james.reid
Beginner

Cisco 3900 G2 IPSEC SA Limit

Can anyone provide the actual limit on the number of IPSEC SAs that can be negotiated on the crypto module of a 3900 series G2 router? When I issue the command on a 2900 G2:

show crypto eli

The output shows:

IPSec-Session :     0 active,  3600 max, 0 failed

This implies the 2900 series can handle 1800 IPSEC tunnels with an SA used for each direction.  All of the documentation and support requests have stated that the crypto module is better than the AIM module in the older series routers but I have been unable to get a concrete answer to the limit.

Accepted Solution
xabrouck
Cisco Employee

Hi,

I get this on a 3925:

3925#sh cry eli
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 1

CryptoEngine Onboard VPN details: state = Active
Capability    : IPPCP, DES, 3DES, AES, IPv6, GDOI, FAILCLOSE, HA

IPSec-Session :     0 active,  8000 max, 0 failed

Hope this answers your question.

cheers,
Xavier


21 Replies

Exactly what I was looking for! I am amazed at how difficult this information has been to track down.

Thank you so very much.

Hi,

Please take a look at the following ISR G2 performance white paper for the official supported tunnel scaling numbers on the ISR G2 platforms:

http://www.cisco.com/en/US/partner/prod/collateral/routers/ps10536/white_paper_c11_595485.pdf

Please also note that you simply can't divide the number of IPSec SA's by 2 to get the tunnel numbers. This is because during ipsec rekey, both the old and new tunnels will co-exist for a brief period of time. Also in the case of GETVPN, it's not uncommon to have multiple sets of IPSec SA's for a given ipsec flow during policy changes. Hope this helps.

Thanks,

Wen

Of course real world design and traffic patterns will determine the "actual" number of tunnels that any given device can support but the data provided gave me what I am looking for in the actual, real limit as to how many SAs can be negotiated.

I have seen the SA limit reached on a SAM-V2 in a 7206 G2 (~10,000) and know firsthand  that no more SAs will be negotiated when it reaches the stated hardware limit regardless of the CPU/traffic conditions.

Hi,

I have a question regarding 2911 and its IPSec limits.

Data Sheet shows such limits:

     2911 - 225 SAs (it should be better than the ISR with AIM, and here it doesn't look like it)

     2811 - 1500 SAs

and the command 'sh crypto eli' shows something completely different from what you presented above (unfortunately for the 2911 I don't have this information, but I suppose it shows more SAs).

My question is:

When I start receiving warnings:

%CERM-4-TUNNEL_LIMIT: Maximum tunnel limit of 225 reached for Crypto functionality with securityk9 technology package license

and considering official info from http://www.cisco.com/en/US/prod/collateral/routers/ps10616/white_paper_c11_556985.html

"The Cisco 1941, 2901, and 2911 already have maximum encryption capacities within export limits. The HSEC license requires the universalk9 image and the SEC license pre-installed" (For me, it means I'm not limited by SEC and export limits.)
Is it possible to do more IPSec than 225?
Regards,
Angelika

Angelika,

'show crypto eli' shows 3200 max ipsec-sessions for the 2911 but the CERM feature makes sure you don't go above 225 if you didn't buy the hseck9 license.

hope it helps,

Xavier

HSEC license isn't for 2911, but only for routers above 2921.

According to this:

http://www.cisco.com/en/US/prod/collateral/routers/ps10616/white_paper_c11_556985.html

"HSEC-K9 is available only on the Cisco 2921, Cisco 2951, Cisco 3925, Cisco 3945, Cisco 3925E, and Cisco 3945E".

So how can the ISR G2 2911 be more efficient in the number of IPSec tunnels than its predecessor, the ISR 2811, if I can't get rid of the export limit?

Is a downgrade to 12.4 any solution?

Angelika

Angelika,

You're right, I hadn't noticed that, sorry. And they say "The Cisco 1941, 2901, and 2911 already have maximum encryption capacities within export limits."

There's no 12.4 IOS for the 29xx. I think the only solution is then to use a 2921.

Xavier

But you already said that for the 2911 the command "show crypto eli" shows 3800 SAs. Now you claim that the hardware limit is the same as the export limit - 225 SAs. Do you think I can upload the HSec license and the 2911 will accept it (do you have a chance to check it), or is there no way to get more tunnels from this device?

Thanks for your patience!

Angelika

Angelika,

There's no way, it was enforced to ensure you don't hit bottlenecks in the platform.

sorry,
Xavier

Thanks for the help, I appreciate it; however, there is still no answer as to why the old ISRs are better.

Angelika

Hi all,

I'd like to dig into this subject further because it's quite interesting.

On the same router with the same IOS version, how should all these counters be interpreted?

RO-VPN-2#sh crypto eli
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 1

CryptoEngine Onboard VPN details: state = Active
Capability    : IPPCP, DES, 3DES, AES, IPv6, GDOI, FAILCLOSE, HA

IPSec-Session :   454 active,  3200 max, 0 failed

RO-VPN-2#sh crypto isakmp sa count
Active ISAKMP SA's: 70
Standby ISAKMP SA's: 0
Currently being negotiated ISAKMP SA's: 0
Dead ISAKMP SA's: 5

It seems there are about 70 active ISAKMP SAs but 454 IPsec sessions? And how should this be interpreted with regard to the 225 limitation?

There is no specific info in the command reference guide, so any suggestions?

regards

Przemek

Hi,

The 225 tunnel limitation is a hard limit imposed by the software on the 2911 due to software packaging and licensing design. I suspect the 454 IPSec SAs is a result of that (454 SAs translate to 227 IPSec tunnels with 1 SA inbound and 1 outbound). With IPSec SA dangling mode (as opposed to Continuous Channel Mode, where the IKE and IPSec SAs live and die together), it's very common to see the number of IKE SAs be less than the number of IPSec tunnels. You can also try the command "show crypto ipsec sa count" to see how many of those 454 IPSec SAs are actually active.

Thanks,

Wen
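The relationship between the `show crypto eli` session counter, the `show crypto isakmp sa count` output and the CERM tunnel limit that Wen's two replies describe can be turned into a small capacity check. The following Python script is an added example and is not code from the original thread or from Cisco: it parses the three outputs quoted above (the sample strings are constructed from the text posted in this thread), estimates the tunnel count as active SAs divided by two, flags that estimate as an upper-bound estimate because rekey and GETVPN policy changes leave overlapping SAs, and reports headroom against the hardware maximum and the licensed CERM limit. The `warn_pct` threshold and all function names are the example's own choices.

```python
"""Capacity check for ISR G2 IPsec SA usage (added example, not from the thread)."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample inputs, copied from the outputs posted in this thread.
SAMPLE_ELI = """RO-VPN-2#sh crypto eli
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 1
CryptoEngine Onboard VPN details: state = Active
Capability    : IPPCP, DES, 3DES, AES, IPv6, GDOI, FAILCLOSE, HA
IPSec-Session :   454 active,  3200 max, 0 failed
"""

SAMPLE_ISAKMP = """RO-VPN-2#sh crypto isakmp sa count
Active ISAKMP SA's: 70
Standby ISAKMP SA's: 0
Currently being negotiated ISAKMP SA's: 0
Dead ISAKMP SA's: 5
"""

SAMPLE_SYSLOG = ("%CERM-4-TUNNEL_LIMIT: Maximum tunnel limit of 225 reached for "
                 "Crypto functionality with securityk9 technology package license")

IPSEC_SESSION_RE = re.compile(
    r"IPSec-Session\s*:\s*(\d+)\s+active,\s*(\d+)\s+max,\s*(\d+)\s+failed")
ISAKMP_ACTIVE_RE = re.compile(r"Active ISAKMP SA's:\s*(\d+)")
CERM_LIMIT_RE = re.compile(r"%CERM-4-TUNNEL_LIMIT: Maximum tunnel limit of (\d+) reached")


def parse_crypto_eli(text: str) -> Tuple[int, int, int]:
    """Return (active, max, failed) from the IPSec-Session line of 'show crypto eli'."""
    m = IPSEC_SESSION_RE.search(text)
    if m is None:
        raise ValueError("no IPSec-Session line found in show crypto eli output")
    return int(m.group(1)), int(m.group(2)), int(m.group(3))


def parse_isakmp_count(text: str) -> int:
    """Return the number of active ISAKMP (IKE) SAs from 'show crypto isakmp sa count'."""
    m = ISAKMP_ACTIVE_RE.search(text)
    if m is None:
        raise ValueError("no 'Active ISAKMP SA's' line found")
    return int(m.group(1))


def parse_cerm_limit(line: str) -> Optional[int]:
    """Return the tunnel limit announced by a %CERM-4-TUNNEL_LIMIT syslog line, else None."""
    m = CERM_LIMIT_RE.search(line)
    return int(m.group(1)) if m else None


def assess(eli_text: str, isakmp_text: str, cerm_limit: Optional[int] = None,
           warn_pct: int = 80) -> Dict[str, object]:
    """Combine the three inputs into a capacity report with advisory warnings."""
    active, maximum, failed = parse_crypto_eli(eli_text)
    ike_active = parse_isakmp_count(isakmp_text)
    # One inbound plus one outbound SA per tunnel, so active // 2 approximates the
    # tunnel count. As Wen notes it over-counts during rekey (old and new SAs
    # coexist briefly) and during GETVPN policy changes, so it is only an estimate.
    tunnels_estimate = active // 2
    utilisation = round(100 * active / maximum, 1) if maximum else 0.0
    warnings: List[str] = []
    if failed:
        warnings.append(f"{failed} IPsec session(s) failed; check whether the hardware ceiling was hit")
    if utilisation >= warn_pct:
        warnings.append(f"IPsec SA utilisation {utilisation}% is at or above {warn_pct}% of hardware maximum")
    over_cerm = cerm_limit is not None and tunnels_estimate > cerm_limit
    if over_cerm:
        warnings.append(f"estimated {tunnels_estimate} tunnels exceeds the CERM license limit of {cerm_limit}")
    # Fewer IKE SAs than tunnels is expected with IPsec SA dangling mode, not a fault.
    if ike_active < tunnels_estimate:
        warnings.append("IKE SA count is below the tunnel estimate: normal in IPsec SA dangling mode")
    return {
        "ipsec_sa_active": active,
        "ipsec_sa_max": maximum,
        "ipsec_sa_failed": failed,
        "sa_headroom": maximum - active,
        "sa_utilisation_pct": utilisation,
        "ike_sa_active": ike_active,
        "tunnels_estimate": tunnels_estimate,
        "cerm_limit": cerm_limit,
        "over_cerm_limit": over_cerm,
        "warnings": warnings,
    }


if __name__ == "__main__":
    report = assess(SAMPLE_ELI, SAMPLE_ISAKMP, parse_cerm_limit(SAMPLE_SYSLOG))
    for key, value in report.items():
        print(f"{key:20} {value}")
```

Run against the outputs Przemek posted, the script reports 2746 spare IPsec sessions out of 3200, an estimated 227 tunnels (above the 225 CERM limit, consistent with the syslog message), and notes that 70 IKE SAs against 227 tunnels is what dangling mode looks like rather than a problem. Feeding it the 3925 output from the accepted solution yields 0 active out of 8000 and no warnings.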

Hi wzhanq,

Thanks for the reply. These things are getting more complicated than I thought.

The 454 value of IPSEC SAs is of course connected with specific flows (ACEs in the crypto ACL), so that explains one thing, but ....

Actually I've started receiving this log

%CERM-4-TUNNEL_LIMIT: Maximum tunnel limit of 225 reached for Crypto functionality with securityk9 technology package license.

after creating about 100 crypto tunnels.

Right now I'm really confused about this limitation: is it regarding IPSEC SAs, or one "generic" tunnel to the other side?

As I remember, all the docs show that it should be regarding SAs.

If someone could clarify it I'd be grateful.

thx

Przemek