IPsec global IKE embryonic limit

When thousands of tunnels are negotiated at the same time, new IKEv2 negotiations can starve other SAs so that they never progress to the established state. The IKE daemon has been enhanced to prioritize established SAs, to offload Diffie-Hellman groups 20 and 21 (384-bit and 521-bit ECP) to the CP9 content processor, and to use better default embryonic limits on mid- and high-end platforms. The IKE embryonic limit is now also configurable from the CLI.

config system ike
    set embryonic-limit <integer>
end

embryonic-limit <integer>

Set the maximum number of IPsec tunnels (IKE SAs) that can be in negotiation at the same time (50 - 20000, default = 1000). Negotiation requests that arrive once this many SAs are in progress are dropped by the IKE daemon rather than queued.

The following examples compare the number of tunnels established with an IKE embryonic limit of 50 and of 10000, in both cases with 500 new connections opened per second. With the lower limit, requests that exceed the 50 in-progress negotiations are dropped, and the drops are visible in the IKE debug output.

To configure an IKE embryonic limit of 50:
config system ike
    set embryonic-limit 50
end
To view the tunnel diagnostics:
# diagnose vpn tunnel stat
dev=1 attached=2087 tunnel=0 proxyid=2087 sa=2087 conc=0 up=2087 fenc=0 fdec=0 fasm=0 crypto_work=0 crypto_work_dropped=0
mr_grps=0 mr_children=0 mr_flood_list=0 mr_fw_list=0
# diagnose debug application ike -1
...
ike 0:a5d766dc52ebb36e/0000000000000000:3672: SA proposal chosen, matched gateway ph1
ike 0: embryonic limit 50 reached, dropping request 10.10.1.1->1.0.0.73:500
ike 0:a5d766dc52ebb36e/0000000000000000:3672: failed to create a connection
To configure an IKE embryonic limit of 10000:
config system ike
    set embryonic-limit 10000
end
To view the tunnel diagnostics:
# diagnose vpn tunnel stat
dev=1 attached=2952 tunnel=0 proxyid=2952 sa=2952 conc=0 up=2952 fenc=0 fdec=0 fasm=0 crypto_work=0 crypto_work_dropped=0
mr_grps=0 mr_children=0 mr_flood_list=0 mr_fw_list=0
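In the two runs above the limit of 50 leaves 2087 tunnels up while the IKE debug shows requests being dropped; with the limit at 10000 the same load yields 2952 tunnels up and no drop messages. As an added example that is not part of the original page or of FortiOS, the following Python script parses those two diagnostic outputs, the key=value counters of `diagnose vpn tunnel stat` and the "embryonic limit N reached, dropping request" lines of `diagnose debug application ike -1`, and reports how many requests were dropped and by which peers, so the limit can be tuned against evidence. The sample outputs are constructed to match the formats shown on this page; the SPIs and addresses in them are made up, and the function names are my own.

```python
import re
from collections import Counter

# Constructed sample, modelled on the "diagnose vpn tunnel stat" output
# on this page (not captured from a real device).
SAMPLE_TUNNEL_STAT = (
    "dev=1 attached=2087 tunnel=0 proxyid=2087 sa=2087 conc=0 up=2087 "
    "fenc=0 fdec=0 fasm=0 crypto_work=0 crypto_work_dropped=0\n"
    "mr_grps=0 mr_children=0 mr_flood_list=0 mr_fw_list=0\n"
)

# Constructed sample of "diagnose debug application ike -1" output, modelled on
# the drop message format on this page; SPIs and peer addresses are made up.
SAMPLE_IKE_DEBUG = """\
ike 0:a5d766dc52ebb36e/0000000000000000:3672: SA proposal chosen, matched gateway ph1
ike 0: embryonic limit 50 reached, dropping request 10.10.1.1->1.0.0.73:500
ike 0:a5d766dc52ebb36e/0000000000000000:3672: failed to create a connection
ike 0: embryonic limit 50 reached, dropping request 10.10.1.2->1.0.0.73:500
ike 0: embryonic limit 50 reached, dropping request 10.10.1.1->1.0.0.73:500
ike 0:b1c2d3e4f5a6b7c8/0000000000000000:3673: SA proposal chosen, matched gateway ph1
"""

# "name=number" counters as printed by diagnose vpn tunnel stat
STAT_RE = re.compile(r"(\w+)=(\d+)")

# The drop message printed by the IKE daemon when the embryonic limit is hit
DROP_RE = re.compile(
    r"embryonic limit (?P<limit>\d+) reached, dropping request "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)->(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)"
)


def parse_tunnel_stat(text):
    """Turn the key=value counters of 'diagnose vpn tunnel stat' into a dict of ints."""
    return {key: int(value) for key, value in STAT_RE.findall(text)}


def parse_embryonic_drops(text):
    """Return (configured limit seen in the log, Counter of dropped source IPs)."""
    limit = None
    drops = Counter()
    for line in text.splitlines():
        match = DROP_RE.search(line)
        if match:
            limit = int(match.group("limit"))
            drops[match.group("src")] += 1
    return limit, drops


def embryonic_limit_report(stat_text, debug_text):
    """Summarise established tunnels against dropped negotiation requests.

    limit_reached is True when at least one drop message was seen, which is
    the signal that embryonic-limit is too low for the offered connection rate.
    """
    stats = parse_tunnel_stat(stat_text)
    limit, drops = parse_embryonic_drops(debug_text)
    total_drops = sum(drops.values())
    return {
        "up": stats.get("up", 0),
        "sa": stats.get("sa", 0),
        "limit": limit,
        "dropped_requests": total_drops,
        "dropping_peers": dict(drops),
        "limit_reached": total_drops > 0,
    }


if __name__ == "__main__":
    report = embryonic_limit_report(SAMPLE_TUNNEL_STAT, SAMPLE_IKE_DEBUG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Feed it the real output of the two diagnose commands captured during a tunnel bring-up; a non-empty `dropping_peers` with the limit still well below the platform maximum is the case to raise `embryonic-limit`, whereas drops concentrated on a single source address are more likely a misbehaving or hostile peer than a limit that is too low.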