VPN Tunnel

Unanswered Question
Jul 22nd, 2011
We terminated about 25 site-to-site VPN tunnels on the Cisco ASA 5540 (2 GB RAM). It appears that the memory utilization gets higher when adding tunnels. We are planning to remove those 25 VPN tunnels from the 5540, and soon we will add an additional 40 VPN tunnels to it. So it will be a total of around 65 tunnels, and maybe a couple of tunnels added per year for future growth, but only about 25 VPN tunnels are in use at any time; the others are for backup purposes only, standby only. We are looking for a new network device (router or ASA) to accommodate these needs. Can anyone recommend which network device is better for handling VPN tunnels in this infrastructure? Please provide as many details as possible. Your help is greatly appreciated.

Richard Burts Sat, 07/23/2011 - 14:26
I have a customer who is running over 400 site to site VPN tunnels using an ASR1002 and it is working very well for them. They feel that the router platform scales well for this and that the ability to run dynamic routing protocols over the tunnel is a considerable advantage.

Sent from Cisco Technical Support iPhone App

ROBERTO TACCON Sat, 07/23/2011 - 16:28

As indicated by Andrew Prince

- Have you checked the VPN encryption configured on the ASA against the IPsec algorithms supported by the ASA crypto hardware accelerator?
- How many IPsec SAs are you using (are there any remote VPN tunnels that inject IPsec SAs not for a subnet but for a single private host, as a misconfigured Checkpoint can do)?
- Which bandwidth are you using for VPN?

Joe Lee Mon, 07/25/2011 - 07:07

Thank you for replying.

The main reason for the high memory utilization is that we have too many ACLs configured per host instead of per subnet when setting up each VPN, for security reasons. Bandwidth is not the issue at this time. We don't have many IPsec SAs, about 25. Not sure how many ACLs the ASR 1002 router can handle?

Best Regards,


Latchum Naidu Mon, 07/25/2011 - 23:41

Hi Joe,

The ASR family can handle up to 16000 access control lists.

Here I would suggest that you fine-tune your router config and customise your ACLs so that you reduce the burden on the router, which will result in good performance.

See the link below for complete information about the ASR 1000 family.


Please rate the helpful posts.
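One way to measure the per-host ACE burden Joe describes, and how much of it the ACL tuning suggested above could recover without widening the interesting traffic, as an added example that is not from this thread: the ASA crypto ACL lines below are constructed, and the parser only handles `permit ip` ACEs with `host`, `any` or address/mask forms.

```python
import re
import ipaddress
from collections import defaultdict

# Constructed sample of ASA crypto ACLs (not taken from the thread).
SAMPLE_CONFIG = """\
access-list VPN_SiteA extended permit ip host 10.1.1.8 host 192.168.5.20
access-list VPN_SiteA extended permit ip host 10.1.1.9 host 192.168.5.20
access-list VPN_SiteA extended permit ip host 10.1.1.10 host 192.168.5.20
access-list VPN_SiteA extended permit ip host 10.1.1.11 host 192.168.5.20
access-list VPN_SiteA extended permit ip host 10.1.1.50 host 192.168.5.20
access-list VPN_SiteB extended permit ip host 10.1.2.8 host 172.16.0.9
access-list VPN_SiteB extended permit ip host 10.1.2.9 host 172.16.0.9
access-list VPN_SiteB extended permit ip 10.1.3.0 255.255.255.0 host 172.16.0.9
"""

ACE_RE = re.compile(r"^access-list (\S+) extended permit ip (.+)$")


def _parse_addr(tokens):
    """Consume one ASA address spec: 'any', 'host A', or 'A MASK'."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    # ipaddress accepts dotted netmasks, e.g. 10.1.3.0/255.255.255.0
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]


def parse_crypto_acls(config):
    """Return {acl_name: [(src_network, dst_network), ...]} for 'permit ip' ACEs."""
    acls = defaultdict(list)
    for line in config.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue
        src, rest = _parse_addr(m.group(2).split())
        dst, _ = _parse_addr(rest)
        acls[m.group(1)].append((src, dst))
    return dict(acls)


def aggregate_exact(aces):
    """Merge sources sharing a destination into the fewest exact prefixes.
    collapse_addresses only joins adjacent or contained blocks, so the set of
    addresses the crypto ACL matches (the interesting traffic) is unchanged."""
    by_dst = defaultdict(list)
    for src, dst in aces:
        by_dst[dst].append(src)
    return [(src, dst) for dst, srcs in by_dst.items()
            for src in ipaddress.collapse_addresses(srcs)]


def report(config):
    """Per ACL: (ACE count as configured, ACE count after exact aggregation)."""
    return {name: (len(aces), len(aggregate_exact(aces)))
            for name, aces in parse_crypto_acls(config).items()}
```

Run it against `show running-config access-list` output to see which crypto ACLs carry host entries that are really contiguous blocks, which is where ACE count (and the memory it costs on the ASA) can be cut without changing what the tunnel protects.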