11-21-2013 01:35 AM - edited 03-11-2019 08:07 PM
Hello,
We are looking to deploy multi-context IPSec LAN-to-LAN VPNs on ASA 9.x now that the functionality is available, and I'm trying to understand whether there are limitations on the number of tunnels that can be deployed per context. The link below may seem to indicate that there is a limit of 5 "IPSec sessions" per context, but I can't see any reference to such a limitation anywhere else.
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/contexts.html#wp1147166
Does anybody know if there is a hard limit on the number of IPSec connections per context, or is it down to the general capabilities of the hardware (i.e. we're looking initially to deploy on a 5520, so we'd get a throughput capability of 225Mb based on the datasheet, obviously depending on crypto parameters)?
Thanks
11-21-2013 06:40 AM
The limit that the license on the show version indicates.
Value our effort and rate the assistance!
11-21-2013 06:44 AM
Ok, but the document indicates that the maximum number of IPSec sessions per context is 5; what I mean is in general.
By default, the default class provides unlimited access to resources for all contexts, except for the following limits, which are by default set to the maximum allowed per context:
• Telnet sessions—5 sessions.
• SSH sessions—5 sessions.
• IPSec sessions—5 sessions.
Value our effort and rate the assistance!
11-21-2013 06:59 AM
Hello,
Thanks for that. I would just like to confirm what an "IPSec session" is. In "show version" it confirms the possible number of "VPN Peers". Does an IPSec session = a VPN peer?
Also, if the limit of VPNs per context is 5, that sounds very limiting for larger firewalls (i.e. a 5585-X). Even on a 5520, where you can have 750 VPN peers (let's not consider throughput for now) and where it can have 20 contexts, that would mean that in multi-context mode with the full license a 5520 can host only 100 VPN peers, whereas in single-context mode it's 750. That seems like a severe limitation and one that might be very important to understand.
11-21-2013 07:53 AM
I get your point. I think that even that documentation is a bit odd, seeing as it is for 8.2, since VPN site-to-site support in multiple context mode was added in 9.1; let me get to work at TAC and run a couple of questions by my VPN peers.
Multiple Context Mode Features | |
Site-to-Site VPN in multiple context mode | Site- |
Value our effort and rate the assistance!
11-21-2013 08:04 AM
Hey, found the updated document:
http://www.cisco.com/en/US/docs/security/asa/command-reference/l1.html#wp1697181
Ok, this is the real document:
By default, all security contexts have unlimited access to the resources of the ASA, except where maximum limits per context are enforced; the only exception is VPN resources, which are disabled by default. If you find that one or more contexts use too many resources, and they cause other contexts to be denied connections, for example, then you can configure resource management to limit the use of resources per context. For VPN resources, you must configure resource management to allow any VPN tunnels.
Value our effort and rate the assistance!
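To put the accepted answer into practice, here is an added example (not from the original thread or from Cisco's documentation) of the resource-management class one would define in the system execution space so that a context can bring up site-to-site tunnels at all; the class name `vpn-l2l`, the context name `ctx1` and the limit values are assumptions, so check the command reference for your release:

```cisco
! Entered in the system execution space of a multiple-context ASA (9.1 or later).
! By default the VPN resource is 0 for every context, so no tunnel can be
! established in a context until a class grants it some allocation.
class vpn-l2l
  ! Guaranteed number of site-to-site (L2L) tunnels for members of this class
  limit-resource vpn other 100
  ! Extra tunnels a member may use from the unallocated pool when available
  limit-resource vpn burst other 50
!
! Assign the context to the class (ctx1 is an assumed context name)
context ctx1
  member vpn-l2l
!
! Verify the allocation and watch usage as tunnels come up
show resource allocation
show resource usage context ctx1
```

The guaranteed allocations across all contexts are still bounded by the platform's licensed VPN peer count (750 on the 5520, per the thread), so size the classes against "show version" rather than per-context wishes.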
11-21-2013 08:25 AM
Thanks for that. Just so I'm clearly understanding this, can I confirm the following:
Contexts in a multi-context ASA can handle as many IPSec peers as the hardware specifies (750 in the case of the 5520)?
I need to enable resource management in the first place before any contexts can use them?
Thanks,
Ben
11-21-2013 08:54 AM
You got it!!!
Value our effort and rate the assistance!
11-22-2013 12:47 AM
Thanks a lot, that clears it up for me.
06-20-2022 02:19 PM
One issue I have found with multi-context and AnyConnect is that it does not seem to support web download or profile editing; I'm in the process of raising a TAC case.