Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
530
Views
9
Helpful
6
Replies

How do i determine the number of ACTIVE VPN tunnels on a Cisco 837?

mitchen
Level 2
Level 2

‎03-01-2006 09:17 AM - edited ‎02-21-2020 02:17 PM

Table 5 of the following link states that the maximum number of simultaneous VPN tunnels on a Cisco 830 series router is 10.

http://www.cisco.com/en/US/netsol/ns340/ns394/ns171/netbr09186a00801f0a72.html

I have a few Cisco 837s configured with MORE than 10 site to site VPN connections.

How do I actually determine the number of ACTIVE tunnels?

If I use "show crypto isakmp sa" on my Cisco 837 then it shows more than 10 associated peers.

If I use "show crypto ipsec sa" then it shows more than 10 associations with traffic that has been encrypted/decrypted.

I'm presuming that since I have more than 10 site-to-site connections configured then this is allowed because I perhaps do not have 10 active simultaneously?

Or is the 10 that Cisco state as the maximum number of tunnels, simply a recommendation and not a hard limit as such?

Does anyone have any information on this?

Thanks.

Labels:
0 Helpful
6 Replies 6

donny
Level 1
Level 1

‎03-01-2006 09:50 AM

have you tried 'show crypto session'?

J.altami01
Level 1
Level 1
In response to donny

‎03-01-2006 12:22 PM

have you tried 'show crypto engine connect active.....'?

mitchen
Level 2
Level 2
In response to J.altami01

‎03-02-2006 01:38 AM

Hello,

thanks for the assistance.

"show crypto session" is not accepted by my Cisco 837.

"show crypto engine connections active" lists around 20 or so entries. Some of these have 0 for encrypt and decrypt so I guess these can be considered inactive?

But, even for the ones that have figures in the encrypt and decrypt column, there are still more than 10. (I have 12 on this particular router, for example)

Does this mean that I have more than 10 simultaneous VPN tunnels on my Cisco 837 then?

And, if so, does this mean that the 10 that Cisco state as the maximum number for a Cisco 837 is only a recommended maximum?

Thanks for any further assistance that can be offered!

0 Helpful

m.sir
Level 7
Level 7

‎03-03-2006 12:03 AM

with show crypto isakmp sa

if is state QM_IDLE it means tunnel is esthablished as as I know limit 10 VPN peers is recommended number so it doesnt mean 11th tunnel is not esthablished ... but it can has performance impact (in contrast to PIX where is licence policy - there 1st tunnel over limit is not simply esthablished and you will see some error message in log..)

Hope that helps

M.

mitchen
Level 2
Level 2
In response to m.sir

‎03-03-2006 01:52 AM

Thanks, thats very helpful - that's what I was looking for, At the moment, I have 12 tunnels in QM_IDLE state on my 837 router but if the maximum 10 is just a recommendation then this now makes sense!

Do you know what sort of performance problems we might encounter with more than 10 tunnels on a Cisco 837?

0 Helpful

J.altami01
Level 1
Level 1
In response to mitchen

‎03-03-2006 11:05 AM

according the cisco documents the limit is 5 :)

maybe this can helps...

http://www.cisco.com/en/US/partner/products/hw/routers/ps380/products_data_sheet09186a008010e5c5.html

regards

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents