Solved: Firepower 2140 Appliance internet bandwidth calculation when concurrent VPN session will go 5000

anilkumar.cisco · ‎03-10-2020

Hello Team,

the customer internet link is terminated to FTD 2140.. and currently peak utilization is around 1 GB.. but i don't know the concurrent VNP connection during the peak utilization time...

Just want your help to size the internet bandwidth.. if its concurrent VPN connection can go to 5000.. as current box can support upto 10000 concurrent VPN session..

below is the concurrent session detail.. but that is also not at the peak utilisation time..

sh vpn-sessiondb summary

---------------------------------------------------------------------------

VPN Session Summary

---------------------------------------------------------------------------

Active : Cumulative : Peak Concur : Inactive

----------------------------------------------

AnyConnect Client : 264 : 40749 : 342 : 0

SSL/TLS/DTLS : 264 : 40749 : 342 : 0

Clientless VPN : 0 : 1 : 1

Browser : 0 : 1 : 1

---------------------------------------------------------------------------

Total Active and Inactive : 264 Total Cumulative : 40750

Device Total VPN Capacity : 10000

Device Load : 3%

Kindly advise.

Thanks & Regards

Anil Singh

anilkumar.cisco · ‎03-11-2020

Hello Cristian Matei,

Thanks.. May I know for Which logs you are talking about.. "1 week on the logs"

View solution in original post

Cristian Matei · ‎03-16-2020

Hi,

Configure RADIUS accounting, and you'll get statistics on consumed BW per session/user, as this is what you're interested.

https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/firepower_threat_defense_remote_access_vpns.html#task_zsy_rj2_jfb

Regards,

Cristian Matei.

View solution in original post

KeithCopeland · ‎03-11-2020

I am not aware if you can pull that information directly from the CLI but I would be looking at logging out to a syslog server with a good reporting front end or some similar solution.

anilkumar.cisco · ‎03-11-2020

Hello KeithCopeland,

thanks for your reply..

which reporting tool/solution you are referring for..

Actually this sizing I am doing it to for BCP .. for disaster.. in case all user need to work from home.. and when they will connect to corporate network via VPN..

Cristian Matei · ‎03-11-2020

Hi,

Do some kind of netflow statistics upstream from your FTD boxe and see how much SSL/ESP traffic is going in/out of FTD (with source/destination being FTD, as you don't want to include other SSL/HTTPS traffic, you just need a measure of your VPN traffic) on a daily/hourly basis.

Regards,

Cristian Matei.

balaji.bandi · ‎03-11-2020

Just want your help to size the internet bandwidth.. if its concurrent VPN connection can go to 5000.. as current box can support upto 10000 concurrent VPN session..

BB - requirement bandwidth based on the application and business requirement, this will required some analysis.

- if it is only email and basic office stuff, some time 1GB is good enough.

- some of the application required massive bandwidth, so this will be pure based on business sector.

- all the application may not run over VPN, like thick clients.

Suggestion - role out the users to connect and keep monitor the application utilization, if you have any net flow options configured.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

anilkumar.cisco · ‎03-11-2020

Hello BB,

thanks for your reply..

so what I understood is that.. 1 GB internet is sufficient for 5000 VPN users?? is it correct

In our office environment , we have Microsoft Team, apart from Outlook and other stuff.

Is it possible.. I can take down bandwidth utilization of VPN user from syslog server and multiply it with 5000 no;s in order to come on rough estimate.. or should I divide the total VPN user divided by current internet bandwidth utilization then multiply by 5000 no to come on rough estimation ??

Kindly advise..

thanks..

Cristian Matei · ‎03-11-2020

Hi,

In order not to run into too many advanced technical stuff, which may not be needed, do the following. Look over a period of 1 week on the logs, see how much BW did your top user consume (per second) and multiply it by 5000, see where it goes. This is if you prepare for all 5000 users being connected at the same time. it should be more than enough. The F2140 is gonna have no issues with the throughput.

Regards,

Cristian Matei.

anilkumar.cisco · ‎03-11-2020

Hello Cristian Matei,

Thanks.. May I know for Which logs you are talking about.. "1 week on the logs"

Cristian Matei · ‎03-16-2020

Hi,

Configure RADIUS accounting, and you'll get statistics on consumed BW per session/user, as this is what you're interested.

https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/firepower_threat_defense_remote_access_vpns.html#task_zsy_rj2_jfb

Regards,

Cristian Matei.