Showing results for 
Search instead for 
Did you mean: 

WRV200 VPN Pass-through limits


We use a Cisco Small Business WRV200 to allow guests at our office to access the public internet independently from our Corporate network environment. We regularly have multiple guests visit from one company and generally these users connect back to their company via a local VPN client. I have noticed that once approximately 5 users successfully activate their VPN clients that no other users can connect to any other VPN tunnels. Internet connectivity is still fully functional when these 5 tunnels are active, but no other users can create a VPN tunnel after this point. Again these are all outbound or pass-through tunnels from behind the WRV200 in a single NAT environment. Is there a limit on outbound or pass-through vpn connections from behind this device and if so can it be changed? I was hoping for a firmware resolution to this problem, but it appears there is only one firmware release for this device. If this device indeed does have an unchangeable limit, then can someone suggest another Cisco Small Business Wireless product that has no pass-through limit?


1 Accepted Solution

Accepted Solutions

If NAT-T is enabled on both clients and VPN gateways, there should be no problems. Otherwise, if two IPsec clients behind WRV200 are trying to connect to the same remote gateway without NAT-T enabled, the 2 IPsec sessions could clash with each other.

View solution in original post

8 Replies 8

David Carr
Frequent Contributor
Frequent Contributor

After reading your post, it seems as if it might be a bandwidth issue.  What type of client utility are your clients using to connect to their corporate office.  Is the wrv200 at your corporate office or are you just connecting from that router to another router at your corporate office?

Guests have used various clients to connect but the two most popular are either a Cisco VPN client or a SonicWall VPN client. Either client seems to be limited to 5 active VPN connections. The WRV200 is directly connected to our "external" switch which is fed by a 15Mb Internet pipe via a Cisco 3845 Router with a T3 card. The 3845 is simply a termination point for the T3 and does no other internal routing. The WRV200 is completely independent of our Corporate LAN environment and is given its own public IP from our ISP provided subnet, thus forming a separate, private LAN. As stated earlier Internet traffic and Internet speeds are fine...only issue is the limit on active VPN tunnels. I have also had guest users connect via wireless and wired to the WRV200, but neither connection type seems to make a difference in the active VPN limitation.

David Carr
Frequent Contributor
Frequent Contributor

This is all i have from the cisco web site. It states that the router will support Ten IP Security (IPsec) QuickVPN tunnels with a throughput of 30 Mbps give your mobile workers a secure and easy-to-use way to stay connected. As an essential element of your business, this product provides security functions for authentication, encryption, and firewall.  You have 15 mb from your on your router.  That is half of the maximum bandwidth that the router will support with vpn clients.  That seems to be the reason why you can only get 5 connected to the router.

The link to the wrv200 data sheet is this

Hope this helps.

After reading through your reply and the spec sheet it appears to me that this only applies to INCOMING connections from "mobile workers" which would be creating a VPN tunnel directly back to the WRV200 from the public Internet cloud. I guess it doesn't make sense to me that the device would be limiting outbound VPN connections. I have to strongly disagree that it is a bandwidth issue because we have as many as twenty VPN tunnels and sometimes more running on this 15Mb Internet connection without any issue.

I greatly appeciate the input!

What IPsec clients are being used?

Are they trying to connect to the same remote gateway from the LAN of WRV200?

Is the NAT-Traversal enabled on the IPSec client?

What model is the remote VPN gateway?

IPSec clients are generally either Cisco or SonicWall...

When this problem occurs all users on the LAN of the WRV200 are trying to connect to their home office, so yes the remote gateway address would be the same for all outbound VPN tunnels...

To the best of my knowledge NAT-Traversal is enabled on clients, but that is not 100% certainity

Model of the Remote Gateway is unknown and could possibly vary from user to user...

If NAT-T is enabled on both clients and VPN gateways, there should be no problems. Otherwise, if two IPsec clients behind WRV200 are trying to connect to the same remote gateway without NAT-T enabled, the 2 IPsec sessions could clash with each other.

Interesting...I will look into that....thanks!

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: