Just wondering if anyone has run into this issue. Running a PIX 515E-R as firewall / VPN device. We have a 506 connected to it (site to site VPN) and various dynamic clients at remote offices (around 9 connections). When we reach 8 VPN tunnels, the PIX continues to allow connections but does not create a tunnel between it and the client.
Don't think it is a limit - you can make 10 IPSec tunnels with a 501, and 20 (IIRC) with a 506. I don't think there is any software limit with the 515. The sites that fail to connect - have they ever connected successfully? Dynamic clients - how big is the ip local pool? Any log entries?
Hey, thanks for the reply. I did not think there was a limit per se, as much as a bug we have run into.
It seems to be that we cannot create more than 8 tunnels. The PIX continues to deploy IP addresses from the local IP pool and allow connections, it just fails to create the tunnel. We have a pool of about 20 IP addresses. All the clients have connected at one time or another. Right now it's like musical chairs: the first 8 get in, after that they get a connection, just no tunnel. It's various connection types, dynamic, site-site static, etc. Nothing of note or that I understand has shown up in the log related to this.