Cisco Packet Data Interworking Function (PDIF) Troubleshooting Guide
Crypto Template Configuration Mode Commands
Cisco ASR 5000 Series Command Line Interface Reference
OL-22948-01
dos cookie-challenge notify-payload
Configures the cookie challenge parameters for IKEv2 INFO Exchange notify payloads for the given crypto template.
Product
PDIF
Privilege
Security Administrator, Administrator
Syntax
The default is the disabled condition.
Prevents Denial of Service cookie transmission. This is the default condition.
The half-open-sess-count is the number of half-open sessions per IPsec
manager. A session is defined as half-open if a PDIF has responded to an IKEv2 INIT Request with an IKEv2
INIT Response, but no further message was received on that particular IKE SA.
start - The functionality starts when the current half-open-sess-count exceeds the start count. The
start count is an integer from 0 to 100000.
stop - The functionality stops when the current half-open-sess-count drops below the stop count.
The stop count is an integer from 0 to 100000. It is always less than or equal to the start
count.
Important:
The start count value 0 is a special case whereby this feature is always enabled. In this event, both
start and stop must be 0.
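The start and stop counts described above form a hysteresis band on the half-open session count. The following Python model is an added illustration, not Cisco code and not part of the original reference; the class and function names are hypothetical and the sample counts are constructed.

```python
# Added illustration of the start/stop thresholds; not Cisco code.
# CookieChallengeGate and trace are hypothetical names.

MAX_COUNT = 100000  # documented upper bound for the start and stop counts


class CookieChallengeGate:
    """Hysteresis on the half-open session count of one IPsec manager."""

    def __init__(self, start, stop):
        for name, value in (("start", start), ("stop", stop)):
            if not isinstance(value, int) or not 0 <= value <= MAX_COUNT:
                raise ValueError(f"{name} must be an integer from 0 to {MAX_COUNT}")
        if stop > start:
            raise ValueError("stop must be less than or equal to start")
        self.start = start
        self.stop = stop
        # Special case: start 0 (which forces stop 0) means always enabled.
        self.always_on = start == 0
        self.active = self.always_on

    def update(self, half_open):
        """Feed the current half-open count; return True while challenging."""
        if self.always_on:
            return True
        # Boundaries follow the wording "exceeds" and "drops below".
        if not self.active and half_open > self.start:
            self.active = True
        elif self.active and half_open < self.stop:
            self.active = False
        return self.active


def trace(start, stop, samples):
    """Return the challenge state after each successive sample."""
    gate = CookieChallengeGate(start, stop)
    return [gate.update(n) for n in samples]


# Constructed sample: unanswered IKEv2 INIT requests build up, then subside.
SAMPLES = [10000, 50000, 50001, 35000, 20000, 19999, 35000]

if __name__ == "__main__":
    for n, on in zip(SAMPLES, trace(50000, 20000, SAMPLES)):
        print(f"half-open={n:6d} cookie-challenge={'on' if on else 'off'}")
```

The same count (35000 here) yields a different state depending on whether the start count was crossed earlier, which is why the two counts should be set far enough apart to avoid the feature flapping.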
Usage
This feature (which is disabled by default) helps prevent malicious Denial of Service attacks against the
server by sending a challenge cookie. If the response from the sender does not incorporate the expected
cookie data, the packets are dropped.
Example
The following example configures the cookie challenge to begin when the half-open-sess-count reaches 50000 and stop
when it drops below 20000: