PIX simultaneous VPN Tunnel

Mar 3rd, 2004

I can see this on the PIX515E data sheet:

"Simultaneous VPN tunnels: 2000"

What does it mean?

And the "show version" command on the PIX515E:

"KE Peers : Unlimited"

What does this mean?

My problem is that I cannot enter more than 40 peer lines on the PIX.




gfullage (Cisco Employee) Wed, 03/03/2004 - 19:42

Simultaneous tunnels means that the PIX can support 2000 L2L or client VPNs at one point. Actually this is not a set limit, but is based on testing and where we think the PIX will remain in a stable condition. If you're pushing tons of traffic through each tunnel then the number should be much lower.


As for your problem of entering no more than 40 peers, are you trying to do the following:

access-list 100 permit
crypto map mymap 10 match address 100
crypto map mymap 10 set peer
crypto map mymap 10 set peer
crypto map mymap 10 set peer
.....
crypto map mymap 10 set peer


If so then what this does is set up 39 BACKUP peers for , and they will only get used if the previous peer is unavailable. For example, when the tunnel comes up for traffic matching ACL 100, the PIX will build it to , if this peer is down then it will try and build the tunnel to , if this is unavailable then it'll try and so on up to . Is this really what you want?


If what you really want is 40 different peers for 40 different traffic types, then you configure it like this:


access-list 100 permit
crypto map mymap 10 match address 100
crypto map mymap 10 set peer
...
access-list 101 permit
crypto map mymap 11 match address 101
crypto map mymap 11 set peer
...
access-list 102 permit
crypto map mymap 12 match address 102
crypto map mymap 12 set peer
...
...
access-list 139 permit
crypto map mymap 50 match address 139
crypto map mymap 50 set peer


Note how there are 40 different ACLs; these specify your different traffic to each remote site. There are also 40 different instances of the "mymap" crypto map (numbered 10 to 50). Finally, each instance references a different ACL for the different peers.




m.laporta Sun, 03/07/2004 - 03:04

Hi Glenn.


Thank you, as your reply is the answer to a question I asked some time ago... So OK, the PIX accepts several set peer statements in a single crypto map entry and will treat the first peer as the primary and the other one(s) as backup.


Now my question is: how can the Pix firewall detect a peer's failure and trigger the switchover? Does the Pix implement IKE keepalive or DPD?


Thank you

michele

gfullage (Cisco Employee) Mon, 03/08/2004 - 22:02

Yes, the PIX implements DPD to detect that an existing peer has gone down. If it then cannot rebuild the tunnel, after around 30 seconds (I believe), it will then go to the next peer under the same crypto map instance (if one exists).
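The two replies above make a point that is easy to get wrong in a large PIX config: several "set peer" lines under one crypto map sequence number form a primary-plus-backup chain, while distinct sites need distinct sequence numbers each matching its own ACL, and the failover between chained peers relies on DPD. The following audit script is an added example written for this thread, not code from the forum or from Cisco. It parses PIX-style crypto map lines, lists the ACL and ordered peer list per instance, flags instances whose backup chain is longer than expected (a hint that separate sites were configured as backups), and warns when a chain exists without an "isakmp keepalive" line. The "isakmp keepalive" syntax is assumed from PIX 6.x and is not quoted on the page; all addresses and the config itself are constructed sample data.

```python
"""Audit a PIX crypto map configuration for peer layout (added example)."""
import re
from collections import OrderedDict
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample config: instance 10 has one primary and two backup peers,
# instances 11 and 12 each carry one site (the layout the reply recommends).
# The isakmp keepalive line is intentionally absent so the DPD check fires.
SAMPLE_CONFIG = """\
access-list 100 permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list 101 permit ip 10.1.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list 102 permit ip 10.1.0.0 255.255.0.0 10.4.0.0 255.255.0.0
crypto map mymap 10 match address 100
crypto map mymap 10 set peer 192.0.2.10
crypto map mymap 10 set peer 192.0.2.11
crypto map mymap 10 set peer 192.0.2.12
crypto map mymap 11 match address 101
crypto map mymap 11 set peer 198.51.100.5
crypto map mymap 12 match address 102
crypto map mymap 12 set peer 203.0.113.7
"""

MATCH_RE = re.compile(r"^crypto map (\S+) (\d+) match address (\S+)$")
PEER_RE = re.compile(r"^crypto map (\S+) (\d+) set peer (\S+)$")
# Assumed PIX 6.x syntax for enabling DPD / IKE keepalives (not from the page).
KEEPALIVE_RE = re.compile(r"^isakmp keepalive\b")


@dataclass
class CryptoMapEntry:
    name: str
    seq: int
    acl: Optional[str] = None
    peers: List[str] = field(default_factory=list)  # first = primary, rest = backups


def parse_crypto_maps(config: str):
    """Return (OrderedDict[(name, seq)] -> CryptoMapEntry, dpd_enabled)."""
    entries = OrderedDict()
    dpd = False
    for raw in config.splitlines():
        line = raw.strip()
        if KEEPALIVE_RE.match(line):
            dpd = True
            continue
        m = MATCH_RE.match(line)
        if m:
            key = (m.group(1), int(m.group(2)))
            entries.setdefault(key, CryptoMapEntry(*key)).acl = m.group(3)
            continue
        m = PEER_RE.match(line)
        if m:
            key = (m.group(1), int(m.group(2)))
            entries.setdefault(key, CryptoMapEntry(*key)).peers.append(m.group(3))
    return entries, dpd


def audit(config: str, max_backups: int = 2):
    """Return human-readable findings; an empty list means nothing flagged."""
    entries, dpd = parse_crypto_maps(config)
    findings = []
    has_chain = False
    for (name, seq), e in entries.items():
        if e.acl is None:
            findings.append(f"{name} {seq}: no 'match address', instance selects no traffic")
        if not e.peers:
            findings.append(f"{name} {seq}: no peer configured")
            continue
        backups = len(e.peers) - 1
        if backups:
            has_chain = True
        if backups > max_backups:
            findings.append(
                f"{name} {seq}: {backups} backup peers behind primary {e.peers[0]}; "
                "if these are distinct sites they need separate instances and ACLs")
    if has_chain and not dpd:
        findings.append("backup peers configured but no 'isakmp keepalive': "
                        "switchover to the next peer depends on DPD")
    return findings


if __name__ == "__main__":
    entries, dpd = parse_crypto_maps(SAMPLE_CONFIG)
    for (name, seq), e in entries.items():
        print(f"{name} {seq}: acl={e.acl} primary={e.peers[0]} backups={e.peers[1:]}")
    print("DPD enabled:", dpd)
    for finding in audit(SAMPLE_CONFIG):
        print("WARN:", finding)
```

Run against a real "show running-config" dump, the per-instance listing shows at a glance whether a sequence number is a backup chain or a single site, and lowering max_backups tightens the threshold for flagging long chains.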
