
Cisco ASA IPSec-Proposal Limit

rashidevron

I am getting this error message when trying to configure an ipsec-proposal on an ASA for an IKEv2 IPsec tunnel.

ERROR: ipsec policy insertion failed because the maximum proposal limit of 20 was exceeded
ERROR: Unable to insert ipsec-proposal TEST_PROPOSAL

I have been searching online through Cisco's publications, but nothing mentions a limit on ipsec-proposals.
I even checked if it was a license issue on the ASA, but L2L IPsec tunnels are supposed to be unlimited, pending the physical resources on your ASA.
Can anyone help me with a definitive answer on the limit of transform-sets and ipsec-proposals?

Accepted Solutions

@rashidevron from the ASA guides -

Configure IKEv1 and IKEv2 Policies

IKEv1 and IKEv2 each support a maximum of 20 IKE policies, each with a different set of values. Assign a unique priority to each policy that you create. The lower the priority number, the higher the priority.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa922/configuration/vpn/asa-922-vpn-config/vpn-ike.html

I would recommend standardising on the most secure ciphers, rather than having so many different variations.


Hello Rob,

Thanks for the info update.

I was under the impression that the policies are unlimited, however, this
makes much sense to have a set of secure predefined policies and proposals
and just apply them to your various crypto maps.

I have been configuring for years now one for each new IPSEC setup I do
with various partners. 🤦🏾‍

Thanks a lot.
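
Added example (not part of the original thread and not Cisco's code): one way to act on the recommendation in the accepted answer is to audit a saved running-config for IKEv2 ipsec-proposals that carry identical algorithm sets, so they can be merged into a small shared set before the limit of 20 is reached. The sample configuration is constructed, and the function names parse_proposals and audit are hypothetical.

```python
import re
from collections import defaultdict

PROPOSAL_LIMIT = 20  # from the ASA error message quoted in the question

# Constructed sample configuration (not taken from the thread).
SAMPLE_CONFIG = """\
crypto ipsec ikev2 ipsec-proposal PARTNER_A
 protocol esp encryption aes-256
 protocol esp integrity sha-256
crypto ipsec ikev2 ipsec-proposal PARTNER_B
 protocol esp integrity sha-256
 protocol esp encryption aes-256
crypto ipsec ikev2 ipsec-proposal PARTNER_C
 protocol esp encryption aes-gcm-256
 protocol esp integrity null
crypto map OUTSIDE_MAP 10 set ikev2 ipsec-proposal PARTNER_A
crypto map OUTSIDE_MAP 20 set ikev2 ipsec-proposal PARTNER_B
"""

def parse_proposals(config):
    """Map each proposal name to its (encryption set, integrity set)."""
    found, current = {}, None
    for line in config.splitlines():
        head = re.match(r"crypto ipsec ikev2 ipsec-proposal (\S+)", line)
        body = re.match(r"\s+protocol esp (encryption|integrity) (.+)", line)
        if head:
            current = head.group(1)
            found[current] = {"encryption": set(), "integrity": set()}
        elif body and current:
            found[current][body.group(1)].update(body.group(2).split())
        elif not line.startswith(" "):
            current = None  # left the proposal sub-mode
    return {n: (frozenset(p["encryption"]), frozenset(p["integrity"]))
            for n, p in found.items()}

def audit(config):
    """Summarise proposal usage against the limit and list merge candidates."""
    proposals = parse_proposals(config)
    groups = defaultdict(list)  # identical algorithm sets -> proposal names
    for name, algos in proposals.items():
        groups[algos].append(name)
    used = set()
    for m in re.finditer(r"^crypto map \S+ \d+ set ikev2 ipsec-proposal (.+)$", config, re.M):
        used.update(m.group(1).split())
    return {"defined": len(proposals),
            "slots_left": PROPOSAL_LIMIT - len(proposals),
            "duplicates": sorted(sorted(g) for g in groups.values() if len(g) > 1),
            "unreferenced": sorted(set(proposals) - used),
            "needed_after_merge": len(groups)}
```

Calling audit() on the text of a saved running-config returns the duplicate groups (proposals a single shared one could replace) and the proposals that no crypto map references.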
