VPN 3000 - Hardware limits CPU and other, optimising setup

Hello,

I need some real-life facts about VPN 3000 concentrators running more than 1000 concurrent IPSEC VPN-RAS sessions.

We are seeing very high CPU utilization, hitting about 100% at 1600 concurrent sessions on a VPN 3060. The question is what can be done to optimise the setup. Is there a major performance difference between different firmware versions? How can we debug which feature generates the CPU load?

Do I get it right that there is no CPU difference between the VPN 3015 and the VPN 3080? There is no documentation about CPU specs, only SEPs and RAM.

What is the current natural choice of Cisco hardware / upgrade path for very large VPN-RAS setups with, say, 5000-10000 concurrent sessions? Would you buy more VPN 3000s or switch to others like the ASA, VPN modules for the 6509, or routers?

1 REPLY

Re: VPN 3000 - Hardware limits CPU and other, optimising setup

Hi,

Q: We are seeing very high CPU utilization, hitting about 100% at 1600 concurrent sessions on a VPN 3060. The question is what can be done to optimise the setup. Is there a major performance difference between different firmware versions? How can we debug which feature generates the CPU load?

A: Data compression increases the memory requirement and CPU utilization for each user session and consequently decreases the overall throughput of the VPN Concentrator.

For this reason, Cisco recommends that you enable data compression only if every member of the group is a remote user that connects with a modem. If any member of the group connects through broadband, do not enable data compression for the group. Instead, divide the group into two groups, one for modem users and the other for broadband users. Enable data compression only for the group of modem users.

You can use "Configuration > System > Events > Classes" and configure the specific events (such as IPsec or PPTP) to get better debugs. Debugging should only be turned on for the duration of the troubleshooting exercise because it can cause performance degradation. For IPsec debug, turn on IKE, IKEDBG, IPSEC, IPSECDBG, AUTH, and AUTHDBG. If using certificates, then add the CERT class to the list.

Q: Do I get it right that there is no CPU difference between the VPN 3015 and the VPN 3080? There is no documentation about CPU specs, only SEPs and RAM.

A: Yes.

Q: What is the current natural choice of Cisco hardware / upgrade path for very large VPN-RAS setups with, say, 5000-10000 concurrent sessions? Would you buy more VPN 3000s or switch to others like the ASA, VPN modules for the 6509, or routers?

A: The Cisco VPN 3080 supports a maximum of 10,000 concurrent users, but at this kind of figure it's recommended to have redundant VPN, preferably load-balanced with a minimum of 2 VPN3Ks, though more VPN3K boxes is better. Since the VPN3K is a dedicated box for remote access, it would be the better choice. There's no right or wrong in using the ASA, VPN modules or routers, except for the fact that this equipment supports remote access VPN as part of its integrated services, which is available in the form of a software feature or an add-on/plugged-in module.

Hope this helps.

Rgds,

AK
