Cisco 3900 G2 IPSEC SA Limit

james.reid
Level 1
Level 1

Can anyone provide the actual limit on the number of IPSEC SAs that can be negotiated on the crypto module of a 3900 series G2 router? When I issue the command on a 2900 G2:

show crypto eli

The output shows:

IPSec-Session :     0 active,  3600 max, 0 failed

This implies the 2900 series can handle 1800 IPSEC tunnels with an SA used for each direction.  All of the documentation and support requests have stated that the crypto module is better than the AIM module in the older series routers but I have been unable to get a concrete answer to the limit.

21 Replies

Hi,

Yes, the number of SAs roughly maps to the number of ACEs in the crypto ACL, but not always. E.g., there will be an overlap between the old and new pair of SAs during an IPSec rekey, i.e., 4 SAs for a given bidirectional flow. When you created these 100 tunnels, what do "show crypto eli" and "show crypto ipsec sa count" show?

Thanks,

Wen

Hi wzhanq,

This is the output of show crypto eli (as in the previous post):

RO-VPN-2#sh crypto eli

Hardware Encryption : ACTIVE

Number of hardware crypto engines = 1

CryptoEngine Onboard VPN details: state = Active

Capability    : IPPCP, DES, 3DES, AES, IPv6, GDOI, FAILCLOSE, HA

IPSec-Session :   454 active,  3200 max, 0 failed

RO-VPN-2#sh crypto isakmp sa count

Active ISAKMP SA's: 70

Standby ISAKMP SA's: 0

Currently being negotiated ISAKMP SA's: 0

Dead ISAKMP SA's: 5

When I started receiving this log I assumed that the 225 limitation was regarding one SA, but now, as I said, I'm confused.

regards

Hi,

Could you clarify exactly what you meant by "100 crypto tunnels"? Are these tunnels to 100 unique crypto peer devices, with each peer having one tunnel (1 protected IP flow), or something else? Based on your output, you only have 70 IKE SAs. If we can assume this is the snapshot captured immediately after you established 100 tunnels, then that implies you only have 70 peer devices; is that correct? How many protected IP flows (IPsec proxies) are there for these 70 peers? Also, the "show crypto ipsec sa count" output (not included in your post) would give you a rough idea of how many of the IPSec SAs are active, and whether they match the number of tunnels you expect to see.

Thanks,

Wen

hi wzhanq,

I apologise for misleading you in the first place, because this is the customer's device and I can't run these commands directly.

Firstly, there were 2 routers in an HSRP configuration and the log showed up on the active one.

As I discussed with the administrator, there were something like 110 peers (with many protected flows in the IPsec SAs).

The current outputs were taken after disconnecting both routers, which he did so he could add new peers above the 110 value.

It seems that the 225 limitation must be divided by 2, and we've got 110 IKE SAs, which gives us 110 peers.

If you could just confirm that, I'd be grateful.

regards

Przemek

It seems that I wasn't right.

This output is from my router, where there are 3 peers and each one has one IPsec flow (one entry in the crypto ACL):

R4620BBIA#show crypt ipsec sa count

IPsec SA total: 6, active: 5, rekeying: 0, unused: 1, invalid: 0

R4620BBIA#show plat cer

Crypto Export Restrictions Manager(CERM) Information:

CERM functionality: ENABLED

----------------------------------------------------------------

Resource                       Maximum Limit           Available

----------------------------------------------------------------

Tx Bandwidth(in kbps)          85000                   85000

Rx Bandwidth(in kbps)          85000                   85000

Number of tunnels              225                     222

Number of TLS sessions         1000                    1000

Resource reservation information:

D - Dynamic

-----------------------------------------------------------------------

Client         Tx Bandwidth    Rx Bandwidth    Tunnels    TLS Sessions

                 (in kbps)       (in kbps)

-----------------------------------------------------------------------

VOICE           0               0                0         0

IPSEC           D               D                3         N/A

SSLVPN          D               D                0         N/A

Statistics information:

Failed tunnels     : 0

Failed sessions    : 0

Failed tx bandwidth: 0

Failed rx bandwidth: 0

Failed encrypt pkts: 0

Failed decrypt pkts: 0

Failed encrypt pkt bytes: 0

Failed decrypt pkt bytes: 0

Passed encrypt pkts: 18711960

Passed decrypt pkts: 21674709

Passed encrypt pkt bytes: 3791231600

Passed decrypt pkt bytes: 8631985836

In that case I don't understand why the customer received the log when he had 100 peers. I can't confirm it because, as I mentioned earlier, these routers are disconnected from HSRP and I don't have access to them.

regards

Hi,

What you see here is expected. The number of IKE SAs corresponds to the number of peer devices. But you need to keep in mind that Cisco implements SA dangling mode (as opposed to Continuous Channel Mode), such that IKE SAs may not exist due to lifetime expiry even though the IPSec tunnel is still active. The number of IPSec SAs corresponds to the number of protected IP flows; in a site-to-site configuration, each flow will consist of 2 IPSec SAs, one inbound and one outbound. With the 225 tunnel limitation on the G2 platforms, each tunnel is considered to have 2 SAs, with the following exceptions: 1) during an IPSec rekey, a tunnel may consist of both the old and new SA pair, i.e., 4 SAs; 2) tunnels with no encryption (ESP-NULL) or weak encryption (ESP-DES) are not counted towards the 225 tunnel limit.

With your customer's problem, it's rather difficult to say what the problem is, or if it's a problem at all, without any more specific information. If you believe it is a problem, then I would suggest you open a TAC case to have it investigated.

Thanks,

Wen
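As an added example (not code from the thread, from Cisco, or from any poster), the following script parses the three outputs quoted above, `show crypto eli`, `show platform cerm` and `show crypto ipsec sa count`, and applies the SA accounting Wen describes: 2 IPsec SAs per site-to-site flow in steady state, 4 while a flow is mid-rekey. It turns the raw counters into a tunnel-usage estimate against the 225 CERM limit so a monitoring job can flag a router before it starts refusing new peers. The sample output strings are constructed to mirror the lines posted in the thread; the 80% warning threshold is an assumption chosen for illustration. Per the thread, ESP-NULL and ESP-DES tunnels are exempt from the limit, which none of these outputs reveals, so the CERM "Available" column, not the SA count, remains the authoritative headroom figure.

```python
"""Estimate ISR G2 IPsec tunnel headroom from 'show' output.

Added example for this thread; not Cisco's code. The sample outputs
below are constructed to mirror the lines posted in the discussion.
"""
import math
import re

# Constructed sample: 'show crypto eli' (mirrors the RO-VPN-2 output above).
SHOW_CRYPTO_ELI = """\
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 1
CryptoEngine Onboard VPN details: state = Active
Capability    : IPPCP, DES, 3DES, AES, IPv6, GDOI, FAILCLOSE, HA
IPSec-Session :   454 active,  3200 max, 0 failed
"""

# Constructed sample: resource table of 'show platform cerm'.
SHOW_PLATFORM_CERM = """\
Crypto Export Restrictions Manager(CERM) Information:
CERM functionality: ENABLED
----------------------------------------------------------------
Resource                       Maximum Limit           Available
----------------------------------------------------------------
Tx Bandwidth(in kbps)          85000                   85000
Rx Bandwidth(in kbps)          85000                   85000
Number of tunnels              225                     222
Number of TLS sessions         1000                    1000
"""

# Constructed sample: 'show crypto ipsec sa count' (3 peers, 1 flow each).
SHOW_IPSEC_SA_COUNT = (
    "IPsec SA total: 6, active: 5, rekeying: 0, unused: 1, invalid: 0"
)

# Assumed alerting threshold; tune to the change window you need.
WARN_FRACTION = 0.8


def parse_eli(text):
    """Return (active, max, failed) from the IPSec-Session line."""
    m = re.search(
        r"IPSec-Session\s*:\s*(\d+) active,\s*(\d+) max,\s*(\d+) failed", text
    )
    if not m:
        raise ValueError("IPSec-Session line not found in 'show crypto eli'")
    return tuple(int(x) for x in m.groups())


def parse_cerm(text):
    """Return {resource: (maximum, available)} from the CERM resource table."""
    limits = {}
    for line in text.splitlines():
        # Resource name, then two integer columns separated by runs of spaces.
        m = re.match(r"^(.*?\S)\s{2,}(\d+)\s+(\d+)\s*$", line)
        if m:
            limits[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    if "Number of tunnels" not in limits:
        raise ValueError("'Number of tunnels' row not found in CERM output")
    return limits


def parse_sa_count(text):
    """Return the five counters from 'show crypto ipsec sa count'."""
    m = re.search(
        r"IPsec SA total: (\d+), active: (\d+), rekeying: (\d+), "
        r"unused: (\d+), invalid: (\d+)",
        text,
    )
    if not m:
        raise ValueError("IPsec SA count line not found")
    keys = ("total", "active", "rekeying", "unused", "invalid")
    return dict(zip(keys, (int(x) for x in m.groups())))


def tunnel_estimate(sa_counts):
    """Bound the number of tunnels implied by the active IPsec SA count.

    Steady-state site-to-site flow: 2 SAs (inbound + outbound).
    Flow mid-rekey: old and new pair overlap, so 4 SAs.
    Lower bound assumes every flow is rekeying; upper bound assumes none is.
    """
    active = sa_counts["active"]
    return (math.ceil(active / 4), math.ceil(active / 2))


def headroom(cerm, warn_fraction=WARN_FRACTION):
    """Report tunnel usage against the CERM limit and whether to warn."""
    maximum, available = cerm["Number of tunnels"]
    used = maximum - available
    utilization = used / maximum
    return {
        "used": used,
        "maximum": maximum,
        "utilization": utilization,
        "warn": utilization >= warn_fraction,
    }


if __name__ == "__main__":
    active, limit, failed = parse_eli(SHOW_CRYPTO_ELI)
    print(f"crypto engine: {active}/{limit} IPsec sessions, {failed} failed")
    est = tunnel_estimate(parse_sa_count(SHOW_IPSEC_SA_COUNT))
    print(f"tunnels implied by SA count: between {est[0]} and {est[1]}")
    print(headroom(parse_cerm(SHOW_PLATFORM_CERM)))
```

Run against live output by replacing the three sample strings with captures from the router (for example, via a scheduled SSH collector). The engine's IPSec-Session maximum (3200 here) is far above the 225 CERM tunnel limit, which is why this script keys its warning on the CERM table rather than on `show crypto eli`.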

Hi,

I'm also getting confused.

Does the IPSec tunnel limit shown in datasheets for the ISR G2 or other devices indicate:

- a single SA

- two SAs (which are created within an IPSec flow and correspond to an ACL entry)

- or something else?

Thanks in advance

Angelika
