The Cookie Activation Threshold is a global VPN session setting that defines the number of simultaneous half-opened IKE SAs above which the Responder starts demanding IKEv2 cookies (the default is 500). When the number of half-opened IKE SAs exceeds the Cookie Activation Threshold, the Responder requests a cookie instead of processing a new IKE_SA_INIT, and the Initiator must resend the IKE_SA_INIT containing that cookie for the connection to be validated. If the cookie validation succeeds, the SA negotiation proceeds. A value of 0 means that cookie validation is always on.
The Responder does not keep any state for the Initiator, nor does it perform a Diffie-Hellman key exchange, until the Initiator returns the cookie. IKEv2 cookie validation therefore mitigates a DoS attack that tries to exhaust the Responder by leaving numerous connections half open.
The Cookie Activation Threshold must be lower than the Maximum Half Opened SA setting. If you change the Cookie Activation Threshold for IKEv2 to a very high number (for example, 65534) while the Maximum Half Opened SA setting remains at its default value of 65535, cookie validation is essentially disabled: the half-open SA limit is reached, and new requests are dropped, before the Responder ever starts demanding cookies.