Cisco ASA 9.1 crypto ipsec stats system capacity failures
I'm trying to research some performance issues on a centralized ASA and some VPN site end-points. I'm already addressing fragmentation bits and flow control that looks to resolve some of the performance issues, but I came across something that I can't seem to identify to understand what it's telling me.
I can't seem to find any documentation that explains what triggers the counter for "System capacity failures" on the show crypto ipsec stats command:
Sorry Karthik, I was away on vacation and just checking back in with this again.
It is an ASA5510 and as you can see we average about 40 to 50 tunnels.
The outside link is a 100Mb and the inside is 1Gb. The DMZ is a 100Mb.
The actual performance metrics evidenced on this doesn't show any real buffer drops or steady high-interface utilization to be just throughput performance (of course there may be some spikes I'm not seeing in our sampling).
I"m just curious to see exactly what triggers that counter and if I can figure that out, I can focus on something to prove any requirement to upgrade this model if required.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...