11-17-2010 09:08 AM - edited 03-04-2019 10:29 AM
Can anyone provide the actual limit on the number of IPSEC SAs that can be negotiated on the crypto module of a 3900 series G2 router? When I issue the command on a 2900 G2:
show crypto eli
The output shows:
IPSec-Session : 0 active, 3600 max, 0 failed
This implies the 2900 series can handle 1800 IPSEC tunnels with an SA used for each direction. All of the documentation and support requests have stated that the crypto module is better than the AIM module in the older series routers but I have been unable to get a concrete answer to the limit.
11-18-2010 06:32 AM
Hi,
I get this on a 3925:
3925#sh cry eli
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 1
CryptoEngine Onboard VPN details: state = Active
Capability : IPPCP, DES, 3DES, AES, IPv6, GDOI, FAILCLOSE, HA
IPSec-Session : 0 active, 8000 max, 0 failed
Hope this answers your question.
cheers,
Xavier
11-18-2010 07:10 AM
Exactly what I was looking for! I am amazed at how difficult this information has been to track down.
Thank you so very much.
11-18-2010 08:10 AM
Hi,
Please take a look at the following ISR G2 performance white paper for the official supported tunnel scaling numbers on the ISR G2 platforms:
http://www.cisco.com/en/US/partner/prod/collateral/routers/ps10536/white_paper_c11_595485.pdf
Please also note that you simply can't divide the number of IPSec SA's by 2 to get the tunnel numbers. This is because during ipsec rekey, both the old and new tunnels will co-exist for a brief period of time. Also in the case of GETVPN, it's not uncommon to have multiple sets of IPSec SA's for a given ipsec flow during policy changes. Hope this helps.
Thanks,
Wen
11-18-2010 08:37 AM
Of course real world design and traffic patterns will determine the "actual" number of tunnels that any given device can support but the data provided gave me what I am looking for in the actual, real limit as to how many SAs can be negotiated.
I have seen the SA limit reached on a SAM-V2 in a 7206 G2 (~10,000) and know firsthand that no more SAs will be negotiated when it reaches the stated hardware limit regardless of the CPU/traffic conditions.
12-15-2010 02:16 AM
Hi,
I have a question regarding 2911 and its IPSec limits.
Data Sheet shows such limits:
2911 - 225 SAs (it should be better than the ISR with AIM, and here it doesn't look like it)
2811 - 1500 SAs
and the command 'sh crypto eli' shows something completely different from what you presented above (unfortunately for the 2911 I don't have this information, but I suppose it shows more SAs).
My question is:
When I start receiving warnings:
%CERM-4-TUNNEL_LIMIT: Maximum tunnel limit of 225 reached for Crypto functionality with securityk9 technology package license
and considering official info from http://www.cisco.com/en/US/prod/collateral/routers/ps10616/white_paper_c11_556985.html
12-15-2010 05:59 AM
Angelika,
'show crypto eli' shows 3200 max ipsec-sessions for the 2911 but the CERM feature makes sure you don't go above 225 if you didn't buy the hseck9 license.
hope it helps,
Xavier
12-15-2010 06:13 AM
HSEC license isn't for 2911, but only for routers above 2921.
According to this:
http://www.cisco.com/en/US/prod/collateral/routers/ps10616/white_paper_c11_556985.html
"HSEC-K9 is available only on the Cisco 2921, Cisco 2951, Cisco 3925, Cisco 3945, Cisco 3925E, and Cisco 3945E".
So how can the ISR G2 2911 be more efficient in number of IPSec tunnels than its predecessor, the ISR 2811, if I can't get rid of the export limit?
Is downgrade to 12.4 any solution?
Angelika
12-15-2010 06:19 AM
Angelika,
You're right, I hadn't noticed that, sorry. And they say "The Cisco 1941, 2901, and 2911 already have maximum encryption capacities within export limits."
There's no 12.4 IOS for the 29xx. I think the only solution is then to use a 2921.
Xavier
12-15-2010 06:38 AM
But you already said that for the 2911 the command "show crypto eli" shows 3800 SAs. Now you claim that the hardware limit is the same as the export limit - 225 SAs. Do you think I can upload the HSec license and the 2911 will accept it (do you have a chance to check it), or is there no way to get more tunnels from this device?
Thanks for your patience!
Angelika
12-15-2010 07:16 AM
Angelika,
There's no way, it was enforced to ensure you don't hit bottlenecks in the platform.
sorry,
Xavier
12-15-2010 07:24 AM
Thanks for the help, I appreciate it; however, there is still no answer to why the old ISRs are better.
Angelika
12-16-2010 02:56 AM
Hi all,
I'd like to dig into this subject further because it's quite interesting.
On the same router with the same IOS version, how should all these counters be interpreted?
RO-VPN-2#sh crypto eli
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 1
CryptoEngine Onboard VPN details: state = Active
Capability : IPPCP, DES, 3DES, AES, IPv6, GDOI, FAILCLOSE, HA
IPSec-Session : 454 active, 3200 max, 0 failed
RO-VPN-2#sh crypto isakmp sa count
Active ISAKMP SA's: 70
Standby ISAKMP SA's: 0
Currently being negotiated ISAKMP SA's: 0
Dead ISAKMP SA's: 5
It seems there are about 70 active ISAKMP SAs but 454 IPsec sessions? And how should this be interpreted regarding the 225 limitation?
There is no specific info in command reference guide so any suggestions?
regards
Przemek
12-17-2010 06:16 AM
Hi,
The 225 tunnel limitation is a hard limit imposed by the software on the 2911 due to software packaging and licensing design. I suspect the 454 IPSec SAs is a result of that (454 SAs translate to 227 IPSec tunnels with 1 SA inbound and 1 outbound). With IPSec SA dangling mode (as opposed to Continuous Channel Mode, where the IKE and IPSec SAs live and die together), it's very common to see the number of IKE SAs be less than the number of IPSec tunnels. You can also try the command "show crypto ipsec sa count" to see how many of those 454 IPSec SAs are actually active.
Thanks,
Wen
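To make the relationship between these counters concrete, here is an added example (not code from any poster in this thread or from Cisco) that parses the 'show crypto eli' and 'show crypto isakmp sa count' output in the format quoted above, plus one 'show crypto ipsec sa count' line whose layout is an assumption about the command Wen mentions. It reports the crypto-engine headroom, the upper bound on protected flows obtained by halving the active SA count (which over-counts during rekey, as Wen's earlier post on dividing by two explains, so SAs in the rekeying state are subtracted for a closer estimate), the ratio of flows to IKE SAs, and a warning when the flow count approaches a licensed tunnel limit you pass in. All sample output below is constructed for the example.

```python
import re

# Constructed sample output, modelled on the lines quoted in this thread.
# Not captured from a real router. The 'show crypto ipsec sa count' layout
# below is an assumption about that command's format.
SHOW_CRYPTO_ELI = """\
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 1
CryptoEngine Onboard VPN details: state = Active
Capability   : IPPCP, DES, 3DES, AES, IPv6, GDOI, FAILCLOSE, HA
IPSec-Session :   454 active,  3200 max, 0 failed
"""

SHOW_ISAKMP_SA_COUNT = """\
Active ISAKMP SA's: 70
Standby ISAKMP SA's: 0
Currently being negotiated ISAKMP SA's: 0
Dead ISAKMP SA's: 5
"""

SHOW_IPSEC_SA_COUNT = "IPsec SA total: 454, active: 440, rekeying: 14, unused: 0, invalid: 0\n"

ELI_RE = re.compile(
    r"IPSec-Session\s*:\s*(\d+)\s+active,\s*(\d+)\s+max,\s*(\d+)\s+failed")
ISAKMP_RE = re.compile(
    r"^(Active|Standby|Currently being negotiated|Dead) ISAKMP SA's:\s*(\d+)", re.M)
COUNT_RE = re.compile(r"(\w+):\s*(\d+)")


def parse_crypto_eli(text):
    """Return active/max/failed IPsec sessions from 'show crypto eli' output."""
    m = ELI_RE.search(text)
    if m is None:
        raise ValueError("no IPSec-Session line found in 'show crypto eli' output")
    return {"active": int(m.group(1)), "max": int(m.group(2)), "failed": int(m.group(3))}


def parse_isakmp_sa_count(text):
    """Return {'active': n, 'standby': n, ...} from 'show crypto isakmp sa count'."""
    return {state.lower(): int(n) for state, n in ISAKMP_RE.findall(text)}


def parse_ipsec_sa_count(text):
    """Return {'total': n, 'active': n, 'rekeying': n, ...} (assumed format)."""
    return {key.lower(): int(n) for key, n in COUNT_RE.findall(text)}


def assess_capacity(eli, isakmp, ipsec=None, licensed_tunnel_limit=None, warn_fraction=0.8):
    """Derive tunnel-oriented numbers and warnings from the raw SA counters.

    One protected flow (a crypto-ACL entry towards one peer) holds one inbound
    and one outbound IPsec SA, so active/2 is an upper bound on the number of
    flows. While a flow rekeys the old and new pair coexist, so SAs in the
    'rekeying' state are subtracted before halving to get a closer estimate.
    """
    active, maximum, failed = eli["active"], eli["max"], eli["failed"]
    rekeying = ipsec.get("rekeying", 0) if ipsec else 0
    ike_active = isakmp.get("active", 0)
    flows_upper = active // 2
    flows_est = max(active - rekeying, 0) // 2

    warnings = []
    if failed:
        warnings.append(f"{failed} IPsec session(s) failed on the crypto engine")
    if active >= warn_fraction * maximum:
        warnings.append(f"crypto engine at {active}/{maximum} IPsec sessions")
    if licensed_tunnel_limit is not None and flows_upper >= warn_fraction * licensed_tunnel_limit:
        pct = round(100 * flows_upper / licensed_tunnel_limit)
        warnings.append(f"flow upper bound {flows_upper} is at {pct}% of the licensed "
                        f"tunnel limit {licensed_tunnel_limit}; expect %CERM-4-TUNNEL_LIMIT")

    return {
        "sa_active": active,
        "sa_max": maximum,
        "sa_headroom": maximum - active,
        "engine_utilisation": round(active / maximum, 3),
        "flows_upper_bound": flows_upper,
        "flows_estimate": flows_est,
        "ike_sas_active": ike_active,
        # In dangling mode many IPsec SA pairs can hang off one IKE SA, so this
        # ratio is normally well above 1 (Wen's point above).
        "flows_per_ike_sa": round(flows_upper / ike_active, 1) if ike_active else None,
        "warnings": warnings,
    }


if __name__ == "__main__":
    report = assess_capacity(
        parse_crypto_eli(SHOW_CRYPTO_ELI),
        parse_isakmp_sa_count(SHOW_ISAKMP_SA_COUNT),
        parse_ipsec_sa_count(SHOW_IPSEC_SA_COUNT),
        licensed_tunnel_limit=225,  # assumed: the securityk9 cap quoted in the CERM log
    )
    for key, value in report.items():
        print(f"{key:20} {value}")
```

Feed it the three outputs captured from the router (for example via a script that logs in and runs the commands) and the licensed limit from your CERM log message; the engine's `max` value tells you the hardware ceiling, while the flow estimate is what to compare against the license cap. Treat the flow numbers as estimates: GETVPN policy changes, rekey overlap and per-ACE flows all move the SA count independently of how many peers you have.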
12-17-2010 07:19 AM
Hi wzhanq,
Thanks for the reply. These things are getting more complicated than I thought.
The 454 IPSEC SAs are of course connected with specific flows (ACEs in the crypto ACL), so that explains one thing, but ....
Actually I've started receiving this log
%CERM-4-TUNNEL_LIMIT: Maximum tunnel limit of 225 reached for Crypto functionality with securityk9 technology package license.
after creating about 100 crypto tunnels.
Right now I'm really confused about this limitation: is it regarding IPSEC SAs, or one "generic" tunnel to the other side?
As I remember all docs shows that it should be regarding SAs.
If someone could clarify it I'd be grateful
Thanks
Przemek