Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

Posible IKE starvation attack

Dear Friends,

Possibly, i am facing a IKE starvation attack on my ASA 5550, which has 3000 tunnels and when the issue occurs it touches 5k+ due to duplicate SA resulting in high cpu. Pl help analyse.

WI-GSMC-FORD-FW001# show processes


C         S

P         S




Stack   Process







7368/16384   IKE Daemon

WI-GSMC-FORD-FW001# show proc cpu-usage non-zero

PC         Thread       5Sec     1Min     5Min   Process

08064cc5   1c5a42f0    56.5%    49.5%    25.4%   IKE Daemon

WI-GSMC-FORD-FW001# show processes cpu-usage sorted

PC         Thread       5Sec     1Min     5Min   Process

08064cc5   1c5a42f0    56.5%    49.5%    25.4%   IKE Daemon

WI-GSMC-FORD-FW001# show processes memory










IKE   Daemon






WI-GSMC-FORD-FW001# show processes internals


Giveups    Ma

x_Runtime    Pr









IKE   Daemon

WI-GSMC-FORD-FW001# show conn count

6713 in use, 38327 most usedb

WI-GSMC-FORD-FW001# show crypto isakmp sa

Active SA: 5763

Rekey SA: 7 (A tunnel will report 1 Active and 1 Rekey SA during rekey)

Total IKE SA: 5770

Show traffic

Maxi is on Outside interface input traffic = 40 Kbytes

WI-GSMC-FORD-FW001# show xlate count

54 in use, 55 most used

WI-GSMC-FORD-FW001# sho asp drop

Frame drop:

  Unsupported IP version (unsupported-ip-version)                              4

  No valid adjacency (no-adjacency)                                           41

  Reverse-path verify failed (rpf-violated)                              7395306

  Flow is denied by configured rule (acl-drop)                           1833326

  Invalid SPI (np-sp-invalid-spi)                                         136322

  First TCP packet not SYN (tcp-not-syn)                                    5735

  Bad TCP flags (bad-tcp-flags)                                    

  TCP data send after FIN (tcp-data-past-fin)                                  1

  TCP failed 3 way handshake (tcp-3whs-failed)                              7605

  TCP RST/FIN out of order (tcp-rstfin-ooo)                                 4756

  TCP invalid ACK (tcp-invalid-ack)                                           14

  TCP replicated flow pak drop (tcp-fo-drop)                                 121

  TCP RST/SYN in window (tcp-rst-syn-in-win)                                  29

  IPSEC tunnel is down (ipsec-tun-down)                                     2054

  ICMP Error Inspect no existing

  DNS Inspect id not matched (inspect-dns-id-not-matched)                     66

  Interface is down (interface-down)                                         445

  Dropped pending packets in a closed socket (np-socket-closed)               86

Last clearing: Never

Flow drop:

  NAT failed (nat-failed)                                                     96

  Need to start IKE negotiation (need-ike)                               3345034

  Inspection failure (inspect-fail)                                           80

Last clearing: Never

WI-GSMC-FORD-FW001# show version

Cisco Adaptive Security Appliance Software Version 8.2(3)
Device Manager Version 6.3(3)

Compiled on Fri 06-Aug-10 07:51 by builders
System image file is "disk0:/asa823-k8.bin"
Config file at boot was "startup-config"

WI-GSMC-FORD-FW001 up 15 days 22 hours
failover cluster up 29 days 22 hours

Hardware:   ASA5550, 4096 MB RAM, CPU Pentium 4 3000 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.04

0: Ext: GigabitEthernet0/0  : address is 0026.9986.988e, irq 9
1: Ext: GigabitEthernet0/1  : address is 0026.9986.988f, irq 9
2: Ext: GigabitEthernet0/2  : address is 0026.9986.9890, irq 9
3: Ext: GigabitEthernet0/3  : address is 0026.9986.9891, irq 9
4: Ext: Management0/0       : address is 0026.9986.988d, irq 11
5: Int: Internal-Data0/0    : address is 0000.0001.0002, irq 11
6: Int: Not used            : irq 5
7: Ext: GigabitEthernet1/0  : address is 0026.9926.00c4, irq 255
8: Ext: GigabitEthernet1/1  : address is 0026.9926.00c5, irq 255
9: Ext: GigabitEthernet1/2  : address is 0026.9926.00c6, irq 255
10: Ext: GigabitEthernet1/3  : address is 0026.9926.00c7, irq 255
11: Int: Internal-Data1/0    : address is 0000.0003.0002, irq 255

Licensed features for this platform:
Maximum Physical Interfaces    : Unlimited
Maximum VLANs                  : 250      
Inside Hosts                   : Unlimited
Failover                       : Active/Active
VPN-DES                        : Enabled  
VPN-3DES-AES                   : Enabled  
Security Contexts              : 2        
GTP/GPRS                       : Disabled 
SSL VPN Peers                  : 2        
Total VPN Peers                : 5000     
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled 
AnyConnect for Cisco VPN Phone : Disabled 
AnyConnect Essentials          : Disabled 
Advanced Endpoint Assessment   : Disabled 
UC Phone Proxy Sessions        : 2        
Total UC Proxy Sessions        : 2        
Botnet Traffic Filter          : Disabled 

This platform has an ASA 5550 VPN Premium license.

Suspecting, If the box is with 5000 peer license then it should crack when it reaches  70%  ( ie 3500 tunnels )of the listed value

Best Regards,


  • VPN

Re: Posible IKE starvation attack

WI-GSMC-FORD-FW001# show conn count

6713 in use, 38327 most usedb

Go ahead and restric the embro conns.  I do not think that is reponsable for the high cpu since you have a 5550 but it might help you.

the following command will help you to determine who has so many half onened connections if there is someone.

show local-host | include host|count/limit      

There are

Active SA: 5763

Are you restricting your peers or you are using in your pre-share key?

I hope it helps.

Cisco Employee

Re: Posible IKE starvation attack

firstly high cpu can be expected if you go anywhere near 5000 mark, sometimes depending on how much other traffic you have you can expect the performance to be affected even before the 5000 mark is reached

now if you feel you should have 3000 peers lets see why you have 5000 + phase 1 SA's, lets find out if we have duplicate SA's or are they some remote access users trying to make connection

try this

show cry isa sa | in

once you have an ip which has duplicate sa lets have more details about it

show vpn-sessiondb detail remote filter p-ipaddress or show vpn-sessiondb detail l2l filter

this will tell us about the session

also just a small query to understand your network, were any changes made to your network before you started seeing this, it can be anything like acquiring a new company or disbanding a company etc

just to understand why so much fluctuation in vpn sessions

This widget could not be displayed.