Call Admission Control for IKE

There are two ways to limit the number of IKE SAs that a router can establish to or from another router:

• Configure the absolute IKE SA limit by entering the crypto call admission limit command. The router drops new IKE SA requests when the value has been reached.
• Configure the system resource limit by entering the call admission limit command. The router drops new IKE SA requests when the level of system resources that are configured in the unit of charge is being used.

CAC is applied only to new SAs (that is, when an SA does not already exist between the peers). Every effort is made to preserve existing SAs. Only new SA requests will ever be denied due to a lack of system resources or because the configured IKE SA limit has been reached.

An SA is a description of how two or more entities will utilize security services to communicate securely on behalf of a particular data flow. IKE requires and uses SAs to identify the parameters of its connections. IKE can negotiate and establish its own SA. An IKE SA is used by IKE only, and it is bidirectional. An IKE SA cannot limit IPsec.

IKE drops SA requests based on a user-configured SA limit. To configure an IKE SA limit, enter the crypto call admission limit command. When there is a new SA request from a peer router, IKE determines whether the number of active IKE SAs plus the number of SAs being negotiated meets or exceeds the configured SA limit. If the number is greater than or equal to the limit, the new SA request is rejected and a syslog is generated. This log contains the source destination IP address of the SA request.

The ipsec sa number and ike sa number keyword and argument pairs in the crypto call admission limitcommand set the limit for the number of established IPsec SAs and IKE SAs.

Effective with Cisco IOS Release 12.4(6)T, a limit on the number of in-negotiation IKE connections can be configured. This type of IKE connection represents either an aggressive mode IKE SA or a main mode IKE SA prior to its authentication and actual establishment.

Using the crypto call admission limit ike in-negotiation-sa number command allows the configured number of in-negotiation IKE SAs to start negotiation without contributing to the maximum number of IKE SAs allowed.

The all in-negotiation-sa number and ike in-negotiation-sa number keyword and argument pairs in the crypto call admission limit command limit all the SAs in negotiation and IKE SAs in negotiation.

CAC polls a global resource monitor so that IKE knows when the router is running short of CPU cycles or memory buffers. You can configure a limit, in the range 1 to 100000, that represents the level of system resource usage in system resource usage units. When that level of resources is being used, IKE drops (will not accept new) SA requests. To configure the system resource usage limit, enter the call admission limit command.

For each incoming new SA request, the current load on the router is converted into a numerical value, representing the system resource usage level, and is compared to the resource limit set by the call admission limit command. If the current load is more than the configured resource limit, IKE drops the new SA request. Load on the router includes active SAs, CPU usage, and SA requests being considered.

The call admission load command configures a multiplier value from 0 to 1000 that represents a scaling factor for current system resource usage and a load metric poll rate of 1 to 32 seconds. The numerical value for the system resource usage level is calculated by the formula (scaling factor * current system resource usage) / 100. It is recommended that the call admission load command not be used unless advised by a Cisco Technical Assistance Center (TAC) engineer.

1.    enable

2.    configure terminal

3.    crypto call admission limit {all in-negotiation-sa number | ipsec sa number | ike {in-negotiation-sa number | sa number}}

4.    exit

1.    enable

2.    configure terminal

3.    call admission limit charge

4.    exit

1.    show call admission statistics

2.    show crypto call admission statistics

Router# show call admission statistics
Total Call admission charges: 82, limit 1000
Total calls rejected 1430, accepted 0
Load metric: charge 82, unscaled 82%

Router# show crypto call admission statistics
---------------------------------------------------------------------
               Crypto Call Admission Control Statistics
---------------------------------------------------------------------
System Resource Limit:      111 Max IKE SAs:     0 Max in nego:  1000
Total IKE SA Count:           0 active:          0 negotiating:     0
Incoming IKE Requests:        0 accepted:        0 rejected:        0
Outgoing IKE Requests:        0 accepted:        0 rejected:        0
Rejected IKE Requests:        0 rsrc low:        0 Active SA limit: 0
                                                   In-neg SA limit: 0
IKE packets dropped at dispatch:        0
Max IPSEC SAs:   111
Total IPSEC SA Count:           0 active:          0 negotiating:     0
Incoming IPSEC Requests:        0 accepted:        0 rejected:        0
Outgoing IPSEC Requests:        0 accepted:        0 rejected:        0
Phase1.5 SAs under negotiation:         0