I am trying to replace a 1751 IPsec VPN that connects a single LAN behind the 1751 to ~45 remote networks behind a single peer. There are a small number of workstations (~50) and low throughput (< 1 MBps) across this VPN; the biggest trouble is the number of remote networks needed.
I have tried to connect an ASA5505 Security Plus in place of the 1751 and am able to get Phase 1 and Phase 2 up, except I don't get all of my IPsec SAs and can only pass traffic to some of the remote networks. Does the 25 IPsec limit apply to multiple SAs on one peer? I've only ever seen it spoken of as a 25-peer limit.
If I understand your posting correctly, you have a 1751 connected to 45 remote locations via VPN tunnels. When you try to replace the 1751 with a 5505 with a Security Plus license, only a few locations are able to pass traffic.
If all the configuration is correct, post 'show version' from the ASA. There may be a licensing issue. If you see only 25 IPsec tunnels allowed, then it's definitely a license issue.
Not exactly. I have two locations and one tunnel (Phase 1). The "other side" peer has several networks behind it, resulting in many IPsec associations (Phase 2).
Without tearing down my existing tunnel so I can count how many associations I do get, I am hoping someone can tell me if Phase 2 associations count against the VPN limit of ASAs.
Below is the show version of my ASA5505. It does say Total VPN Peers = 25, but I have only 1 crypto map with 1 peer. Does the license actually mean Total Security Associations = 25, given that each peer usually has a few security associations?
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)
Compiled on Fri 20-May-11 16:00 by builders
System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"
VPNASA up 11 mins 32 secs
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
0: Int: Internal-Data0/0 : address is 442b.03d2.xxxx, irq 11
1: Ext: Ethernet0/0 : address is 442b.03d2.xxxx, irq 255
2: Ext: Ethernet0/1 : address is 442b.03d2.xxxx, irq 255
3: Ext: Ethernet0/2 : address is 442b.03d2.xxxx, irq 255
4: Ext: Ethernet0/3 : address is 442b.03d2.xxxx, irq 255
5: Ext: Ethernet0/4 : address is 442b.03d2.xxxx, irq 255
6: Ext: Ethernet0/5 : address is 442b.03d2.xxxx, irq 255
7: Ext: Ethernet0/6 : address is 442b.03d2.xxxx, irq 255
8: Ext: Ethernet0/7 : address is 442b.03d2.xxxx, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.xxxx, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 20, DMZ Unrestricted
Inside Hosts : Unlimited
Failover : Active/Standby
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 25
Dual ISPs : Enabled
VLAN Trunk Ports : 8
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has an ASA 5505 Security Plus license.
Serial Number: XXXXXXXXXXX
Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
Configuration register is 0x1
Configuration has not been modified since last system restart.
To my knowledge, one crypto should take one license, but I may be wrong. Check by issuing 'show vpn-sessiondb summary'; the ASA should show you how many are in use and license info as well. Once you have that information, try to tear down one SA and see if that changes. That explains the case.
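As an added example that is not part of this thread (and not Cisco's code): a small Python script that does the count the original poster wanted to do without tearing the tunnel down. It takes the crypto ACL and the text of `show crypto ipsec sa`, reports how many distinct peers are in use (the figure to compare with the "Total VPN Peers" line of `show version`), how many Phase 2 SA pairs exist, and which ACL selectors never got an SA. The ACL name, the addresses and the output excerpt are constructed, and the exact layout of `show crypto ipsec sa` (the `local ident`, `remote ident`, `current_peer`, `inbound/outbound esp sas` and `spi:` lines) is an assumption; on a real box, paste the two outputs in place of the samples.

```python
import re
from collections import defaultdict

# Constructed sample crypto ACL (hypothetical addresses, not from the original post):
# three remote networks reachable through one peer, i.e. three Phase 2 selectors.
CRYPTO_ACL = """\
access-list L2L extended permit ip 10.10.0.0 255.255.255.0 192.168.1.0 255.255.255.0
access-list L2L extended permit ip 10.10.0.0 255.255.255.0 192.168.2.0 255.255.255.0
access-list L2L extended permit ip 10.10.0.0 255.255.255.0 192.168.3.0 255.255.255.0
"""

# Constructed excerpt shaped like `show crypto ipsec sa` (the exact ASA layout is an
# assumption; only the fields the parser reads are reproduced). Only two of the three
# selectors have live SAs, which is the symptom described in the thread.
IPSEC_SA_OUTPUT = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 203.0.113.2

      local ident (addr/mask/prot/port): (10.10.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      current_peer: 198.51.100.7

    inbound esp sas:
      spi: 0x1A2B3C4D (439041101)
    outbound esp sas:
      spi: 0x5E6F7081 (1584754817)

      local ident (addr/mask/prot/port): (10.10.0.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (192.168.2.0/255.255.255.0/0/0)
      current_peer: 198.51.100.7

    inbound esp sas:
      spi: 0x2B3C4D5E (725634398)
    outbound esp sas:
      spi: 0x6F708192 (1869185426)
"""

ACL_RE = re.compile(
    r"^access-list\s+\S+\s+extended\s+permit\s+ip\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$"
)
IDENT_RE = re.compile(r"^(local|remote) ident \(addr/mask/prot/port\): \(([^/]+)/([^/]+)/")
PEER_RE = re.compile(r"^current_peer:\s+(\S+)")
DIR_RE = re.compile(r"^(inbound|outbound) esp sas:")
SPI_RE = re.compile(r"^spi:\s+(0x[0-9A-Fa-f]+)")


def parse_crypto_acl(text):
    """Return the Phase 2 selectors (local net/mask, remote net/mask) the crypto ACL asks for."""
    selectors = []
    for line in text.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            selectors.append((f"{m.group(1)}/{m.group(2)}", f"{m.group(3)}/{m.group(4)}"))
    return selectors


def parse_ipsec_sa(text):
    """Map (peer, local, remote) -> {'inbound': [spi, ...], 'outbound': [spi, ...]}."""
    sas = defaultdict(lambda: {"inbound": [], "outbound": []})
    local = remote = peer = direction = None
    for raw in text.splitlines():
        line = raw.strip()
        m = IDENT_RE.match(line)
        if m:  # a new selector block starts with its local/remote identities
            if m.group(1) == "local":
                local = f"{m.group(2)}/{m.group(3)}"
            else:
                remote = f"{m.group(2)}/{m.group(3)}"
            continue
        m = PEER_RE.match(line)
        if m:
            peer = m.group(1)
            continue
        m = DIR_RE.match(line)
        if m:
            direction = m.group(1)
            continue
        m = SPI_RE.match(line)
        if m and peer and local and remote and direction:
            sas[(peer, local, remote)][direction].append(m.group(1))
    return dict(sas)


def sa_report(acl_text, sa_text, licensed_peers):
    """Compare what the crypto ACL asks for with the SAs that actually came up."""
    wanted = parse_crypto_acl(acl_text)
    sas = parse_ipsec_sa(sa_text)
    peers = sorted({peer for (peer, _, _) in sas})
    # A selector is "up" only if it has both an inbound and an outbound ESP SA.
    established = {(loc, rem) for (_, loc, rem), d in sas.items()
                   if d["inbound"] and d["outbound"]}
    missing = [sel for sel in wanted if sel not in established]
    return {
        "peers": peers,
        "peer_count": len(peers),
        "child_sa_pairs": len(sas),
        "missing_selectors": missing,
        "peers_within_license": len(peers) <= licensed_peers,
    }


if __name__ == "__main__":
    # 25 is the "Total VPN Peers" value from the show version posted above.
    print(sa_report(CRYPTO_ACL, IPSEC_SA_OUTPUT, 25))
```

The two numbers the report separates (distinct peers versus Phase 2 SA pairs) are exactly the ones the thread is asking about; the `missing_selectors` list tells you which crypto ACL lines never negotiated, which is cheaper than clearing the tunnel and counting by hand.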