
session (Security IKE)

Syntax

Hierarchy Level

Description

Defines IKE session configuration.

At this hierarchy level you set system-wide parameters of IKE sessions that govern how the device negotiates with remote peers. The parameters exist to keep the device responsive under high load, in particular when many half-open IKE SAs accumulate (for example during an IKE_SA_INIT flood from spoofed sources) or when an established peer sends rekey or keepalive exchanges faster than the device should have to process them.

Options

full-open

Define the parameters for full-open IKE sessions, that is, IKE SAs for which the IKE_AUTH exchange has completed and the SA is established.

half-open

Define the parameters for half-open IKE sessions, that is, IKE SAs for which the IKE_SA_INIT exchange has started but IKE_AUTH has not yet completed. Half-open SAs consume state before the peer has been authenticated, which is why they are limited separately.

incoming-exchange-max-rates

Define the maximum rates of incoming exchanges on full-open IKE sessions. Use these parameters to cap the rate of the various exchanges that a remote peer can initiate after the IKE SA is established; exchanges arriving faster than the configured rate are not processed.

ike-rekey value

Specify the value of the incoming peer initiated IKE rekey maximum rate.

  • Format: Specify the value in [count]/[duration in seconds] format.

  • Value: Range is [1 – 86400] / [1 – 86400].

ipsec-rekey value

Specify the value of the incoming peer initiated IPsec SA rekey maximum rate.

  • Format: Specify the value in [count]/[duration in seconds] format.

  • Value: Range is [1 – 86400] / [1 – 86400].

keepalive value

Specify the maximum rate of peer-initiated keepalive (dead peer detection, DPD) exchanges.

  • Format: Specify the value in [count]/[duration in seconds] format.

  • Value: Range is [1 – 86400] / [1 – 86400].

backoff-timeouts

Define the backoff timeouts for half-open IKE sessions.

A backoff timeout is the period after a failed session initiation during which the same remote peer cannot start a new session initiation; requests from that peer arriving within the period are not accepted. When the backoff timeout expires, the peer can initiate a new session.

auth-phase-failure value

Specify the backoff timeout when there's a failure during the IKE_AUTH phase.

  • Value: Range is 1 - 180 seconds.

  • Default: Disabled

init-phase-failure value

Specify the backoff timeout when there's a failure during the IKE_INIT phase.

  • Value: Range is 1 - 180 seconds.

  • Default: Disabled

discard-duplicate

Discard duplicate IKE session initiation requests from a peer.

When a half-open IKE SA already exists for the same remote peer, a further IKE initiation request from that peer is discarded without any response, so a peer that retransmits or floods IKE_SA_INIT cannot make the device build a second half-open SA or spend cycles answering it.

    • Default: Disabled

max-count value

Maximum number of half-open IKE sessions in which the local end is the responder. Once this count is reached, no further responder-side half-open IKE SAs are created.

  • Value: 1-10000

  • Default: 300

thresholds

Define the thresholds for half-open IKE sessions. Each threshold is a half-open IKE SA count at which the device starts applying an action to new connection attempts.

The thresholds are compared against the current number of half-open IKE SAs on the device; the reduce-timeout and send-cookie arguments take a count in the same 1-10000 range as max-count, and a threshold only has an effect if it is lower than max-count.

If you set max-count explicitly, all thresholds are disabled unless you also configure them explicitly (the default send-cookie value of 250 no longer applies).

reduce-timeout count

Specify the minimum number of half-open IKE sessions at which the reduce-timeout action is enforced.

When the half-open IKE SA count reaches this value, new half-open IKE SAs are created with the reduced lifetime given by the timeout option below instead of the normal half-open timeout, so that stale entries from unresponsive or spoofed initiators are reclaimed sooner.

  • Value: Range is 1 - 10000.

  • Default: Disabled

timeout seconds

Specify the reduced timeout value.

  • Value: Range is 1 - 180 seconds.

  • Default: Disabled

send-cookie count

Specify the minimum number of half open IKE sessions for enforcing cookie action.

When the half-open IKE SA count reaches this value, the device stops creating state for new IKE_SA_INIT requests and instead returns a cookie in the initial response, requiring the remote peer to retry its session initiation with that cookie (the IKEv2 COOKIE mechanism). This filters out initiators that spoof their source address, because they never receive the cookie.

  • Value: Range is 1 - 10000.

  • Default: 250.

If you configure max-count explicitly, this default no longer applies and send-cookie stays disabled unless you configure it explicitly.

timeout seconds

Specify the timeout of a half-open IKE session. This is the lifetime of a half-open IKE SA; if the session is not fully established within this time, the SA is deleted. It applies whether the local end is the initiator or the responder.

  • Value: Range is 1 - 180 seconds.

  • Default: 60
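The following configuration is an added example and is not part of the original reference page or of any Junos OS sample. It assumes the session statement sits at the [edit security ike] hierarchy (the page does not show the hierarchy level) and that reduce-timeout and its timeout are written on one line; the numeric values are illustrative. It shows a responder hardened against half-open floods together with rate caps on an established peer's exchanges:

```junos
security {
    ike {
        /* Added example, not from the original page; hierarchy and values are assumptions. */
        session {
            full-open {
                incoming-exchange-max-rates {
                    /* Format is count/seconds: at most 5 peer-initiated IKE rekeys per minute. */
                    ike-rekey 5/60;
                    /* Child SA rekeys are more frequent, so allow more of them. */
                    ipsec-rekey 20/60;
                    /* One DPD probe every 5 seconds is plenty; faster than that is capped. */
                    keepalive 12/60;
                }
            }
            half-open {
                /* Setting max-count explicitly disables the default send-cookie threshold of 250, */
                /* so every threshold that should still apply is configured explicitly below. */
                max-count 1000;
                /* Normal lifetime of a half-open SA, shorter than the 60 s default. */
                timeout 30;
                thresholds {
                    /* At 500 half-open SAs, answer IKE_SA_INIT with a cookie challenge instead of state. */
                    send-cookie 500;
                    /* At 800, new half-open SAs live only 10 s so stale entries are reclaimed quickly. */
                    reduce-timeout 800 timeout 10;
                }
                /* Drop repeated IKE_SA_INIT from a peer that already has a half-open SA. */
                discard-duplicate;
                backoff-timeouts {
                    /* A peer whose IKE_SA_INIT failed must wait 30 s before trying again. */
                    init-phase-failure 30;
                    /* A peer that failed IKE_AUTH (bad credentials) waits 60 s. */
                    auth-phase-failure 60;
                }
            }
        }
    }
}
```

The thresholds are deliberately ordered below max-count: cookie challenges start first and cost the device nothing but a stateless reply, the reduced lifetime then limits how long any remaining half-open entries occupy the table, and max-count is the last resort at which new responder-side sessions are refused outright. Because an explicit max-count silently disables the default send-cookie threshold, always restate send-cookie when you tune max-count; otherwise the device loses its cheapest defence against spoofed-source floods.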

The remaining statements are explained separately. See CLI Explorer.

Required Privilege Level

security—To view this statement in the configuration.

security-control—To add this statement to the configuration.

Release Information

session statement introduced in Junos OS Release 23.4R1.