ASA peer redundancy issue - more than 10 peers



Upon taking the config from a VPN 515E with 6.3(5) to an ASA 5510 with 7.2(3), I am presented with a very perplexing problem. I have 18 peers tied to the same crypto map for redundancy. On the Pix, it isn't a problem; however, on the ASA, upon loading the 11th peer, I receive an error stating that 10 is the max number of peers that I can have tied to a crypto map. Just to clarify, I have issues typing:

crypto map mymap 200 set peer

more than 10 times. I don't have any problems with peers 1-10, just any peer after the 10th. Am I doing something incorrect? Is there a work around? I have looked through A LOT of Cisco documentation both on and off the web, and have not come up with anything remotely regarding this limitation.

Thanks so much in advance!

ajagadee Tue, 02/19/2008 - 22:03

I don't think that you are doing anything incorrect. It looks like you are running into the limitation. I tried more than 11 peers on a Pix running 7.2(2) and see the same behavior that you are seeing.

Pix(config)# crypto map mymap 10 set peer

ERROR: Unable to set peer. Maximum number of peers (10) exceeded.

Looking at the documentation, I do not see an explicit comment on the maximum number of peers. But, if you really look in detail at the example, I see only peers 1 - 10 listed.

To identify the peer(s) for the IPSec connection, enter the crypto map set peer command.

The syntax is crypto map map-name seq-num set peer {ip_address1 | hostname1}[... ip_address10 | hostname10]

Please refer to the URL below for details.

I checked 8.0 code and looks like the max number of peers is 10 in 8.0 as well.

So, at this time, I think your only option is to go with 10 peers.



** Please rate all helpful posts **
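When migrating a PIX 6.x config to an ASA, it helps to know up front which crypto map entries carry more than 10 peers before the CLI rejects them. The following checker is an added example written for this thread, not code from the thread or from Cisco; the config fragment it parses is constructed, and the 10-peer limit is the one reported above for 7.2 and 8.0 code.

```python
import re
from collections import defaultdict

# Constructed PIX-style config fragment (not from the thread). Entry 200 lists
# 12 peers across repeated 'set peer' lines, entry 300 lists 3. Addresses are
# RFC 5737 documentation ranges.
SAMPLE_CONFIG = """\
crypto map mymap 200 match address 101
crypto map mymap 200 set peer 203.0.113.1 203.0.113.2 203.0.113.3 203.0.113.4
crypto map mymap 200 set peer 203.0.113.5 203.0.113.6 203.0.113.7 203.0.113.8
crypto map mymap 200 set peer 203.0.113.9 203.0.113.10 203.0.113.11 203.0.113.12
crypto map mymap 200 set transform-set myset
crypto map mymap 300 match address 102
crypto map mymap 300 set peer 198.51.100.1 198.51.100.2 198.51.100.3
crypto map mymap interface outside
"""

ASA_MAX_PEERS = 10  # limit reported in the thread for 7.2 and 8.0 code

# crypto map <name> <seq> set peer <peer> [<peer> ...]
SET_PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (.+)$")


def count_peers(config_text):
    """Return {(map_name, seq): [peer, ...]} in the order peers appear.

    Repeated 'set peer' lines for the same entry are accumulated, which is
    how a PIX 6.x config expresses a long redundancy peer list.
    """
    peers = defaultdict(list)
    for line in config_text.splitlines():
        m = SET_PEER_RE.match(line.strip())
        if m:
            name, seq, peer_list = m.groups()
            peers[(name, int(seq))].extend(peer_list.split())
    return dict(peers)


def entries_over_limit(config_text, limit=ASA_MAX_PEERS):
    """Return [(map_name, seq, peer_count)] for entries the ASA would reject."""
    return [(name, seq, len(p))
            for (name, seq), p in count_peers(config_text).items()
            if len(p) > limit]


if __name__ == "__main__":
    for name, seq, n in entries_over_limit(SAMPLE_CONFIG):
        print(f"crypto map {name} {seq}: {n} peers, exceeds ASA limit of {ASA_MAX_PEERS}")
```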

What kinda work around do you think that I can come up with? We need the ASA because of the hub-spoke that we are trying to implement for our client.

I thought about using the same crypto with a different seq number, and changing the ACL#. However, the problem that I think I would have is if I use the same information in each ACL for example:

access-list 101 permit ip

access-list 102 permit ip

and split the peers between the two maps, won't the ASA get confused? There has to be some type of work around for this.

Any help would be SERIOUSLY appreciated. The client that I have to implement this for is getting pretty irritated, and I'm almost at my wits' end! I don't have that much hair left; can you make sure I don't pull it all out! :)
