Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
936
Views
0
Helpful
2
Replies

Count Subnets on Cisco ASA IPsec

MindVersal
Level 1
Level 1

‎10-28-2018 05:51 AM - edited ‎02-21-2020 09:29 PM

Hello!

 

Interesting, how mach can I add subnets to the IPsec tunnel on Cisco ASA?

Now, when I add to the tunnel, some subnets are not visible in the tunnel,

but after the rebuild, others not are visible...

 

Configuration:

Cisco ASA 5515-X (~30 subnets) <= IPsec (ikev1) => Cisco ASA 5520 (~20 subnets)

 

What do you think about this interesting situation?

Labels:
0 Helpful
2 Replies 2

Marvin Rhoads
Hall of Fame
Hall of Fame

‎10-28-2018 07:26 AM

The IKEv1 SA will establish when any interesting traffic is presented to a tunnel endpoint.

 

The IPsec SAs (which the subnets are included in) form dynamically when pairwise traffic flows. So some might remain inactive if there's no communications between those particular subnets.

0 Helpful

MindVersal
Level 1
Level 1
In response to Marvin Rhoads

‎10-28-2018 12:24 PM

Yes, when traffic appears, subnets appears in tunnel,
but the problem is that connectivity is not established between some pairs of subnets.
(I have a ping between subnets, and sometimes there are pairs of subnets in the tunnel,
but sometimes they are not)

Now tunnel ID is 45 for one IPsec tunnel, but under load increases to 170.
(This is count pairs subnets in IPsec tunnel)

Is it possible, what a non-stable operation of a tunnel is due to the fact that there are many subnets in IPsec?
And where to find the number of subnets that can be added to a single tunnel?

Thanks for answers!
0 Helpful
Customers Also Viewed These Support Documents