Multi Context VPN Resource Management

Our shop does not utilize many AnyConnect sessions or S2S VPN tunnels. However, we do have an ASA running in Multi Context mode that we will be utilizing for these 2 functions. My question is pretty basic, in that I know by default VPN resources are disabled, and require a resource class to be set up. We have 20K AnyConnect Peers and 20K VPN Other (S2S) licenses available. We will be creating 5 different contexts for our various S2S and AnyConnect functions. Some will be used for S2S and some for AnyConnect. Should I create one big resource class and make each context a member, or break it up into AnyConnect and S2S resource classes? If I create one big class, will each context basically share the resources of that class? Do the classes have to divide up the resources to the total of licenses?

 

When I say we don't utilize these services much, I mean we won't even be touching 100-200 AnyConnect sessions or S2S tunnels across all contexts combined, much less 20K.

 

Thanks

1 ACCEPTED SOLUTION


Re: Multi Context VPN Resource Management

Found my answer for the most part. Basically, you just can't exceed the appliance limitation or license limit when you allocate a resource class to a context. So if you are licensed for 5000 AnyConnect peers and create class anyconnect with a limit of 2500, you can only apply that to 2 contexts. VPN bursts can be used for oversubscription and sharing between contexts, but not AnyConnect or VPN other resources.

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/ha-contexts.html#ID-2171-000001d3
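An illustration of the allocation rule from the accepted answer, added here and not part of the original thread: two resource classes in the system execution space, split by function. The class names, context names and session counts are assumptions, sized for the 100-200 sessions mentioned in the question.

```text
! System execution space. Class names, context names and counts are
! constructed for illustration.
!
! Remote-access contexts: guaranteed AnyConnect sessions plus a burst allowance.
class vpn-ra
  limit-resource vpn anyconnect 50
  limit-resource vpn burst anyconnect 25
!
! Site-to-site contexts: guaranteed "VPN other" sessions plus a burst allowance.
class vpn-s2s
  limit-resource vpn other 50
  limit-resource vpn burst other 25
!
! A context belongs to one class. Limits not set in its class come from the
! default class. Other context settings (interfaces, config-url) are omitted.
context ra-1
  member vpn-ra
context ra-2
  member vpn-ra
context ra-3
  member vpn-ra
context s2s-1
  member vpn-s2s
context s2s-2
  member vpn-s2s
!
! Guaranteed totals: 3 x 50 = 150 AnyConnect and 2 x 50 = 100 VPN other.
! Both are far below the 20K licenses from the question, so every member fits.
! The same class with a limit of 5000 could be applied to at most 4 contexts.
```

Running `show resource allocation` in the system execution space reports how much of each resource the classes have committed in total.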
