ASA 55xx 'Max IPSec Sessions' Definition

Answered Question
Aug 22nd, 2008

Good morning,

I have been tasked with the project of upgrading our current remote-site VPN tunnelling.

Rather than the collection of different set-ups and protocols, I'd like to standardise it so that every site has a Site-to-Site IPSec Tunnel.

I just need to clarify the definition of "Maximum site-to-site and remote access VPN sessions" to help me decide which ASA 5500 model I require.

(http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html)

We currently require connections for 210 site-to-site connections, each location has a static WAN IP & one subnet.

Thus I assume the 5510, with its 250 "maximum session limit" would be correct for our requirements?

However, will the "Maximum virtual interfaces (VLANs)", which is only 50, limit me - does a site to site VPN tunnel class as a virtual interface?

Or is there any other limiting factor that I need to take into account?

Many Thanks for your time,

Chris Herridge

Correct Answer
Richard Burts Fri, 08/22/2008 - 04:10

Chris

A site to site tunnel does not class as a virtual interface. So you should not have a problem with this aspect.

I would suggest that you get (or upgrade to) the Security Plus license - which increases several things including the number of virtual interfaces.

With 210 remote sites I wonder what amount of traffic you are processing and whether the throughput of the 5510 might be an issue. If you look at the 5520 you get considerably more memory and a better/faster processor to provide more capacity.

HTH

Rick

cherridge Fri, 08/22/2008 - 05:40

Hi Rick,

Thanks very much for your reply. The sites route the bulk of their traffic directly to the internet. It's only a collection of SOAP services sending really rather small packets of data that will be using the VPN tunnels.

So I am not too concerned about the amount of traffic, just that it can cope with that many, but if as you say the maximum number of virtual interfaces doesn't limit the actual number of site to site VPN tunnels then we'll be fine.

Thanks again for your response.

Chris

Richard Burts Fri, 08/22/2008 - 08:09

Chris

Yes I think that you will be fine with the 5510. I would still suggest that getting the Security Plus license is worth it. I am glad that my response was helpful in resolving your question. Thank you for using the rating system to indicate that your question was resolved (and thanks for the rating). It makes the forum more useful when people can read a question and can know that a response did resolve the question.

The forum is an excellent place to learn about Cisco networking. I encourage you to continue your participation in the forum.

HTH

Rick
