ASA 5505 IPSec SA limit?

longkm123
Level 1

I am trying to replace a 1751 IPSec VPN that connects a single LAN behind the 1751 to ~45 remote networks behind a single peer.  There are a small number of workstations (~50) and low throughput (< 1MBps) across this VPN; the biggest trouble is the number of remote networks needed.

I have tried to connect an ASA5505 Security Plus in place of the 1751 and am able to get Phase 1 and Phase 2 up, except I don't get all of my ipsec sa's and can only pass traffic to some of the remote networks.  Does the 25 IPSec limit apply to multiple sa's on one peer? I've only ever seen it spoken of as a 25 peer limit.

4 Replies

mvsheik123
Level 7

Hi,

If I understand your posting correctly, you have a 1751 connected to 45 remote locations via VPN tunnels. When you try to replace the 1751 with a 5505 with a Sec Plus license, only a few locations are able to pass traffic.

If all the configurations are correct, post 'show version' from the ASA. There may be a licensing issue. If you see only 25 IPsec tunnels allowed, then it's definitely a license issue.

Thx

MS

longkm123
Level 1

Not exactly: I have two locations and one tunnel (phase 1). The "other side" peer has several networks behind it, resulting in many IPSec associations (phase 2).

Without tearing down my existing tunnel so I can count how many associations I do get, I am hoping someone can tell me if phase 2 associations count against the VPN limit of ASA's.

Below is the show version of my ASA5505.  It does say Total VPN Peers = 25, but I have only 1 crypto map with 1 peer.  Does the license actually mean Total Security Associations = 25, given that each peer usually has a few security associations?

-------------------------------------------------------------------------------------

Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)

Compiled on Fri 20-May-11 16:00 by builders
System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"

VPNASA up 11 mins 32 secs

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05

0: Int: Internal-Data0/0    : address is 442b.03d2.xxxx, irq 11
1: Ext: Ethernet0/0         : address is 442b.03d2.xxxx, irq 255
2: Ext: Ethernet0/1         : address is 442b.03d2.xxxx, irq 255
3: Ext: Ethernet0/2         : address is 442b.03d2.xxxx, irq 255
4: Ext: Ethernet0/3         : address is 442b.03d2.xxxx, irq 255
5: Ext: Ethernet0/4         : address is 442b.03d2.xxxx, irq 255
6: Ext: Ethernet0/5         : address is 442b.03d2.xxxx, irq 255
7: Ext: Ethernet0/6         : address is 442b.03d2.xxxx, irq 255
8: Ext: Ethernet0/7         : address is 442b.03d2.xxxx, irq 255
9: Int: Internal-Data0/1    : address is 0000.0003.xxxx, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces    : 8
VLANs                          : 20, DMZ Unrestricted
Inside Hosts                   : Unlimited
Failover                       : Active/Standby
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
SSL VPN Peers                  : 2
Total VPN Peers                : 25
Dual ISPs                      : Enabled
VLAN Trunk Ports               : 8
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has an ASA 5505 Security Plus license.

Serial Number: XXXXXXXXXXX
Running Activation Key: 0x00000000 0x00000000 0x00000000 0x00000000 0x00000000
Configuration register is 0x1
Configuration has not been modified since last system restart.

Hi,

To my knowledge, one crypto should take one license, but I may be wrong. Check by issuing 'show vpn-sessiondb summary'; the ASA should show you how many are in use and license info as well. Once you have that information, try to tear down one SA and see if that changes. That explains the case.

hth

MS
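The two numbers the thread keeps circling (how many IKE peers are up versus how many phase-2 SA pairs are up) can be pulled straight out of 'show crypto ipsec sa', which also tells you which expected remote networks never negotiated an SA. The script below is an added example, not code from the thread or from Cisco: it parses the 'local ident' / 'remote ident' / 'current_peer' lines of that command's output, counts distinct peers and SA pairs, and diffs the remote selectors that are up against a list you expect from the crypto ACL. The sample output and the EXPECTED_REMOTE_NETWORKS list are constructed for the example (one peer, three of four expected networks up); paste in real output and the crypto ACL's destination networks to get the figures to set beside the 'Total VPN Peers : 25' line from 'show version'.

```python
"""Added example: count IKE peers and phase-2 (IPsec) SAs in ASA 'show crypto ipsec sa'
output and list expected remote networks that have no SA. Not from the thread."""
import re
from ipaddress import ip_network

# Constructed, abbreviated sample of 'show crypto ipsec sa' output (not the poster's):
# one peer (198.51.100.2), one local network, three phase-2 SA pairs.
SAMPLE_OUTPUT = """\
interface: outside
    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.1

      access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 10.10.1.0 255.255.255.0
      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.1.0/255.255.255.0/0/0)
      current_peer: 198.51.100.2

      #pkts encaps: 120, #pkts encrypt: 120, #pkts digest: 120
      #pkts decaps: 118, #pkts decrypt: 118, #pkts verify: 118

      inbound esp sas:
        spi: 0x1A2B3C4D (439041101)
      outbound esp sas:
        spi: 0x5E6F7A8B (1584822923)

    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.2.0/255.255.255.0/0/0)
      current_peer: 198.51.100.2

    Crypto map tag: outside_map, seq num: 1, local addr: 203.0.113.1

      local ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.10.3.0/255.255.255.0/0/0)
      current_peer: 198.51.100.2
"""

# Remote networks the crypto ACL should bring up (constructed for the example; in
# practice take them from the crypto map's access-list). 10.10.4.0/24 has no SA above.
EXPECTED_REMOTE_NETWORKS = ["10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24", "10.10.4.0/24"]

IDENT_RE = re.compile(
    r"^\s*(local|remote) ident \(addr/mask/prot/port\): \((\S+?)/(\S+?)/\d+/\d+\)")
PEER_RE = re.compile(r"^\s*current_peer: ([0-9A-Fa-f.:]+)")


def parse_ipsec_sas(text):
    """Return one dict per phase-2 SA pair: {'local', 'remote', 'peer'}.

    Each SA block prints local ident, then remote ident, then current_peer; the
    peer line closes the record. Dotted masks are normalised to CIDR."""
    sas, local, remote = [], None, None
    for line in text.splitlines():
        m = IDENT_RE.match(line)
        if m:
            side, addr, mask = m.groups()
            net = str(ip_network(f"{addr}/{mask}", strict=False))
            if side == "local":
                local = net
            else:
                remote = net
            continue
        m = PEER_RE.match(line)
        if m and local and remote:
            sas.append({"local": local, "remote": remote, "peer": m.group(1)})
            local = remote = None
    return sas


def summarize(sas):
    """Distinct IKE peers vs. phase-2 SA pairs: the two counts to compare with the
    'Total VPN Peers' figure from 'show version'."""
    return {"peers": len({sa["peer"] for sa in sas}), "ipsec_sas": len(sas)}


def missing_remote_networks(sas, expected, peer):
    """Expected remote networks (CIDR strings) with no SA to 'peer' currently up."""
    up = {sa["remote"] for sa in sas if sa["peer"] == peer}
    want = {str(ip_network(n)) for n in expected}
    return sorted(want - up, key=ip_network)


if __name__ == "__main__":
    found = parse_ipsec_sas(SAMPLE_OUTPUT)
    print(summarize(found))  # {'peers': 1, 'ipsec_sas': 3}
    print(missing_remote_networks(found, EXPECTED_REMOTE_NETWORKS, "198.51.100.2"))  # ['10.10.4.0/24']
```

The parser keys on the ident/peer lines only, so the packet counters and SPI lines can be left in or cut out of the pasted output. A remote network that appears in the missing list while the first-run ones pass traffic is exactly the symptom in the original post, and the SA count next to the peer count shows which of the two a license limit would have to be counting.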
