7204VXR NPE-G2 - 100 off isakmp sa limit?

Answered Question
Nov 17th, 2008

Hi there


I have a 7204VXR NPE-G2 at the centre of a large VPN implementation (500 remote sites). We configured up 85 sites fine, but when we added the next 20 we experienced problems with random sites no longer being able to create the VPN tunnel. With 120 sites configured on the core, we have discovered that once we have exactly 100 ISAKMP SAs at QM_Idle, no further VPNs can be established.


Anybody seen this before - there seems to be no details on the NPE-G2 router vpn capacity, the VAM2+ gives up to 5000 ike sa's but I cannot believe I need this to go beyond 100 ike sa's.



The SA-VAM2+ provides encryption services for any interface in the Cisco 7301 router and the Cisco 7200VXR series routers with an NPE-225, NPE-400, NPE-G1 or NPE-G2 processor. Check the configuration you have done on the Cisco 7200VXR, as an error in configuration may cause this issue.


smalpas Fri, 11/21/2008 - 13:44

Thanks for the post - the router was certainly limited to 100 connections - the VSA card arrived and was installed yesterday and now we have over 250 active vpn's - no IOS change, and no config changes. I can only guess that Cisco enforce this limit within the unit to prevent it being overwhelmed. It was running at 10% cpu (now less than 2% with the VSA installed). Pity it's not in any of the documentation that they do this.....

Correct Answer
Craig Lorentzen Fri, 08/13/2010 - 14:18

There is a software encryption limit for ISAKMP SAs in IOS. This limit is generally 100 if one does not have a hardware encryption card.


You can confirm the limits on your device by using the "show crypto eli all" command.


Regards,
Craig

smalpas Sat, 08/14/2010 - 01:00

Thanks Craig


This was sorted by the install of the VAM - (almost 2 years ago) - but thanks for your post, I'll keep a note of this command for next time. - marked the thread as answered.


Kind regards



SteveM
