05-09-2019 06:29 AM - edited 05-09-2019 06:39 AM
Hi everyone
At the moment we have performance problems with our IPsec (dynamic crypto map). The IPsec terminates on our ASR 1001-X. During our research we noticed a limitation for IPsec tunnels (https://www.cisco.com/c/en/us/products/collateral/routers/asr-1000-series-aggregation-services-routers/datasheet-c78-731640.html IPsec: 4,000 tunnels). I'm not sure what counts as an IPsec tunnel. We currently have max. 7000 SAs (show crypto ipsec sa count) active. Is an SA equal to an IPsec tunnel? Will you be notified in the log if you reach the limit?
Thank you very much for your help,
Kevin
05-13-2019 01:38 AM - edited 05-13-2019 01:42 AM
Hello Kevin,
you have the appropriate licenses installed. This is good news.
>> So then the ISAKMP counters are crucial for the information about the IPSEC tunnel count?
Yes, there is a single ISAKMP SA for each tunnel (this is bidirectional), so the count of active ISAKMP SAs provides the number of tunnels.
Edit:
If I remember correctly, the ISAKMP SAs in active state are those with state QM_IDLE. Note that before one ISAKMP SA expires, the new ISAKMP SA is started/negotiated. So actually it is not an exact match.
Hope to help
Giuseppe
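As an added example (not from Giuseppe, Kevin or Cisco), here is a small Python check that applies the counting rule above to the output of `show crypto isakmp sa`: it keeps only QM_IDLE/ACTIVE entries, collapses duplicate peer pairs that exist while a rekey is in progress, and compares the result with the 4,000-tunnel datasheet figure from the question. The sample output and peer addresses are constructed, and the column layout (dst, src, state, conn-id, status) is assumed to match the IOS-XE command.

```python
import re
from collections import Counter

# Constructed sample in the layout of `show crypto isakmp sa` (addresses made up;
# the repeated 203.0.113.20 peer mimics a rekey: new SA up before the old expires).
SAMPLE_ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
192.0.2.1       198.51.100.10   QM_IDLE           1001 ACTIVE
192.0.2.1       198.51.100.11   QM_IDLE           1002 ACTIVE
192.0.2.1       203.0.113.20    QM_IDLE           1003 ACTIVE
192.0.2.1       203.0.113.20    QM_IDLE           1087 ACTIVE
192.0.2.1       203.0.113.30    MM_NO_STATE       1088 ACTIVE (deleted)
192.0.2.1       203.0.113.31    MM_SA_SETUP       1089 ACTIVE
"""

# One SA row: dst src state conn-id status [extra text such as "(deleted)"]
ROW = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(ACTIVE|INACTIVE)(.*)$")
TUNNEL_LIMIT = 4000  # datasheet figure quoted in the thread

def parse_isakmp_sa(text):
    """Return (dst, src, state, conn_id, status) for every SA row in the output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # header and title lines fail the numeric conn-id group
            dst, src, state, conn_id, status, extra = m.groups()
            if "(deleted)" in extra:
                status = "DELETED"
            rows.append((dst, src, state, int(conn_id), status))
    return rows

def count_tunnels(text):
    """Count established tunnels: QM_IDLE/ACTIVE SAs, deduplicated per peer pair."""
    established = Counter()
    for dst, src, state, _, status in parse_isakmp_sa(text):
        if state == "QM_IDLE" and status == "ACTIVE":
            established[(dst, src)] += 1
    return {
        "isakmp_sa_active": sum(established.values()),  # raw SA count
        "tunnels": len(established),                    # one per peer pair
        "rekeying_peers": sum(1 for n in established.values() if n > 1),
    }

def check_limit(text, limit=TUNNEL_LIMIT, warn_at=0.9):
    """Attach the platform limit and flag WARN once utilisation reaches warn_at."""
    c = count_tunnels(text)
    c["limit"], c["utilisation"] = limit, c["tunnels"] / limit
    c["status"] = "OK" if c["utilisation"] < warn_at else "WARN"
    return c
```

Feed it the captured command output (for example via SSH or a syslog-triggered job) and alert on the WARN status well before the tunnel count reaches the platform limit.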
05-11-2019 03:58 AM - edited 05-11-2019 04:12 AM
Hello Kevin,
>> Is an SA equal to an ipsec tunnel?
No, actually IPSEC SAs are unidirectional, meaning that at least two IPSEC SAs are set up for each tunnel. Depending on the way the ACLs are configured to define the interesting traffic to be encrypted, the number of SAs per direction can be more than one.
So having 7000 IPSEC SAs does not mean you have 7000 IPSec tunnels in operation.
However, you need to verify the aggregate throughput of all the tunnels as there are limits for this too.
We need to look into the ASR 1000 ordering guide that is here to find more info.
Do you have the following licenses installed (from example 14, secure WAN router)?
FLSASR1-IPSEC
SLASR1-AES Cisco ASR 1000 Advanced Enterprise Services License
If you have both these licenses you should be fine at least from the point of view of licenses.
However, to be able to support a greater aggregate throughput also the following license is listed in the example 14 of the ordering guide:
FLSA1-1X-2.5-20G 2.5G to 20Gbps upgrade License for ASR 1001-X, Built-in 2X10
I think the license above refers to aggregated unencrypted throughput, but it might also improve the encrypted aggregated throughput.
So this last one can make some difference in your case.
Hope to help
Giuseppe
05-13-2019 01:27 AM
Thank you very much for your input!
We installed and activated the FLSASR1-IPSEC/SLASR1-AES/FLSA1-1X-2.5-20G.
@Giuseppe Larosa wrote: Hello Kevin,
>> Is an SA equal to an ipsec tunnel?
No, actually IPSEC SAs are unidirectional, meaning that at least two IPSEC SAs are set up for each tunnel. Depending on the way the ACLs are configured to define the interesting traffic to be encrypted, the number of SAs per direction can be more than one.
So having 7000 IPSEC SAs does not mean you have 7000 IPSec tunnels in operation.
So then the ISAKMP counters are crucial for the information about the IPSEC tunnel count?