additional subnet to dynamic VPN assigned to wrong port

troymoretti
Level 1

I have added a new subnet to a remote dynamic VPN on a Cisco 800 series router so it can access a new server on the core network.

There are 3 other subnets on this VPN which all work and operate over port 4500 with their associated SAs.

The new subnet seems to be getting assigned to port 500 (which is normally used by static VPNs) while the existing subnets are still assigned to port 4500.

Because dynamic VPNs require interesting traffic to generate SAs I started a continuous ping from a PC on the remote site and then rebooted the router (after I had previously done a "no crypto map/crypto map VPN" on the WAN interface).

No matter what I do I don't seem to be able to get the new subnet to operate via port 4500 like the other 3 subnets.

I do have a dynamic VPN operating behind a Fortinet firewall overseas which IS working correctly with the additional subnet but I have 10 other dynamic VPNs that will not bring the new subnet up under the correct 4500 port.

I hope this is not a bug, the Cisco 881 is running c880data-universalk9-mz.151-4.M1.bin.

Another 881 is running c880data-universalk9-mz.151-4.M4.bin and has the same problem.

I tried generating traffic to the new subnet from a PC on the remote LAN and then rebooted the router to see if interesting traffic might trigger the correct response from the router when building the SAs for the existing and new subnets, but still no good: the new subnet came up under port 500 and the other subnets came up under 4500; they work, the new subnet does not.

6 Replies

Philip D'Ath
VIP Alumni

"Subnets" are not bound to a port, such as 500 or 4500. The port used is determined when negotiating the SA, but has nothing to do with the encrypted subnet.

The Cisco 881 will happily have multiple subnets in its encryption domain.

I would double check your NAT and crypto configuration.

Thanks for the reply and I understand the binding of subnets, but what seemed strange to me was that when setting up a dynamic VPN I expected all the mappings to be under port 4500.

What I find to be happening is that the 2911 router I'm using seems to have maxed out on the number of VPNs it supports and is doing a round robin when a request for an SA comes in, by shutting down another SA from another mapping somewhere else on the network.

I confirmed this by deleting two particular mappings from the 4G VPN routers which were for monitoring and the SAs on other VPNs which would not come up suddenly started working and the more I reduced the monitoring mappings from the dynamic VPNs the more stable the network became.

It seems that when the router reached its max VPN capacity it didn't send a warning; it just let me continue to create more VPNs and kept paging the SAs for dynamic VPNs in and out as they re-negotiated.

I have 20+ Cisco 881s as remote routers connecting to a 2911 core router; each 881 has 4 subnets per VPN (only one VPN from each 881 to the 2911).

I also have 40+ static VPNs to various countries around the world, also with 4 subnets per VPN.

In addition to this I have 60 4G VPN routers with 4 subnets per VPN back to the 2911.

I add about 10-20 VPNs per week (mostly 4G of recent times) and according to the 2911 router I am only using 482 IPsec sessions of the 3200 available, so this came as a surprise.

Am going to Cisco today to get a recommendation for a solution to this issue.

If interested I will post the result.

Ok, got nothing from the Cisco merry-go-round, and since I have confirmed that we hit the glass ceiling for VPNs on our 2911 running SECK9 by deleting many VPNs on the 4G routers, we have decided to put in a 2921 router with the HSEC optional licence, which states that the HSEC removes the 225 VPN limit imposed by the SECK9 software.

What I would like to know is, if the 225 limit has been lifted, what is the new limit?

Also I see I will be getting a higher throughput, which is not a bad thing.

Is there anyone in the Cisco world that can answer that query?

I'm doing roughly 10 VPNs per week and would like to think I've got some time before needing to buy another router or ASA.

Many thanks

There is no limit per se with the HSEC licence.  However what eventually happens is that you run out of CPU and crypto power processing all the connections.  The number of sites you can support is then based on your traffic patterns.

I have had a 2921 running HSEC with 240 or so concurrent VPN connections using around 80% CPU - maxed out in my book.

You should consider moving to a Cisco 4000 series router - not a 2921.

http://www.cisco.com/c/en_in/products/routers/4000-series-integrated-services-routers-isr/series-comparison.html

The most common one I do is the 4331 with the performance and HSEC licence.  Note the performance limits are not "symmetric" numbers.  So if you have 100Mb/s coming in and 50Mb/s going out you need 150Mb/s of licenced throughput.  The 4000 series will retard their performance to the licenced number.  So take notice.

Note that if you moved to using iWAN and a dynamic routing protocol, instead of using crypto maps, you only need a single SA per site.  This design change would resolve the current VPN limit issue you have.  This is the current iWAN design guide:

http://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Oct2016/CVD-IWANDeployment-2016OCT.pdf

I typically use the 890 series of routers for branches because they come with an "advanced IP" licence and can easily flat line a 100Mb/s circuit with everything enabled.  My favourite is the 897 as it comes with ADSL, VDSL and a fibre port, so you can plug it into any Internet circuit.  Note there is also an 897-4G.

Many thanks for the reply Phil. I have taken over this legacy system using crypto maps and am a little tentative in transitioning without a lab to do a proof of concept.

I think the 2921 will last us for a while yet and it has already made a HUGE improvement to working with the remote 3/4G vpn routers and the various firewalls and Cisco 881s are now connecting much quicker and with more stability and expected responses.

I'll be reading the information you suggested over the weekend and see how that fits into our future plan.

The company (well, project managers) like the idea of putting 4G routers at each client's site as they see it as a quick drop'n'run solution without having to get technicians in to provide internet access, and it means one less person to rely on for providing internet access.

The issue with 4G until today was that it took a long time for the 4G VPN to come up (15-20 mins in most cases). It now takes 3 seconds for the VPN to come up and changing the config is much more acceptable.

Again, many thanks for providing the information regarding the ceiling under the HSEC banner.

John

Note also that you can buy an HSEC licence for your current 2911 as well to remove the limit.

Also note that a 2921-HSEC bundle comes with a better crypto chip in it, as opposed to buying a 2921 and then an HSEC licence.