VPN Tunnel

Joe Lee
Level 1

Hello,

We terminated about 25 site-to-site VPN tunnels on the Cisco ASA 5540 (2 GB RAM). It appears that the memory utilization gets higher as tunnels are added. We are planning to remove those 25 VPN tunnels from the 5540, and soon we will add an additional 40 VPN tunnels on it. So it will be a total of around 65 tunnels, plus maybe a couple of tunnels per year for future growth, but only about 25 VPN tunnels are in use at any time; the others are just for backup purposes, standby only. We are looking for a new network device (router or ASA) to accommodate these needs. Can anyone recommend which network device is better at handling VPN tunnels for this infrastructure? Please provide as many details as possible. Your help is greatly appreciated.

Joe

5 Replies

andrew.prince
Level 10

Joe,

I have a 5540 with more than 30 L2L tunnels and 200+ RVPN and the device has no issues. I suggest you check the encryption level you are using.

Joe

I have a customer who is running over 400 site to site VPN tunnels using an ASR1002 and it is working very well for them. They feel that the router platform scales well for this and that the ability to run dynamic routing protocols over the tunnel is a considerable advantage.

HTH

Rick

ROBERTO TACCON
Level 4

As indicated by Andrew Prince:

- have you checked the VPN encryption configured on the ASA against the IPsec algorithms supported by the ASA crypto hardware accelerator?
- how many IPsec SAs are you using (are there any remote VPN tunnels that inject IPsec SAs not for a subnet but for a single private host, as a misconfigured Checkpoint can do)?
- how much bandwidth are you using for VPN?

Thank you for replying.

The main reason causing the high memory utilization is that we have too many ACLs configured per host instead of per subnet when setting up each VPN, due to security concerns. Bandwidth is not the issue at this time. We don't have many IPsec SAs; it is about 25. Not sure how many ACLs the ASR 1002 router can handle?

Best Regards,

Joe

Hi Joe,

The ASR family can handle up to 16000 access control lists.

Here I would suggest you fine-tune your router config and customise your ACLs so that you can reduce the burden on the router, which will result in good performance.

See the below link for complete information about ASR 1000 family.

http://cisco.sharedvue.net/sharedvue/assets/412/smb/serviceproviders_assets/en/servpro-bro-asr1000

Please rate the helpful posts.
Regards,
Naidu.
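The thread turns on Roberto's point about per-host IPsec SAs and Naidu's advice to tune the ACLs: on Cisco IPsec peers each crypto ACL entry is a separate proxy identity and normally negotiates its own IPsec SA pair, so a crypto ACL written one host per line costs one ACE and one SA pair per host. The script below is an added example, not code from the thread or from Cisco. It takes a constructed sample of per-host ASA ACEs (the `CRYPTO_SITEA` name, addresses and remote subnet are all made up), collapses them into the smallest set of prefixes that cover exactly the same hosts (so the protected scope, and therefore the security posture Joe is worried about, does not change), and separately shows how many extra addresses a single lazy supernet would admit, which is the trade-off that makes "just use subnets" risky.

```python
"""Collapse per-host crypto-ACL entries into exact subnets.

Added example, not code from the thread. Assumes ASA 'extended' ACL syntax
and a constructed sample of per-host entries; on Cisco IPsec peers each
crypto ACE is a separate proxy identity and normally negotiates its own
IPsec SA pair, so fewer ACEs means fewer SAs held in memory.
"""
import ipaddress
import re
from typing import List, Tuple

# Constructed sample: eight contiguous hosts (10.1.1.0-7), two more
# (10.1.1.16-17) and one isolated host (10.1.2.5), all protected toward
# the same remote subnet, written as eleven per-host ACEs.
SAMPLE_ACL = "\n".join(
    f"access-list CRYPTO_SITEA extended permit ip host {h} 192.168.50.0 255.255.255.0"
    for h in [f"10.1.1.{i}" for i in range(8)] + ["10.1.1.16", "10.1.1.17", "10.1.2.5"]
)

ACE_RE = re.compile(
    r"^access-list\s+(\S+)\s+extended\s+permit\s+ip\s+host\s+(\S+)\s+(\S+\s+\S+)\s*$",
    re.MULTILINE,
)


def parse_host_aces(acl_text: str) -> Tuple[str, List[ipaddress.IPv4Address], str]:
    """Return (ACL name, local hosts, remote 'network mask' string).

    Only ACEs that share one ACL name and one remote side may be merged;
    anything else raises, because merging across different remote
    networks would change which traffic gets encrypted.
    """
    names, remotes, hosts = set(), set(), []
    for name, host, remote in ACE_RE.findall(acl_text):
        names.add(name)
        remotes.add(remote)
        hosts.append(ipaddress.IPv4Address(host))
    if not hosts:
        raise ValueError("no per-host ACEs found")
    if len(names) != 1 or len(remotes) != 1:
        raise ValueError("ACEs differ in ACL name or remote side; split before merging")
    return names.pop(), hosts, remotes.pop()


def collapse_exact(hosts: List[ipaddress.IPv4Address]) -> List[ipaddress.IPv4Network]:
    """Smallest set of prefixes covering exactly these hosts and nothing else.

    collapse_addresses only merges adjacent, aligned blocks, so the result
    never widens the protected scope: the security posture is unchanged.
    """
    return list(ipaddress.collapse_addresses(
        ipaddress.ip_network(f"{h}/32") for h in hosts))


def summarize_loose(hosts: List[ipaddress.IPv4Address]) -> Tuple[ipaddress.IPv4Network, int]:
    """One supernet covering all hosts, plus how many extra addresses it admits.

    This is the shortcut that trades security for ACE count: the returned
    count is what the tunnel would newly carry if you summarized this far.
    """
    lo, hi = min(hosts), max(hosts)
    for prefixlen in range(32, -1, -1):
        net = ipaddress.ip_network((lo, prefixlen), strict=False)
        if hi in net:
            return net, net.num_addresses - len(set(hosts))
    raise AssertionError("unreachable: /0 contains every address")


def render_aces(name: str, nets: List[ipaddress.IPv4Network], remote: str) -> List[str]:
    """Emit ASA ACEs for the given prefixes, using 'host' for /32s."""
    out = []
    for n in nets:
        local = (f"host {n.network_address}" if n.prefixlen == 32
                 else f"{n.network_address} {n.netmask}")
        out.append(f"access-list {name} extended permit ip {local} {remote}")
    return out


if __name__ == "__main__":
    name, hosts, remote = parse_host_aces(SAMPLE_ACL)
    exact = collapse_exact(hosts)
    print(f"{len(hosts)} per-host ACEs -> {len(exact)} exact ACEs (same protected scope):")
    print("\n".join(render_aces(name, exact, remote)))
    net, extra = summarize_loose(hosts)
    print(f"single supernet {net} would need 1 ACE but admits {extra} extra addresses")
```

Run against the sample, the eleven per-host ACEs become three (10.1.1.0/29, 10.1.1.16/31 and host 10.1.2.5) with nothing new allowed through the tunnel, while collapsing everything into one 10.1.0.0/22 ACE would silently put over a thousand additional addresses behind the tunnel. Both peers must carry matching proxy identities, so any collapsed ACL has to be mirrored on the remote side before the SAs will come up.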
