Internet Key Exchange for IPsec VPNs Configuration Guide, Cisco IOS XE Release 3S
Call Admission Control for IKE
Download this chapter
Call Admission Control for IKECall Admission Control for IKE
Download the complete book
Internet Key Exchange for IPsec VPNs Configuration Guide, Cisco IOS XE Release 3SInternet Key Exchange for IPsec VPNs Configuration Guide, Cisco IOS XE Release 3S (PDF - 850 KB)
 Feedback

Contents

Call Admission Control for IKE

Last Updated: December 3, 2012

The Call Admission Control for IKE feature describes the application of Call Admission Control (CAC) to the Internet Key Exchange (IKE) protocol in Cisco IOS software. CAC limits the number of simultaneous IKE security associations (SAs) (that is, calls to CAC) that a device can establish.

Finding Feature Information

Your software release may not support all the features documented in this module. For the latest caveats and feature information, see Bug Search Tool and the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the feature information table at the end of this module.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Prerequisites for Call Admission Control for IKE

  • Configure IKE on the device.

Information About Call Admission Control for IKE

IKE Session

There are two ways to limit the number of Internet Key Exchange (IKE) security associations (SAs) that a device can establish to or from another device:

  • Configure the absolute IKE SA limit by entering the crypto call admission limit command. The device drops new IKE SA requests when the configured limit is reached.
  • Configure the system resource limit by entering the call admission limit command. The device drops new IKE SA requests when the level of system resources that are configured in the unit of charge is being used.

Call Admission Control (CAC) is applied only to new SAs (that is, when an SA does not already exist between peers). Every effort is made to preserve existing SAs. New SA requests are denied due to a lack of system resources or because the configured IKE SA limit is reached.

Security Association Limit

A security association (SA) is a description of how two or more entities will utilize security services to communicate securely on behalf of a particular data flow. Internet Key Exchange (IKE) requires and uses SAs to identify the parameters of its connections. IKE can negotiate and establish its own SA. An IKE SA is used by IKE only, and it is bidirectional. An IKE SA cannot limit IPsec.

IKE drops SA requests based on a user-configured SA limit. To configure an IKE SA limit, enter the crypto call admission limit command. When there is a new SA request from a peer device, IKE determines if the number of active IKE SAs and the number of SAs being negotiated meets or exceeds the configured SA limit. If the number is greater than or equal to the limit, the new SA request is rejected and a syslog is generated. This log contains the source and destination IP addresses of the SA request.

Limit on Number of In-Negotiation IKE Connections

A limit on the number of in-negotiation IKE connections can be configured. This type of IKE connection represents either an aggressive mode IKE SA or a main mode IKE SA prior to its authentication and actual establishment.

Using the crypto call admission limit ike in-negotiation-sa number command allows the configured number of in-negotiation IKE SAs to start negotiation without contributing to the maximum number of IKE SAs allowed.

System Resource Usage

Call Admission Control (CAC) polls a global resource monitor so that Internet Key Exchange (IKE) knows when the device is running short of CPU cycles or memory buffers. You can configure a limit, in the range to 100000, that represents the level of system resource usage in system resource usage units. When the configured level of resources is being used, IKE drops (will not accept new) SA requests. To configure the system resource usage limit, enter the call admission limit command.

For each incoming new SA request, the current load on the device is converted into a numerical value, representing the system resource usage level, and is compared to the resource limit set by the call admission limit command. If the current load is more than the configured resource limit, IKE drops the new SA request. The load on the device includes active SAs, CPU usage, and SA requests being considered.

Use the call admission load command to configure a multiplier value from 0 to 1000 that represents a scaling factor for the current system resource usage and a load metric poll rate of 1 to 32 seconds. The numerical value for the system resource usage level is calculated by the formula (scaling factor * current system resource usage) / 100. It is recommended that the call admission load command not be used unless advised by a Cisco Technical Assistance Center (TAC) engineer.

How to Configure Call Admission Control for IKE

Configuring the IKE Security Association Limit

Perform this task to configure the absolute IKE SA limit. The device drops new IKE SA requests when the limit has been reached.

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    crypto call admission limit {ike {in-negotiation-sa number | sa number}}

4.    exit


DETAILED STEPS
 Command or ActionPurpose
Step 1
enable


Example:

Device> enable

 

Enables privileged EXEC mode.

  • Enter your password if prompted.
 
Step 2
configure terminal


Example:

Device# configure terminal

 

Enters global configuration mode.

 
Step 3
crypto call admission limit {ike {in-negotiation-sa number | sa number}}


Example:

Device(config)# crypto call admission limit ike sa 25

 

Specifies the maximum number of IKE SAs that the device can establish before IKE begins rejecting new SA requests.

 
Step 4
exit


Example:

Device(config)# exit

 

Returns to privileged EXEC mode.

 

Configuring the System Resource Limit

Perform this task to configure the system resource limit. The device drops new IKE SA requests when the level of system resources that are configured in the unit of charge is being used.

SUMMARY STEPS

1.    enable

2.    configure terminal

3.    call admission limit charge

4.    exit


DETAILED STEPS
 Command or ActionPurpose
Step 1
enable


Example:

Device> enable

 

Enables privileged EXEC mode.

  • Enter your password if prompted.
 
Step 2
configure terminal


Example:

Device# configure terminal

 

Enters global configuration mode.

 
Step 3
call admission limit charge


Example:

Device(config)# call admission limit 1000

 

Sets the level of the system resources that, when used, causes IKE to stop accepting new SA requests.

  • charge --Valid values are 1 to 100000.
Note   See "System Resource Usage"
 
Step 4
exit


Example:

Device(config)# exit

 

Returns to privileged EXEC mode.

 

Verifying the Call Admission Control for IKE Configuration

To verify the CAC for IKE configuration, perform the following steps.

SUMMARY STEPS

1.    show call admission statistics

2.    show crypto call admission statistics


DETAILED STEPS
Step 1   show call admission statistics

Use this command to monitor the global CAC configuration parameters and the behavior of CAC.



Example: 
Device# show call admission statistics
Total Call admission charges: 82, limit 1000
Total calls rejected 1430, accepted 0
Load metric: charge 82, unscaled 82%
Step 2   show crypto call admission statistics

Use this command to monitor crypto CAC statistics.



Example: 
Device# show crypto call admission statistics
 
---------------------------------------------------------------------
               Crypto Call Admission Control Statistics
---------------------------------------------------------------------
System Resource Limit: 90 Max IKE SAs: 0 Max in nego: 25
Total IKE SA Count: 359 active: 338 negotiating: 21
Incoming IKE Requests:    1297 accepted:      166 rejected: 1131
Outgoing IKE Requests:    1771 accepted:      195 rejected: 1576
Rejected IKE Requests:    2707 rsrc low:      1314 SA limit: 1393

Configuration Examples for Call Admission Control for IKE

Example: Configuring the IKE Security Association Limit

The following example shows how to specify that there can be a maximum of 25 SAs before IKE starts rejecting new SA requests: 

Device(config)# crypto call admission limit ike sa 25

Example: Configuring the System Resource Limit

The following example shows how to specify that IKE should drop SA requests when the level of system resources that are configured in the unit of charge reaches 9000: 

Device(config)# call admission limit 9000

Additional References for Call Admission Control for IKE

Related Documents

Related Topic

Document Title

Cisco IOS commands

Cisco IOS Master Command List, All Releases

Security commands

IPsec configuration

Configuring Security for VPNs with IPsec

Standards and RFCs

Standard/RFC

Title

RFC 2409

The Internet Key Exchange

Technical Assistance

Description

Link

The Cisco Support and Documentation website provides online resources to download documentation, software, and tools. Use these resources to install and configure the software and to troubleshoot and resolve technical issues with Cisco products and technologies. Access to most tools on the Cisco Support and Documentation website requires a Cisco.com user ID and password.

http://www.cisco.com/cisco/web/support/index.html

Feature Information for Call Admission Control for IKE

The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.

Use Cisco Feature Navigator to find information about platform support and Cisco software image support. To access Cisco Feature Navigator, go to www.cisco.com/go/cfn. An account on Cisco.com is not required.

Table 1Feature Information for Call Admission Control for IKE

Feature Name

Releases

Feature Information

Call Admission Control for IKE

Cisco IOS XE Release 2.1

The Call Admission Control for IKE feature describes the application of Call Admission Control (CAC) to the Internet Key Exchange (IKE) protocol in Cisco IOS software. CAC limits the number of simultaneous IKE security associations (SAs) (that is, calls to CAC) that a device can establish.

The following commands were introduced or modified: call admission limit, clear crypto call admission statistics, crypto call admission limit, show call admission statistics, show crypto call admission statistics.

Ability to Configure a Limit on the Number of In-negotiation IKE Connections

Cisco IOS XE Release 2.1

The Ability to Configure a Limit on the Number of In-negotiation IKE Connections feature allows you to limit the number of in-negotiation IKE connections.

The following command was introduced or modified: crypto call admission limit.

IKEv1 Hardening

Cisco IOS XE Release 3.8S

The IKEv1 Hardening feature describes the enhancements made to the CAC for IKE feature.

The following commands were introduced or modified: crypto call admission limit, show crypto call admission statistics.

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R)

Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.

© 2012 Cisco Systems, Inc. All rights reserved.