How to license 4x100vpn-ssl (FL-SSLVPN100-K9) in Router 3945 in HA (HSRP)

efaja · ‎11-12-2013

Hi,

I got a couple of 3945, and I would like to put the routers in Active/Standby using HSRP. I got also a four

FL-SSLVPN100-K9 so 400 licenses VPN SSL.

My doubt is, how to license this VPNs, I have not found any thing clear on cisco.com. If I have an Active/Standby, can I license all 400 VPN SSL to the Active Router, and replicate as a bakcup the four license on the Standby Router?

Or I just need to registers 200 VPN SSL on the Active Router and on the Standby Router the other 200 VPN SSL (losing 200 clients, that only could by used just in case of a failure of the active router)

Yours faithfully,

Esteve

Karsten Iwen · ‎11-12-2013

You have to activate 200 licenses on Router1 and 200 licenses on Router2. The license-information is not synchronized between them. But you don't need to lose any possible sessions as cou can also run an active/active scenario with two HSRP-groups. And on very new software you could even configure IKEv2-Loadbalancing for many routers.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

efaja · ‎11-12-2013

Thanks Karsten for your quickly response,

I will check the last thing you say about IKEv2-Loadbalancing.

Kind Regards

Esteve

Karsten Iwen · ‎11-12-2013

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_ike2vpn/configuration/15-2mt/sec-cfg-clb-supp.html

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

efaja · ‎11-12-2013

Chess:)

efaja · ‎11-13-2013

Hi Karsten,

Just one thing more, do you know with is the maximum of concurrent VPN SSL can run into one 3945? I am very surprise to see that Cisco said that the maximum number of VPNs is 200.

Platform	Licenses Included with High Performance Security (HSEC) Bundles	Maximum Number of Users
Platform		Without Advanced Integration Module	With Advanced Integration Module
Cisco UC/SR500, 870, 880, and 890 Series Routers	-	10 users	-
Cisco 1800 and 1900 Fixed Routers	-	25 licensed users	-
Cisco 1841 and 2801 Routers	10 free users	-	75 licensed users
Cisco 1941 and 2901 Routers	-	75 licensed users	N/A
Cisco 2811 and 2821 Routers	10 free users	-	100 licensed users
Cisco 2911 and 2921 Routers	-	100 licensed users	N/A
Cisco 2851 Routers	10 free users	-	150 licensed users
Cisco 2951 Routers	-	150 licensed users	N/A
Cisco 3800 Series Routers	25 free users	-	200 licensed users
Cisco 3900 Series Routers	-	200 licensed users	N/A

http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6657/product_data_sheet0900aecd80405e25.html

Yours faithfully,

Esteve

Karsten Iwen · ‎11-13-2013

Yes, the concurent VPN-user-count on the ISR are not that high. But if you need many AnyConnect-users, you should also calculate if an ASA with AnyConnect-Essentials license is less expensive then a router with that many AnyConnect-licenses.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

efaja · ‎11-13-2013

OK, well it is to late to chenge for ASA...

So there is no way to have more than 200 VPN-SSL on a Router 3945? (just to clirify)

The limitation comes by limitation the CPU, memory, or it's just a Licence limitation? The 3945 brings the Security Bundle...

Thanks for your support karsten

Regards
Esteve

Karsten Iwen · ‎11-13-2013

The maxium of 200 SSL tunnels for the 3925/3945 is also what I'm aware of. The 3925E/3945E is documented to handle up to 500 SSL-tunnels. For IPSec-tunnels the count is mouch higher if you have the HSEC-license (2000 for the 3945).

I assume that it an overall ressource-limitation.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

efaja · ‎11-13-2013

Thanks, this is all. have a good day!

Regards

Esteve