68-3
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 68 Configuring IKE, Load Balancing, and NAC
Setting IKE Parameters
Disabling Inbound Aggressive Mode Connections
Phase 1 IKE negotiations can use either Main mode or Aggressive mode. Both provide the same services,
but Aggressive mode requires only two exchanges between the peers, rather than three. Aggressive mode
is faster, but does not provide identity protection for the communicating parties. It is therefore necessary
that they exchange identification information prior to establishing a secure SA in which to encrypt
information. This feature is disabled by default.
Alerting Peers Before Disconnecting
Client or LAN-to-LAN sessions may be dropped for several reasons, such as: an ASA shutdown or reboot,
session idle timeout, maximum connection time exceeded, or administrator cut-off.
The ASA can notify qualified peers (in LAN-to-LAN configurations), VPN Clients and VPN 3002
hardware clients of sessions that are about to be disconnected, and it conveys to them the reason. The
peer or client receiving the alert decodes the reason and displays it in the event log or in a pop-up pane.
This feature is disabled by default.
This pane lets you enable the feature so that the ASA sends these alerts, and conveys the reason for the
disconnect.
Qualified clients and peers include the following:
Security appliances with Alerts enabled.
VPN clients running 4.0 or later software (no configuration required).
VPN 3002 hardware clients running 4.0 or later software, and with Alerts enabled.
VPN 3000 concentrators running 4.0 or later software, with Alerts enabled.
Waiting for Active Sessions to Terminate Prior to Reboot
You can schedule an ASA reboot to occur only when all active sessions have terminated voluntarily. This
feature is disabled by default.
Preventing DoS Attacks by Limiting IKEv2 Open SAs
You can prevent denial-of-service (DoS) attacks for IPsec IKEv2 connections by always cookie
challenging incoming SAs, or by limiting the number of open SAs and cookie challenging any additional
connections. By default, the ASA does not limit the number of open SAs and never cookie
challenges SAs. You can also limit the number of SAs allowed, which stops further connections from
negotiating; this protects against memory and/or CPU attacks that the cookie-challenge feature may be
unable to thwart, and protects the current connections.
With a DoS attack, an attacker initiates the attack when the peer device sends an SA initiate packet and
the ASA sends its response, but the peer device does not respond further. If the peer device does this
continually, all the allowed SA requests on the ASA can be used up until it stops responding.
Enabling a threshold percentage for cookie challenging limits the number of open SA negotiations. For
example, with the default setting of 50%, when 50% of the allowed SAs are in-negotiation (open), the
ASA cookie challenges any additional SA initiate packets that arrive. For the Cisco ASA 5580 with
10000 allowed IKEv2 SAs, after 5000 SAs become open, any more incoming SAs are
cookie-challenged.
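The threshold and limit behavior described above, as an added Python model (not Cisco's code): it assumes a constructed guard class with a cookie-challenge percentage and an optional hard cap on SAs in negotiation, and replays constructed traffic in which spoofed sources never answer a cookie challenge while real peers do.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional, Set


@dataclass
class Ikev2SaGuard:
    """Constructed model of the IKEv2 open-SA protection described above:
    a cookie-challenge threshold (percent of allowed SAs) plus an optional
    hard limit on SAs in negotiation. Not the ASA's implementation."""
    max_sas: int                      # allowed IKEv2 SAs for the platform
    challenge_pct: int = 50           # threshold percentage (guide default)
    max_in_negotiation: Optional[int] = None  # optional hard cap on open SAs
    open_sas: Set[str] = field(default_factory=set)  # half-open SAs by peer
    secret: bytes = field(default_factory=lambda: os.urandom(16))

    def cookie(self, peer: str) -> str:
        # Stateless cookie: keyed hash of the peer address; costs no SA state.
        return hmac.new(self.secret, peer.encode(), hashlib.sha256).hexdigest()[:16]

    def sa_init(self, peer: str, cookie: Optional[str] = None) -> str:
        """Classify an incoming IKE_SA_INIT: accepted, challenged or rejected."""
        cap = self.max_in_negotiation if self.max_in_negotiation is not None else self.max_sas
        if len(self.open_sas) >= cap:
            return "rejected"          # limit reached: no further negotiation
        threshold = self.max_sas * self.challenge_pct / 100
        if len(self.open_sas) >= threshold and cookie != self.cookie(peer):
            return "challenged"        # ask the peer to resend with the cookie
        self.open_sas.add(peer)
        return "accepted"

    def complete(self, peer: str) -> None:
        self.open_sas.discard(peer)   # negotiation finished; slot freed


def simulate():
    """Constructed traffic: spoofed sources send IKE_SA_INIT and never reply;
    real peers answer a cookie challenge. Returns (outcome per source, open SAs)."""
    guard = Ikev2SaGuard(max_sas=10, challenge_pct=50, max_in_negotiation=8)
    traffic = [("spoofed", f"203.0.113.{i}") for i in range(6)]
    traffic += [("peer", "198.51.100.1"), ("spoofed", "203.0.113.9"), ("peer", "198.51.100.2")]
    outcomes = {}
    for kind, src in traffic:
        result = guard.sa_init(src)
        if result == "challenged" and kind == "peer":
            result = "challenged+" + guard.sa_init(src, guard.cookie(src))
        outcomes[src] = result
    return outcomes, len(guard.open_sas)
```

Once half of the allowed SAs are open, sources that cannot echo the cookie consume no state, while real peers still complete; the hard cap then refuses negotiation outright.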
Key ID: Uses the string the remote peer uses to look up the preshared key.
Automatic: Determines IKE negotiation by connection type:
IP address for preshared key.
Cert DN for certificate authentication.