IKEv2 SA-INIT Throttling in ePDG

Feature History

Table 1. Feature History
Feature Name: Network Overload Protection in ePDG

Description: This feature manages incoming IKEv2 SA-INIT requests during high Call Events Per Second (CEPS) conditions and ensures system stability when the incoming subscriber connection rate increases.

CLI introduced: To enable the feature, use either of the following commands:

  • network-overload-protection epdg-new-connections-per-second val action drop

  • network-overload-protection epdg-new-connections-per-second val action drop queue-size val wait-time val

To disable the feature, use the default network-overload-protection epdg-new-connections-per-second command.

Overview

The network overload protection mechanism in the ePDG (Evolved Packet Data Gateway) manages incoming IKEv2 SA-INIT requests during high Call Events Per Second (CEPS) conditions. This mechanism ensures system stability by implementing an IKEv2 SA-INIT request throttling process, which regulates the flow of incoming subscriber connections when the connection rate increases significantly.

How the throttling mechanism works

When the number of incoming subscribers connecting to the system increases significantly, it may lead to system instability, resulting in subscriber loss and a decline in Key Performance Indicators (KPIs).

To address this issue, the ePDG supports throttling of IKEv2 SA-INIT requests by configuring the following parameters:

  • New Connections Accept Rate: Specifies the rate at which SA-INIT requests can be accepted and processed by the system.

  • Throttling Queue Size: Specifies the size of the queue to store excess SA-INIT incoming requests.

  • Wait Time: Specifies the maximum duration packets can remain in the throttling queue.

The key stages of the throttling mechanism in ePDG are:

  • The ePDG employs a dedicated pacing queue within the IPSec Demux Manager to regulate the flow of new incoming requests.

  • When enabled, under high CEPS conditions where the rate of SA-INIT requests consistently exceeds the configured threshold, the queue may become full, prompting the IPSec Demux Manager to drop any excess SA-INIT requests. The IPSec Demux Manager also ensures that all requests are forwarded to IPSECMGR at a controlled pace.

  • When disabled, no throttling or pacing is applied, and all requests are directly forwarded to IPSECMGR.
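
The following Python sketch is an added example, not Cisco code: a simplified tick-based model of a pacing queue with the three parameters above, showing when requests are dropped because the queue is full versus discarded for waiting too long. The 100 ms tick, the offered load of 3000 requests per second, and all function names are assumptions for illustration.

```python
from collections import deque

TICKS_PER_SEC = 10  # assumed model granularity (100 ms); not an ePDG value


def simulate_pacing(offered_rate, seconds, accept_rate, queue_size, wait_time):
    """Toy model of a pacing queue; counters mirror the SA-INIT statistics names."""
    arrivals = offered_rate // TICKS_PER_SEC   # requests arriving per tick
    pace = accept_rate // TICKS_PER_SEC        # requests forwarded per tick
    max_age = wait_time * TICKS_PER_SEC        # longest allowed stay, in ticks
    queue = deque()                            # enqueue tick of each waiting request
    s = {"queued": 0, "dequeued": 0, "dropped_queue_full": 0,
         "discarded_excess_wait": 0}
    for tick in range(seconds * TICKS_PER_SEC):
        for _ in range(arrivals):              # 1. admit or drop new requests
            if len(queue) < queue_size:
                queue.append(tick)
                s["queued"] += 1
            else:
                s["dropped_queue_full"] += 1
        while queue and tick - queue[0] > max_age:   # 2. expire stale requests
            queue.popleft()
            s["discarded_excess_wait"] += 1
        for _ in range(min(pace, len(queue))):       # 3. forward at the paced rate
            queue.popleft()
            s["dequeued"] += 1
    s["still_queued"] = len(queue)
    return s


def aligned():
    # Rate 2000/s, queue 10000, wait 5 s: a full queue drains within the wait time.
    return simulate_pacing(3000, 20, 2000, 10000, 5)


def oversized_queue():
    # Same rate and wait, but queue 20000: the tail waits longer than 5 s.
    return simulate_pacing(3000, 20, 2000, 20000, 5)


if __name__ == "__main__":
    print("aligned  :", aligned())
    print("oversized:", oversized_queue())
```

In this model the aligned settings lose requests only to queue-full drops, while the oversized queue admits every request and later discards those that aged past the wait time.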

Configure overload protection in ePDG

Enable overload protection

Use the procedure to configure IKEv2 SA-INIT throttling.


Note

It is recommended to enable or disable this functionality, or to modify its parameters, only during a maintenance window.

Procedure


Step 1

To enable ePDG overload protection, first enter the Global configuration mode using the Exec > Global Configuration command.

Entering the above command sequence results in the following prompt:

[local]host_name(config)#

Step 2

Configure the ePDG new connections per second using the network-overload-protection epdg-new-connections-per-second val command, where val is the maximum number of new IKEv2 SA-INIT requests per second on the SWu interface. The value must be an integer between 50 and 6000. Specify the drop action using action drop.

Note

The maximum new connection accept rate/CEPS should be configured based on the agreed system allowed rate and the number of active SF cards. The value must be configured in increments of ten.

Example

configure 
   network-overload-protection epdg-new-connections-per-second 50 action drop 
exit 

By default, the wait time is 5 seconds, and the queue size is calculated based on the configured new connections accept rate and the default wait time.

Default Wait Time: 5 Seconds

Default Queue Size: epdg-new-connections-per-second * Default Wait Time (5 Seconds).

Step 3

(Optional) Configure the queue size and wait time. Set these parameters so that all packets in the queue can be processed within the maximum permitted wait time:

  • network-overload-protection epdg-new-connections-per-second val action drop queue-size val : Indicates the maximum number of packets that can be queued. Enter an integer value between 250 and 30000.

  • network-overload-protection epdg-new-connections-per-second val action drop queue-size val wait-time val : Indicates the maximum waiting time of the packets in the queue. Enter an integer value between 1 and 15.

Example

configure 
   network-overload-protection epdg-new-connections-per-second 2000 action drop queue-size 10000  wait-time 5 
exit 

Note

The queue size and wait time should be configured in alignment with the new connection accept rate. With a new connection accept rate of 2000, a maximum wait duration of 5 seconds, and a queue size of 10,000, all packets in the queue can be successfully processed within 5 seconds.
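
A small Python check for the command configured in Steps 2 and 3, added here as an example (it is not a Cisco tool): it parses the command forms shown on this page, applies the documented ranges and defaults, and flags a queue that cannot drain within the wait time. Treating a queue size greater than accept rate × wait time as misaligned is an assumption drawn from the note above, and the function name is hypothetical.

```python
import re

# Command forms as shown on this page; wait-time only follows queue-size.
CMD = re.compile(
    r"^\s*network-overload-protection\s+epdg-new-connections-per-second\s+(\d+)"
    r"\s+action\s+drop(?:\s+queue-size\s+(\d+)(?:\s+wait-time\s+(\d+))?)?\s*$"
)
DEFAULT_WAIT = 5  # seconds (documented default)


def lint_throttle_command(line):
    """Return (effective_settings, findings) for one configuration line."""
    m = CMD.match(line)
    if not m:
        return None, ["not a recognised throttling command"]
    rate = int(m.group(1))
    wait = int(m.group(3)) if m.group(3) else DEFAULT_WAIT
    # Documented default queue size: accept rate * default wait time.
    queue = int(m.group(2)) if m.group(2) else rate * DEFAULT_WAIT
    findings = []
    if not 50 <= rate <= 6000:
        findings.append(f"accept rate {rate} outside 50-6000")
    if rate % 10:
        findings.append(f"accept rate {rate} is not an increment of ten")
    if not 250 <= queue <= 30000:
        findings.append(f"queue size {queue} outside 250-30000")
    if not 1 <= wait <= 15:
        findings.append(f"wait time {wait} outside 1-15")
    # Assumption: a full queue must drain at the accept rate within wait time.
    if rate and queue > rate * wait:
        findings.append(
            f"full queue needs {queue / rate:.1f}s to drain, wait time is {wait}s")
    return {"rate": rate, "queue_size": queue, "wait_time": wait}, findings


if __name__ == "__main__":
    prefix = "network-overload-protection epdg-new-connections-per-second "
    for tail in ("2000 action drop queue-size 10000 wait-time 5",
                 "50 action drop",
                 "2005 action drop queue-size 30000 wait-time 5"):
        print(tail, "->", lint_throttle_command(prefix + tail))
```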

Disable overload protection

Use the procedure to disable IKEv2 SA-INIT throttling.

  1. Enter the Global configuration mode using the Exec > Global Configuration command.

    Entering the above command sequence results in the following prompt:

    [local]host_name(config)#

  2. Disable the throttling functionality using the default network-overload-protection epdg-new-connections-per-second command.

    Example

    
    configure 
       default network-overload-protection epdg-new-connections-per-second 
    exit 

Monitoring and Troubleshooting

show network-overload-protection epdg configuration

Displays the configured IKEv2 SA-INIT request accept rate, throttling queue size, and wait time.

EPDG Network Overload Protection:
  IKEv2 SA-INIT request accept rate       : 3500
  Throttling queue size                   : 17500
  Wait time of packet in throttling queue : 5 seconds

show demux-mgr statistics ipsecdemux all

Displays statistics related to the Demux Manager, including pacing queue length, delay, and SA-INIT request counts.

EPDG Network Overload Protection: ENABLED
  ---------------------------------
    Current pacing queue length      : 0
    Current pacing queue delay       : 0.0
    Pacing queue max length reached  : 0
    Pacing queue max delay           : 0.0

    SA-INIT Requests:
    -----------------
    Queued in the pacing queue                             :   0
    Successfully dequeued from the pacing queue            :   0
    Dropped due to pacing queue full                       :   0
    Discarded due to excess wait time in the pacing queue  :   0
    Failed to enqueue in ipsecmgr queue                    :   0
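
As an added monitoring example (not part of the product's tooling), this Python snippet parses the statistics block above and summarises how many SA-INIT requests were lost and through which counter. The counter values in the sample are constructed, the sample omits the delay lines for brevity, and treating offered load as queued plus dropped-on-full is an assumption.

```python
import re

# Constructed sample in the layout shown above; the values are not real.
SAMPLE = """\
EPDG Network Overload Protection: ENABLED
    Current pacing queue length      : 9800
    Pacing queue max length reached  : 10000
    SA-INIT Requests:
    -----------------
    Queued in the pacing queue                             :   49800
    Successfully dequeued from the pacing queue            :   40000
    Dropped due to pacing queue full                       :   10200
    Discarded due to excess wait time in the pacing queue  :   0
    Failed to enqueue in ipsecmgr queue                    :   0
"""
LOSS_COUNTERS = (
    "Dropped due to pacing queue full",
    "Discarded due to excess wait time in the pacing queue",
    "Failed to enqueue in ipsecmgr queue",
)
FIELD = re.compile(r"^\s*(.+?)\s*:\s*(\S+)\s*$")


def parse_stats(text):
    """Map each 'label : value' line to its value (int where numeric)."""
    stats = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            label, value = m.groups()
            stats[label] = int(value) if value.isdigit() else value
    return stats


def summarise(stats):
    """Summarise SA-INIT loss; offered = queued + dropped-on-full (assumption)."""
    lost = {name: stats.get(name, 0) for name in LOSS_COUNTERS}
    offered = stats.get("Queued in the pacing queue", 0) + lost[LOSS_COUNTERS[0]]
    total = sum(lost.values())
    return {
        "enabled": stats.get("EPDG Network Overload Protection") == "ENABLED",
        "offered": offered, "lost": total,
        "loss_pct": round(100 * total / offered, 1) if offered else 0.0,
        "nonzero": [name for name, count in lost.items() if count],
    }


if __name__ == "__main__":
    print(summarise(parse_stats(SAMPLE)))
```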