VPN Tunnel

Unanswered Question
Jul 22nd, 2011

Hello,

We terminated about 25 site-to-site VPN tunnels on the Cisco ASA 5540 (2 GB RAM). It appears that the memory utilization is getting higher when adding the tunnels. We are planning to remove those 25 VPN tunnels from the 5540, and soon we will add an additional 40 VPN tunnels on it. So it will be a total of around 65 tunnels, and maybe we will add a couple of tunnels per year for future growth, but only about 25 VPN tunnels are in use at all times; the others are just for backup purposes, standby only. We are looking for a new network device (router or ASA) to accommodate the needs. Can anyone recommend which network device is better to handle VPN tunnels for this infrastructure? Please provide as many details as possible. Your help is greatly appreciated.

Joe

andrew.prince@m... Sat, 07/23/2011 - 06:39

Joe,

I have a 5540 with more than 30 l2l tunnels and 200+ rvpn and the device has no issues. I suggest you check the encryption level you are using.

Sent from Cisco Technical Support iPad App

Richard Burts Sat, 07/23/2011 - 14:26

Joe

I have a customer who is running over 400 site to site VPN tunnels using an ASR1002 and it is working very well for them. They feel that the router platform scales well for this and that the ability to run dynamic routing protocols over the tunnel is a considerable advantage.

HTH

Rick

Sent from Cisco Technical Support iPhone App

ROBERTO TACCON Sat, 07/23/2011 - 16:28

As indicated by Andrew Prince

- have you checked the vpn encryption configured on the asa vs the supported ipsec algorithms on the asa crypto hardware accelerator?
- how many ipsec sa are you using (are there any remote vpn tunnels that inject ipsec sa not for a subnet but for a single private host, like a misconfigured checkpoint can do)?
- which bandwidth are you using for vpn?

ineedciscohelp Mon, 07/25/2011 - 07:07

Thank you for replying.

The main reason that causes the high memory utilization is that we have too many ACLs configured per host instead of per subnet when setting up each VPN, due to the security issue. Bandwidth is not the issue at this time. We don't have many IPSec SAs, it is about 25. Not sure how many ACLs the router ASR 1002 can handle?

Best Regards,

Joe

naiduccnp Mon, 07/25/2011 - 23:41

Hi Joe,

The ASR family can handle up to 16000 access control lists.

Here I would suggest you fine-tune your router config and customise your ACLs so that you can reduce the burden on the router, which will result in good performance.

See the below link for complete information about ASR 1000 family.

http://cisco.sharedvue.net/sharedvue/assets/412/smb/serviceproviders_assets/en/servpro-bro-asr1000

Please rate the helpful posts.
Regards,
Naidu.
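Joe's per-host crypto ACL entries and Naidu's suggestion to trim the ACLs both come down to the same exercise: merge host entries into subnet entries without letting the summary match any host pair the original did not. The script below is an added example, not code from this thread or from Cisco; it uses a constructed list of (local host, remote host) entries, collapses them only where the CIDR blocks cover exactly the original hosts, and checks the result for over-coverage before it would be pasted into a crypto map ACL.

```python
import ipaddress
from collections import defaultdict
from itertools import product

# Constructed sample, not from any real device: per-host crypto ACL entries
# (local host, remote host) for one site-to-site tunnel, the pattern Joe describes.
SAMPLE_ACES = [
    ("10.1.0.0/32", "192.168.50.10/32"),
    ("10.1.0.1/32", "192.168.50.10/32"),
    ("10.1.0.2/32", "192.168.50.10/32"),
    ("10.1.0.3/32", "192.168.50.10/32"),
    ("10.1.0.8/32", "192.168.50.10/32"),
    ("10.1.0.0/32", "192.168.50.11/32"),
    ("10.1.0.1/32", "192.168.50.11/32"),
    ("10.1.0.2/32", "192.168.50.11/32"),
    ("10.1.0.3/32", "192.168.50.11/32"),
]

def collapse(prefixes):
    """Fewest CIDR blocks covering exactly the given addresses (never a wider supernet)."""
    return tuple(ipaddress.collapse_addresses(ipaddress.ip_network(p) for p in prefixes))

def summarize_aces(aces):
    """Rewrite (src, dst) ACEs as (src_net, dst_net) pairs matching the same host pairs.

    Each ACE in a crypto map ACL normally negotiates its own IPsec SA pair, so
    fewer ACEs means fewer SAs and less state held on the VPN headend."""
    srcs_by_dst = defaultdict(list)
    for src, dst in aces:
        srcs_by_dst[dst].append(src)
    dsts_by_srcset = defaultdict(list)          # remote hosts sharing one local set
    for dst, srcs in srcs_by_dst.items():
        dsts_by_srcset[collapse(srcs)].append(dst)
    pairs = []
    for srcset, dsts in dsts_by_srcset.items():
        for s, d in product(srcset, collapse(dsts)):
            pairs.append((str(s), str(d)))
    return sorted(pairs)

def host_pairs(aces):
    """Expand (src, dst) prefix pairs into the individual host pairs they match."""
    out = set()
    for src, dst in aces:
        for s, d in product(ipaddress.ip_network(src), ipaddress.ip_network(dst)):
            out.add((str(s), str(d)))
    return out

def extra_pairs(original, summarized):
    """Host pairs the summary would allow that the original did not; must be empty."""
    return host_pairs(summarized) - host_pairs(original)

if __name__ == "__main__":
    summary = summarize_aces(SAMPLE_ACES)
    print(f"{len(SAMPLE_ACES)} ACEs -> {len(summary)} ACEs; over-coverage: {extra_pairs(SAMPLE_ACES, summary)}")
    for pair in summary:
        print(pair)
```

On the sample the nine host entries become three subnet entries with an empty over-coverage set; a non-empty set means the summary widened the tunnel's proxy IDs and should not be applied.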

Posted July 22, 2011 at 7:19 AM