
Cisco ASA - terminate more than 5000 IPSec VPN connections

Hello all,

We have a project where we need to terminate a large number of IPSec VPN peers. At the moment we are using Cisco ASA 5555-X appliances with VPN Premium license.

We terminate at the moment about 2000 IPSec VPN connections, but we are in full deployment and we get about 2000 new peers per year. The maximum number of VPN peers is 5000 with this platform, according to the Cisco website.

All connections are very low bandwidth and we don't use any kind of fancy features on the ASA. CPU usage is less than 2% and memory usage less than 25%. Technically I am pretty sure we can easily support 6000 connections, resource-wise. The license is another issue.

Is there any way to extend the license of the ASA 5555-X to support more than 5000 IPSec VPN peers?

The alternative would be to go to the next level, the ASA 5585-X, which supports up to 10000 VPN peers, but that is quite a bit more expensive. Adding another ASA 5555-X would also work, but that is not very scalable and would make the whole setup more complex. Ideally I would like to have a single device (or cluster) which supports more than 5000 VPN peers.

What other choices do I have for terminating 5000+ IPSec VPN peers? What do other people use in such large-scale projects while keeping things scalable?

Best regards,
Stefan

Cisco Employee

Re: Cisco ASA - terminate more than 5000 IPSec VPN connections

Hi Stefan,

You cannot exceed the maximum concurrent VPN session limit for the platform, so the existing 5000 limitation has to remain. There is an option to scale RAVPN concurrent sessions with VPN Clustering, but it does not extend to S2S VPN:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/configuration/vpn/asa-vpn-cli/vpn-params.html#pgfId-1079186


Hope that helps.


Thanks,

Brian