
opinions please on 8.x code on ASA with a lot of IPSEC tunnels

mjsully
Level 1

Anyone have any experiences or opinions on running 8.x code on an ASA firewall pair that will have about 80 IPSEC tunnels on it? We have to migrate from our old 3000 series concentrator. The allure of the 8.x code is the ability to debug a single tunnel. It's a big feature to have but we don't want to move to it if there are some downfalls we don't know about. So if anyone has an opinion, please share. Last thing we want is to move all these tunnels and have to move back because of some weird bug.

2 Replies

eddie.mitchell
Level 3

Do you have any idea on the throughput requirements for the majority of the tunnels? What about security requirements for tunnel encryption? Is AES a requirement for a large proportion of the tunnels?

On paper, it shouldn't be an issue, but I don't have any direct experience with that many IPSec tunnels terminating on a single ASA cluster.

Thanks for the reply.

Currently, none of the tunnels will have AES encryption. 90% have 3des/md5, the other 10% have 3des/sha.

I don't have an idea of the throughput. The current tunnels pass through a 3030. Unfortunately, these ASAs are 5510s, but according to Cisco documentation, can handle that many VPNs.
