How do I determine the number of ACTIVE VPN tunnels on a Cisco 837?

Unanswered Question
Mar 1st, 2006
Table 5 of the following link states that the maximum number of simultaneous VPN tunnels on a Cisco 830 series router is 10.


http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/netbr09186a00801f0a72.html


I have a few Cisco 837s configured with MORE than 10 site to site VPN connections.


How do I actually determine the number of ACTIVE tunnels?


If I use "show crypto isakmp sa" on my Cisco 837 then it shows more than 10 associated peers.


If I use "show crypto ipsec sa" then it shows more than 10 associations with traffic that has been encrypted/decrypted.


I'm presuming that since I have more than 10 site-to-site connections configured then this is allowed because I perhaps do not have 10 active simultaneously?


Or is the 10 that Cisco state as the maximum number of tunnels simply a recommendation and not a hard limit as such?


Does anyone have any information on this?


Thanks.


J.altami01 Wed, 03/01/2006 - 12:22
Have you tried 'show crypto engine connect active.....'?

mitchen Thu, 03/02/2006 - 01:38
Hello,


Thanks for the assistance.


"show crypto session" is not accepted by my Cisco 837.


"show crypto engine connections active" lists around 20 or so entries. Some of these have 0 for encrypt and decrypt so I guess these can be considered inactive?


But, even for the ones that have figures in the encrypt and decrypt column, there are still more than 10. (I have 12 on this particular router, for example)


Does this mean that I have more than 10 simultaneous VPN tunnels on my Cisco 837 then?


And, if so, does this mean that the 10 that Cisco state as the maximum number for a Cisco 837 is only a recommended maximum?


Thanks for any further assistance that can be offered!

m.sir Fri, 03/03/2006 - 00:03
User Badges:
  • Gold, 750 points or more

With "show crypto isakmp sa":

If the state is QM_IDLE, it means the tunnel is established. As far as I know, the limit of 10 VPN peers is a recommended number, so it doesn't mean the 11th tunnel is not established, but it can have a performance impact (in contrast to the PIX, where there is a licence policy: there, the first tunnel over the limit is simply not established and you will see an error message in the log).

Hope that helps

M.

mitchen Fri, 03/03/2006 - 01:52
Thanks, that's very helpful - that's what I was looking for. At the moment, I have 12 tunnels in QM_IDLE state on my 837 router, but if the maximum of 10 is just a recommendation then this now makes sense!


Do you know what sort of performance problems we might encounter with more than 10 tunnels on a Cisco 837?
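As an added example (not code from this thread, from Cisco, or from the 837 itself), the script below applies the two checks discussed above: it counts peers whose ISAKMP SA is in QM_IDLE from "show crypto isakmp sa" output, and it compares per-peer "#pkts encrypt" / "#pkts decrypt" counters from two "show crypto ipsec sa" samples taken a little apart. The second step matters because those counters are cumulative since the SA was built, so a non-zero value on its own only says the tunnel carried traffic at some point, not that it is passing traffic now. The router output is constructed to match the classic IOS 12.x column layout; the local address 203.0.113.1, the peer addresses, the crypto map name VPNMAP and all packet counts are assumptions.

```python
"""Count established and currently active site-to-site IPsec tunnels from
Cisco IOS "show crypto isakmp sa" / "show crypto ipsec sa" output (added example)."""
import re

LOCAL_ADDR = "203.0.113.1"  # assumed: the router's own crypto endpoint address

# Constructed sample in the classic IOS 12.x layout (not from the thread's router).
# Row 2 was initiated by the peer, so dst is our own address there.
ISAKMP_SA = """\
dst             src             state          conn-id slot
198.51.100.2    203.0.113.1     QM_IDLE              1    0
203.0.113.1     198.51.100.3    QM_IDLE              2    0
198.51.100.4    203.0.113.1     MM_NO_STATE          3    0
"""

# Constructed "show crypto ipsec sa" sample, trimmed to the lines parsed here.
# Peer .3 has two crypto map entries and therefore two SA blocks.
IPSEC_SA_T0 = """\
interface: Ethernet1
    Crypto map tag: VPNMAP, local addr. 203.0.113.1

   current_peer: 198.51.100.2:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 1200, #pkts encrypt: 1200, #pkts digest: 1200
    #pkts decaps: 1100, #pkts decrypt: 1100, #pkts verify: 1100

   current_peer: 198.51.100.3:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 3000, #pkts encrypt: 3000, #pkts digest: 3000
    #pkts decaps: 2900, #pkts decrypt: 2900, #pkts verify: 2900

   current_peer: 198.51.100.3:500
     PERMIT, flags={origin_is_acl,}
    #pkts encaps: 2000, #pkts encrypt: 2000, #pkts digest: 2000
    #pkts decaps: 2000, #pkts decrypt: 2000, #pkts verify: 2000
"""
# Second sample taken a little later: only peer .2's counters have moved.
IPSEC_SA_T1 = IPSEC_SA_T0.replace("1200", "1260").replace("1100", "1150")

IP = r"(\d+\.\d+\.\d+\.\d+)"
ISAKMP_ROW = re.compile(rf"^{IP}\s+{IP}\s+([A-Z_]+)\s+\d+", re.M)
# Matches both "current_peer: a.b.c.d:500" and the newer "current_peer a.b.c.d port 500".
PEER_LINE = re.compile(rf"current_peer:?\s+{IP}")
ENCRYPT = re.compile(r"#pkts encrypt:\s*(\d+)")
DECRYPT = re.compile(r"#pkts decrypt:\s*(\d+)")


def established_peers(isakmp_sa_text, local_addr):
    """Peers whose ISAKMP SA is QM_IDLE (phase 1 complete and usable).
    MM_*/AG_*/other QM_* states are still negotiating. The peer is whichever of
    dst/src is not our own address, because the remote side may have initiated."""
    peers = set()
    for dst, src, state in ISAKMP_ROW.findall(isakmp_sa_text):
        if state == "QM_IDLE":
            peers.add(dst if src == local_addr else src)
    return peers


def ipsec_counters(ipsec_sa_text):
    """Per-peer cumulative (encrypt, decrypt) packet counts, summed over all of
    that peer's IPsec SA blocks."""
    counters, peer = {}, None
    for line in ipsec_sa_text.splitlines():
        m = PEER_LINE.search(line)
        if m:
            peer = m.group(1)
            counters.setdefault(peer, [0, 0])
            continue
        if peer is None:
            continue
        m = ENCRYPT.search(line)
        if m:
            counters[peer][0] += int(m.group(1))
        m = DECRYPT.search(line)
        if m:
            counters[peer][1] += int(m.group(1))
    return {p: tuple(v) for p, v in counters.items()}


def peers_with_any_traffic(counters):
    """Peers that have ever encrypted or decrypted a packet on the current SAs."""
    return {p for p, (enc, dec) in counters.items() if enc or dec}


def peers_active_between(before, after):
    """Peers whose counters increased between two samples: traffic is flowing now."""
    active = set()
    for peer, (enc, dec) in after.items():
        enc0, dec0 = before.get(peer, (0, 0))
        if enc > enc0 or dec > dec0:
            active.add(peer)
    return active


def tunnel_summary(isakmp_text, ipsec_before, ipsec_after, local_addr):
    est = established_peers(isakmp_text, local_addr)
    after = ipsec_counters(ipsec_after)
    return {
        "established": len(est),
        "ever_carried_traffic": len(peers_with_any_traffic(after) & est),
        "active_between_samples": len(peers_active_between(ipsec_counters(ipsec_before), after) & est),
    }


if __name__ == "__main__":
    print(tunnel_summary(ISAKMP_SA, IPSEC_SA_T0, IPSEC_SA_T1, LOCAL_ADDR))
```

On the constructed sample this reports 2 established tunnels, 2 that have carried traffic at some point, and only 1 actually moving packets between the two samples; peer .4 is stuck in MM_NO_STATE and is not counted. To use it against a real router, paste the two "show crypto ipsec sa" captures (a minute or so apart) and the "show crypto isakmp sa" capture into the three strings and set LOCAL_ADDR to the address the crypto map is bound to.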
