7204VXR NPE-G2 - 100 off isakmp sa limit?

Answered Question
Nov 17th, 2008

Hi there

I have a 7204VXR NPE-G2 at the centre of a large vpn implementation (500 remote sites). We configured up 85 sites fine, but when we added the next 20 experienced problems with random sites being no longer able to create the VPN tunnel. With 120 sites configured on the core we have discovered that once we have exactly 100 isakmp SA's at QM_Idle no further vpn's can be established.

Anybody seen this before - there seems to be no details on the NPE-G2 router vpn capacity, the VAM2+ gives up to 5000 ike sa's but I cannot believe I need this to go beyond 100 ike sa's.

I have this problem too.
0 votes
Correct Answer by Craig Lorentzen about 6 years 5 months ago

THere is a software encryption limit for ISAKMP SAs in IOS.  This limit is generally

100 if one does not have a hardware encryption card.

You can confirm the limits on your device by using the "show crypto eli all" command.

Regards,
Craig

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
smalpas Fri, 11/21/2008 - 13:44

Thanks for the post - the router was certainly limited to 100 connections - the VSA card arrived and was installed yesterday and now we have over 250 active vpn's - no IOS change, and no config changes. I can only guess that Cisco enforce this limit within the unit to prevent it being overwhelmed. It was running at 10% cpu (now less than 2% with the VSA installed). Pity it's not in any of the documentation that they do this.....

Correct Answer
Craig Lorentzen Fri, 08/13/2010 - 14:18

THere is a software encryption limit for ISAKMP SAs in IOS.  This limit is generally

100 if one does not have a hardware encryption card.

You can confirm the limits on your device by using the "show crypto eli all" command.

Regards,
Craig

smalpas Sat, 08/14/2010 - 01:00

Thanks Craig

This was sorted by the install of the VAM - (almost 2 years ago) - but thanks for your post, I'll keep a note of this command for next time. - marked the thread as answered.

Kind regards


SteveM

Actions

This Discussion