Multi Context IPSec VPN limitations

Hello,

We are looking to deploy multi-context IPSec LAN-to-LAN VPNs on ASA 9.x now that the functionality is available, and I'm trying to understand if there are limitations to the number of tunnels that can be deployed per context. The link below may seem to indicate that there is a limit of 5 "IPSec sessions" per context, but I can't see any reference to such a limitation anywhere else.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/contexts.html#wp1147166

Does anybody know if there is a hard limit on the number of IPSec connections per context, or is it down to the general capabilities of the hardware (i.e. we're looking initially to deploy on a 5520, so we'd get a throughput capability of 225 Mb based on the datasheet, obviously depending on crypto parameters)?

Thanks

Accepted Solution

Hey found the updated document

http://www.cisco.com/en/US/docs/security/asa/command-reference/l1.html#wp1697181

Ok, this is the real document:

By default, all security contexts have unlimited access to the resources of the ASA, except where maximum limits per context are enforced; the only exception is VPN resources, which are disabled by default. If you find that one or more contexts use too many resources, and they cause other contexts to be denied connections, for example, then you can configure resource management to limit the use of resources per context. For VPN resources, you must configure resource management to allow any VPN tunnels.

Resource name: vpn burst other
Rate or concurrent: Concurrent
Minimum and maximum number per context: N/A
System limit: The Other VPN session amount for your model minus the sum of the sessions assigned to all contexts for vpn other.
Description: The number of site-to-site VPN sessions allowed beyond the amount assigned to a context with vpn other. For example, if your model supports 5000 sessions, and you assign 4000 sessions across all contexts with vpn other, then the remaining 1000 sessions are available for vpn burst other. Unlike vpn other, which guarantees the sessions to the context, vpn burst other can be oversubscribed; the burst pool is available to all contexts on a first-come, first-served basis.

Resource name: vpn other
Rate or concurrent: Concurrent
Minimum and maximum number per context: N/A
System limit: See the "Supported Feature Licenses Per Model" section in the CLI configuration guide for the Other VPN sessions available for your model.
Description: Site-to-site VPN sessions. You cannot oversubscribe this resource; all context assignments combined cannot exceed the model limit. The sessions you assign for this resource are guaranteed to the context.

Value our effort and rate the assistance!

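As an added illustration (not from the original thread or from Cisco), the following Python model encodes the allocation rules quoted above: guaranteed vpn other sessions that cannot be oversubscribed in total, and a shared, first-come first-served vpn burst other pool. The context names and session counts are constructed, following the documentation's 5000/4000/1000 example; the class and function names are my own.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ContextLimits:
    other: int        # "limit-resource vpn other": guaranteed sessions
    burst: int        # "limit-resource vpn burst other": extra from shared pool
    used: int = 0     # site-to-site sessions currently up in this context


@dataclass
class VpnResourcePlan:
    model_limit: int  # "Other VPN" sessions licensed on the model
    contexts: Dict[str, ContextLimits] = field(default_factory=dict)
    burst_in_use: int = 0  # burst sessions handed out so far (all contexts)

    def total_other(self) -> int:
        return sum(c.other for c in self.contexts.values())

    def burst_pool(self) -> int:
        """Shared burst pool: model limit minus every guaranteed assignment."""
        return self.model_limit - self.total_other()

    def validate(self) -> List[str]:
        """vpn other cannot be oversubscribed; empty list means the plan is allowed."""
        if self.total_other() > self.model_limit:
            return [f"vpn other total {self.total_other()} exceeds model limit {self.model_limit}"]
        return []

    def admit(self, name: str) -> str:
        """Bring up one more tunnel in `name`: 'guaranteed', 'burst' or 'denied'."""
        ctx = self.contexts[name]
        if ctx.used < ctx.other:          # inside the context's guaranteed share
            ctx.used += 1
            return "guaranteed"
        if ctx.used < ctx.other + ctx.burst and self.burst_in_use < self.burst_pool():
            ctx.used += 1                 # shared pool, first-come first-served
            self.burst_in_use += 1
            return "burst"
        return "denied"                   # own share used and the pool is empty


def doc_example() -> Dict[str, int]:
    """Documentation's 5000/4000/1000 case with constructed contexts: 2000 guaranteed
    each leaves a 1000-session burst pool; ctx-a drains it, so ctx-b gets no burst."""
    plan = VpnResourcePlan(5000, {"ctx-a": ContextLimits(2000, 1000),
                                  "ctx-b": ContextLimits(2000, 1000)})
    assert plan.validate() == []
    return {name: sum(plan.admit(name) != "denied" for _ in range(3500))
            for name in ("ctx-a", "ctx-b")}  # {"ctx-a": 3000, "ctx-b": 2000}
```

The point the model makes visible is that a context relying on burst sessions can be refused tunnels even while below its own burst limit, because the pool is shared.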


jumora (Level 7)

The limit that the license on the show version indicates.

Value our effort and rate the assistance!

OK, but the document indicates that the maximum number of IPSec sessions per context is 5; what I mean is in general.

By default, the default class provides unlimited access to resources for all contexts, except for the following limits, which are by default set to the maximum allowed per context:

Telnet sessions—5 sessions.

SSH sessions—5 sessions.

IPSec sessions—5 sessions.

Value our effort and rate the assistance!

Hello,

Thanks for that. I would just like to confirm what an "IPSec session" is. In "show version" it confirms the possible number of "VPN Peers". Does an IPSec session = a VPN peer?

Also, if the limit of VPNs per context is 5, that sounds very limiting for larger firewalls (e.g. a 5585-X). Even on a 5520, where you can have 750 VPN peers (let's not consider throughput for now) and 20 contexts, that would mean that in multi-context mode with the full license a 5520 can host only 100 VPN peers, whereas in single-context mode it's 750. That seems like a severe limitation and one that might be very important to understand.

I get your point. I think that documentation is a bit odd, seeing it is for 8.2, since site-to-site VPN support in multiple context mode was added in 9.1. Let me get to work at TAC and run a couple of questions past my VPN peers.

Multiple Context Mode Features

Site-to-Site VPN in multiple context mode

New resource type for site-to-site VPN tunnels

New resource types, vpn other and vpn burst other, were created to set the maximum number of site-to-site VPN tunnels in each context.

We modified the following commands: limit-resource, show resource types, show resource usage, show resource allocation.

Value our effort and rate the assistance!


Thanks for that. Just so I'm clearly understanding this, can I confirm the following:

Contexts in a multi-context ASA can handle as many IPSec peers as the hardware specifies (750 in the case of the 5520)?

I need to enable resource management in the first place before any contexts can use them?

Thanks,

Ben

You got it!!!

Value our effort and rate the assistance!

Thanks a lot, that clears it up for me.

One issue I have found with multi-context mode and AnyConnect is that it does not seem to support web download or profile editing; I am in the process of raising a TAC case.
