Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
958
Views
0
Helpful
1
Replies

How many dmvpn isakmp connections could have on cisco 2811?

albert.torro
Level 1
Level 1

‎07-18-2012 07:28 AM - edited ‎02-21-2020 06:13 PM

Hi to eveyone,

I have a problem with a Dynamic Multipoint VPN with a router cisco 2811. I would discard that the router couldn't support more than 100 isakmp sa connections, because over the 100 connections some of the tunnels cannot became up.

When disconnect one of the tunnel, the other that was down became up.

Another thing that could see is that the conn_id when i do a show crypto isakmp sa goes from 1000 to 1099, but it no appear any other number above the 1099.

It exist some limitations in the number of isakmp connections on cisco 2811?

Thanks!

Labels:
0 Helpful
1 Reply 1

Javier Portuguez
Level 9
Level 9

‎07-25-2012 11:28 AM

Hi Albert,

Please check this out:

Source: http://www.cisco.com/en/US/prod/collateral/routers/ps5853/data_sheet_vpn_aim_for_18128003800routers.html

Maximum Number of IPSec Encrypted Tunnels

The Cisco IPsec and SSL VPN AIM supports up to 800 tunnels on the Cisco 1841, up to 1500 tunnels on the Cisco 2800 Series, and up to 2000 tunnels on the Cisco 3800 Series. The Maximum Tunnel Scalability test is done with no data passing over the tunnels to only determine maximum number. For site-to-site design, Cisco recommends you consult with your Cisco account team or a Cisco authorized reseller and also review the Cisco DMVPN Design Guide at:http://www.cisco.com/application/pdf/en/us/guest/netsol/ns171/c649/ccmigration_09186a008075ea98.pdf

With the software crypto engine there indeed is a 100 IKE SA limit and it is the same for the HW crypto engine on the 2811. There is 200 tunnel limit in the documentation, which  doesn't refer to the number of IKE SAs but it means the number of IPSec flows (from which you have two for each tunnel).

To have more VPN connections you will have to obtain a VPN accelerator module for the router.

So, at this point I would recommend you check with your Cisco account team or a Cisco authorized reseller.

Mark this question as answered if you do not have any further questions.

Thanks for your time and I apologize for any inconvenience.

Please rate this post if you find it helpful.

0 Helpful
Customers Also Viewed These Support Documents