Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
746
Views
0
Helpful
3
Replies

ASA Anyconnect VPN IP Allocation

sanjumathen
Level 4
Level 4

‎09-02-2011 04:20 AM - edited ‎03-10-2019 06:21 PM

Hi,

Starting a project where they customer has ASA 5585X with SSP40 with 10K SSL Premium Lic and ACS5.1

The cust wants IPSec, and Anyconnect Client terminations. The number of users will be close to 6000 and will scale.

Due to the huge scale of users, i am not able to finalize a design. Have the following doubts.

1. Will ACS have any issues in supporting a database this huge. OR is it better to go with the AD/LDAP integration.

2. What is the best way to allocation IP address. Does ACS 5.1 support dynamic allocation form an IP pool.

I have been browsing through the forum, couldnt find anything concrete.

regards

Sanju

Labels:
0 Helpful
3 Replies 3

sjbdallas
Level 1
Level 1

‎09-02-2011 07:56 AM

Sanju,

Are those 6000 concurrent users?  I remember seeing somewhere how many transactions ACS can handle at a time and it was in the 2000 to 2500 range but I can't find that reference right now.

Are you using ACS simply for authentication or are you going to be assigning roles?

My experience has been that the ASA does a better job at assigning IP addresses from a pool than other services. 

0 Helpful

sanjumathen
Level 4
Level 4
In response to sjbdallas

‎09-02-2011 11:40 AM

Hi Steven,

These will not be concurrent sessions,

Its just the  maximum  number of users.

regards

Sanju

0 Helpful

sjbdallas
Level 1
Level 1
In response to sanjumathen

‎09-02-2011 01:51 PM

This guide:

http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_system/5.1/migration/guide/Migration_Deploy.html#wp1054773

Says this under PERFORMANCE:

"A single ACS 5.1 server that does not act as the log collector can  process more than 100 authentications per second. You should make sure  that a single ACS server processing AAA requests is able to manage the  load during peak hours. Peak hours typically occur when users arrive to  work, or when network equipment reboots. This creates a large amount of  authentications requests.

For example, 50,000 employees of a company log on to a network evenly,  over a fifteen minute period. This translates to approximately 56  authentications per second as the peak authentication rate. In this  case, a single ACS server which does not act as the log collector, can  support this peak authentication rate. "

There's also a chart on that page that shows the auths per second depending on the data store and type of auth.

0 Helpful
Customers Also Viewed These Support Documents