA rekey exchanges.
    ipsec-rekey value
        Maximum rate of peer-initiated IPsec SA rekey exchanges.
    keepalive value
        Maximum rate of peer-initiated keepalive exchanges, also known as dead peer detection (DPD).
backoff-timeouts
    Define the half-open IKE session backoff timeouts. After a session initiation from a remote peer fails, that peer is not allowed to start a new initiation until the backoff timeout has elapsed; once it expires, the peer can initiate again.
    auth-phase-failure value
        Backoff timeout applied after a failure during the IKE_AUTH phase.
    init-phase-failure value
        Backoff timeout applied after a failure during the IKE_INIT phase.
discard-duplicate
    Discard duplicate IKE session initiation requests from a peer. When a half-open IKE SA already exists for the same remote peer, further initiation requests from that peer are dropped without any response.
max-count value
    Maximum number of half-open IKE sessions in which the local device is the responder.
thresholds
    Define the half-open IKE session thresholds: the half-open IKE SA counts at which the device starts taking action against new connections. The values are percentages of the total half-open IKE SAs. If you set the
    reduce-timeout count
        Minimum number of half-open IKE sessions at which the reduce-timeout action is enforced. Above this threshold, new half-open IKE SAs are created with a reduced lifetime.
        timeout seconds
            The reduced lifetime, in seconds, given to new half-open IKE SAs once the reduce-timeout threshold is reached.
    send-cookie count
        Minimum number of half-open IKE sessions at which the cookie action is enforced. Above this threshold, the device answers a new initiation with a cookie in its initial response and requires the remote peer to retry the initiation carrying that cookie.
timeout seconds
    Half-open IKE session timeout. This is the lifetime of a half-open IKE SA and applies whether the local device is the initiator or the responder.
The remaining statements are explained separately. See CLI Explorer.
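A worked configuration for a responder that terminates many inbound tunnels, added here as an example; it is not taken from Juniper documentation or from a device. Every numeric value is an illustrative assumption: this page does not state valid ranges, defaults or the unit of the rate values, and it assumes the threshold percentages are measured against max-count, so confirm each with ? on the device before committing.

```junos
# Added example, not vendor defaults. Lines starting with # are reader
# annotations; paste only the set lines into configuration mode.

# Hold at most 1000 responder-side half-open IKE SAs, each living 30 s.
set security ike session half-open max-count 1000
set security ike session half-open timeout 30

# Drop repeat initiations from a peer that already has a half-open SA.
set security ike session half-open discard-duplicate

# A peer that failed IKE_INIT must wait 30 s before trying again; one that
# failed IKE_AUTH (bad credentials or policy mismatch) waits 60 s.
set security ike session half-open backoff-timeouts init-phase-failure 30
set security ike session half-open backoff-timeouts auth-phase-failure 60

# At 60% of max-count, demand a cookie round trip from new initiators.
# At 80%, cut the lifetime of new half-open SAs to 10 s so a flood cannot
# pin table entries for the full 30 s.
set security ike session half-open thresholds send-cookie 60
set security ike session half-open thresholds reduce-timeout 80 timeout 10

# Once an IKE SA is up, cap how fast the peer may drive rekeys and DPD.
# Unit of these values is assumed; check it with ? on the device.
set security ike session full-open incoming-exchange-max-rates ike-rekey 5
set security ike session full-open incoming-exchange-max-rates ipsec-rekey 20
set security ike session full-open incoming-exchange-max-rates keepalive 60
```

After commit, show configuration security ike session displays the hierarchy in the form shown under Syntax. The cookie threshold is deliberately set below the reduce-timeout threshold: a cookie costs the responder no state and forces the initiator to prove it can receive traffic at its claimed source address, so it is the cheaper first line of defense, while shortening lifetimes is the fallback for initiators that do complete the cookie exchange and still never finish IKE_AUTH.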
Required Privilege Level
security—To view this statement in the configuration.
security-control—To add this statement to the configuration.
Release Information
session statement introduced in Junos OS Release 23.4R1.