02-12-2019 02:50 PM - edited 02-21-2020 08:48 AM
Hello,
We have an ASA5506X running 9.6.1.
We are currently running a VPN tunnel using IKEv1 with AES-256, SHA1, and DH 2, and it runs very well.
We are considering changing the config to use IKEv2 with AES-256, SHA256, and DH20.
Can anyone tell me if the CPU has enough performance to support this?
Your help is appreciated.
02-12-2019 02:59 PM
02-12-2019 03:01 PM
I do not see an issue here. How many tunnels are we considering here?
Here is the reference:
02-12-2019 03:50 PM
We only have 2 active VPN tunnels running. Someone told me DH20 is very CPU intensive and may cause a slowdown on a lower-end ASA like the 5506. Thanks for your help.
02-13-2019 12:14 AM
The X series is the new model, so it is expected to have higher performance.
02-13-2019 08:33 AM
DH (Diffie-Hellman) is only run a couple of times a day (depending on the lifetime timers), and with only 2 tunnels that's probably not going to cause you an issue. I assume you are not currently experiencing performance issues, so I would imagine you will be fine.
This Cisco doc, although it is discussing IOS IKEv2 (I assume this still applies on ASA), recommended DH19 as the preferred DH group when using IKEv2; it's efficient and secure.
HTH