PIX 515 6.1 – Attempting 50 site-to-site tunnels

wiccisco · ‎05-28-2002

I am attempting to connect 50 remote sites to our main office PIX 515E using PIX 501s at the remote sites. I have two sites up and working fine. When I issue the command SHOW CRYPTO ENGINE is see:

Crypto Engine Connection Map:

size = 8, free = 4, used = 4, active = 4

Yikes! 2 connections used 4 entries? And I only have 8 total? The device literature says the 515 supports 2000 VPN tunnels. What gives? The PIX does not support the CRYPTO SDU command to increase these connections. What are we missing? Can we only support 4 remote sites?

cjacinto · ‎06-01-2002

Below is the meaning of the entries:

Crypto Engine Connection Map:

> size = 8, free = 8, used = 0, active = 0

>

> -- The map size of the crypto engine. The map size

> will exponentially double if the number of

> IPSec tunnels outgrows the map size. Note that

> each IPSec tunnels consume two crypto connections,

> one for outbound and one for inbound.

>

> -- The number of free connection entries in the map.

>

> -- The number of allocated connection entries in the map.

>

> -- The number of connection entries that is able to

> cryptographically protect IPSec traffic.

You see 4 entries for the 2 tunnel since you get 2 unidirectional IPSec SA for every tunnel.

This doesn't give you the max tunnels allowed. Also, remember one vpn tunnel is 1 IKE SA plus 2 IPSec SA (that is if you have only one acl on your crypto acl - the more acl the more SA).

PIX 515 6.1  Attempting 50 site-to-site tunnels

PIX 515 6.1 Attempting 50 site-to-site tunnels