Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Multi Context IPSec VPN limitations

Hello,

We are looking to deploy mult-context IPSec lan to lan VPNs on ASA 9.x  now that the functionality is available and I'm trying to understand if there are limitations to the number of tunnels that can be deployed per context? The below link may seem to indicate that there is a limit of 5 "IPSec sessions" per context but I can't see any reference to such limitations anywhere else.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/contexts.html#wp1147166

Does anybody know if there is a hard limit of number of IPSec connections per context or is it down to the general capabilities of the hardware (i.e. we're looking initially to deploy on 5520 so we'd get a throughput capability of 225Mb based on the datasheet -obviously depending on crypto parameters)?

Thanks

1 ACCEPTED SOLUTION

Accepted Solutions
Silver

Multi Context IPSec VPN limitations

Hey found the updated document

http://www.cisco.com/en/US/docs/security/asa/command-reference/l1.html#wp1697181

Ok, this is the real document:

By default, all security contexts have unlimited access to the resources of the ASA, except where maximum limits per context are enforced; the only exception is VPN resources, which are disabled by default. If you find that one or more contexts use too many resources, and they cause other contexts to be denied connections, for example, then you can configure resource management to limit the use of resources per context. For VPN resources, you must configure resource management to allow any VPN tunnels.

vpn burst other

Concurrent

N/A

The Other VPN session amount for your model minus the sum of the sessions assigned to all contexts for vpn other.

The number of site-to-site VPN sessions allowed beyond the amount assigned to a context withvpn other. For example, if your model supports 5000 sessions, and you assign 4000 sessions across all contexts with vpn other, then the remaining 1000 sessions are available for vpn burst other. Unlike vpn other, which guarantees the sessions to the context, vpn burst othercan be oversubscribed; the burst pool is available to all contexts on a first-come, first-served basis.

vpn other

Concurrent

N/A

See the "Supported Feature Licenses Per Model" section in the CLI configuration guide for the Other VPN sessions available for your model.

Site-to-site VPN sessions. You cannot oversubscribe this resource; all context assignments combined cannot exceed the model limit. The sessions you assign for this resource are guaranteed to the context.

Value our effort and rate the assistance!

Value our effort and rate the assistance!
8 REPLIES
Silver

Multi Context IPSec VPN limitations

The limit that the license on the show version indicates.

Value our effort and rate the assistance!

Value our effort and rate the assistance!
Silver

Re: Multi Context IPSec VPN limitations

Ok but the document indicates that the maximum IPSec sessions per context are 5 but what I mean is in general.

By default, the default class provides unlimited access to resources for all contexts, except for the following limits, which are by default set to the maximum allowed per context:

Telnet sessions—5 sessions.

SSH sessions—5 sessions.

IPSec sessions—5 sessions.

Value our effort and rate the assistance!

Value our effort and rate the assistance!
New Member

Multi Context IPSec VPN limitations

Hello,

Thanks for that, I would just like to confirm what an "IPSec session" is. In "show version" it confirms the possible number of "VPN Peers". Does an IPSec session =  a VPN peer?

Also, if the limit of VPNs per context is 5, that sounds very limiting for larger firewalls (i.e. a 5585-X). Even on a 5520 where you can have 750VPN peers (lets not consider throughput for now), where it can have 20 contexts, that would mean in multi-context mode with the full license a 5520 can host only 100 VPN peers where as in single context mode it's 750. That seems like a severe limitation and one that might be very important to understand.

Silver

Multi Context IPSec VPN limitations

I get your point, I think that even that documentation is a bit odd seen on 8.2 since VPN site to site support in multiple context was added in 9.1, let me get to work at TAC and run a couple of questions to my VPN peers.

Multiple Context Mode Features

Site-to-Site VPN in multiple context mode

Site-

New resource type for site-to-site VPN tunnels

New resource types, vpn other and vpn burst other, were created to set the maximum number of site-to-site VPN tunnels in each context.

We modified the following commands: limit-resource, show resource types, show resource usage, show resource allocation.

Value our effort and rate the assistance!

Value our effort and rate the assistance!
Silver

Multi Context IPSec VPN limitations

Hey found the updated document

http://www.cisco.com/en/US/docs/security/asa/command-reference/l1.html#wp1697181

Ok, this is the real document:

By default, all security contexts have unlimited access to the resources of the ASA, except where maximum limits per context are enforced; the only exception is VPN resources, which are disabled by default. If you find that one or more contexts use too many resources, and they cause other contexts to be denied connections, for example, then you can configure resource management to limit the use of resources per context. For VPN resources, you must configure resource management to allow any VPN tunnels.

vpn burst other

Concurrent

N/A

The Other VPN session amount for your model minus the sum of the sessions assigned to all contexts for vpn other.

The number of site-to-site VPN sessions allowed beyond the amount assigned to a context withvpn other. For example, if your model supports 5000 sessions, and you assign 4000 sessions across all contexts with vpn other, then the remaining 1000 sessions are available for vpn burst other. Unlike vpn other, which guarantees the sessions to the context, vpn burst othercan be oversubscribed; the burst pool is available to all contexts on a first-come, first-served basis.

vpn other

Concurrent

N/A

See the "Supported Feature Licenses Per Model" section in the CLI configuration guide for the Other VPN sessions available for your model.

Site-to-site VPN sessions. You cannot oversubscribe this resource; all context assignments combined cannot exceed the model limit. The sessions you assign for this resource are guaranteed to the context.

Value our effort and rate the assistance!

Value our effort and rate the assistance!
New Member

Multi Context IPSec VPN limitations

Thanks for that, just so I'm clearly understanding this can I confirm the following:

Contexts in a multi-context ASAs can handle as many IPSec peers as the hardware specifies (750 in the case of 5520)?

I need to enable resource management in the first place before any contexts can use them?

Thanks,

Ben

Silver

Multi Context IPSec VPN limitations

You got it!!!

Value our effort and rate the assistance!

Value our effort and rate the assistance!
New Member

Multi Context IPSec VPN limitations

thanks a lot, that clears it up for me.

1375
Views
0
Helpful
8
Replies