I have a 7204VXR NPE-G2 at the centre of a large vpn implementation (500 remote sites). We configured up 85 sites fine, but when we added the next 20 experienced problems with random sites being no longer able to create the VPN tunnel. With 120 sites configured on the core we have discovered that once we have exactly 100 isakmp SA's at QM_Idle no further vpn's can be established.
Anybody seen this before - there seems to be no details on the NPE-G2 router vpn capacity, the VAM2+ gives up to 5000 ike sa's but I cannot believe I need this to go beyond 100 ike sa's.
THere is a software encryption limit for ISAKMP SAs in IOS. This limit is generally
100 if one does not have a hardware encryption card.
You can confirm the limits on your device by using the "show crypto eli all" command.