07-03-2016 03:36 AM - edited 02-21-2020 08:53 PM
Hi Guys,
We have a 3900 router, detailed below, which is currently acting as a DMVPN hub:
C3900-SPE250/K9(CISCO3945-CHASSIS)
c3900e-universalk9-mz.SPA.151-4.M4.bin
"Need advice on whether we should buy the HSEC license if it goes up to 125 spokes (sites) connecting via this 3945 DMVPN router"
Below is the required command output of the current settings on the router, which has the seck9 license.
Upon researching, I found the following information.
Without the HSEC solution, the 3945 ISR supports 255 IPSec tunnels. If you add HSEC, it can scale up to 2000 IPSec tunnels.
Now, if you look at the output below, it shows IPSec-Session : 212 active, 6399 max, and the Number of tunnels maximum shows 225. So for the new spokes mentioned above, will the HSEC license be required (as there are 2 things: IPSEC sessions and active tunnels)?
Currently we have around 110 Spokes (sites) connected to 3945 hub router.
Reference:
HSEC-K9 License
http://www3.cisco.com/c/en/us/products/collateral/routers/3900-series-integrated-services-routers-isr/q-and-a-c67-606268.html
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/118746-technote-isr-00.html#anc1
show crypto eli detail
show crypto isa sa count
show crypto ipsec sa count
show platform cerm-information
----------------------------------
sh crypto eli
Hardware Encryption : ACTIVE
Number of hardware crypto engines = 1
CryptoEngine Onboard VPN details: state = Active
Capability : IPPCP, DES, 3DES, AES, IPv6, GDOI, FAILCLOSE, HA
IPSec-Session : 212 active, 6399 max, 0 failed
-------------------------------------
sh crypto isakmp sa count
Active ISAKMP SA's: 101
Standby ISAKMP SA's: 0
Currently being negotiated ISAKMP SA's: 0
=============================
sh crypto ipsec sa cou
IPsec SA total: 208, active: 204, rekeying: 4, unused: 0, invalid: 0
============================
#sh platform cerm-information
Crypto Export Restrictions Manager(CERM) Information:
CERM functionality: ENABLED
----------------------------------------------------------------
Resource                    Maximum Limit    Available
----------------------------------------------------------------
Tx Bandwidth(in kbps)       85000            85000
Rx Bandwidth(in kbps)       85000            85000
Number of tunnels           225              123
Number of TLS sessions      1000             1000
Resource reservation information:
D - Dynamic
-----------------------------------------------------------------------
Client    Tx Bandwidth    Rx Bandwidth    Tunnels    TLS Sessions
          (in kbps)       (in kbps)
-----------------------------------------------------------------------
VOICE     0               0               0          0
IPSEC     D               D               102        N/A
SSLVPN    D               D               0          N/A
Statistics information:
Failed tunnels : 0
Failed sessions : 0
Failed tx bandwidth: 0
Failed rx bandwidth: 0
Failed encrypt pkts: 0
Failed decrypt pkts: 0
Failed encrypt pkt bytes: 0
Failed decrypt pkt bytes: 0
Passed encrypt pkts: 23746321255
Passed decrypt pkts: 20079132018
Passed encrypt pkt bytes: 21892230873508
Passed decrypt pkt bytes: 9815317896176
==========================
07-03-2016 12:58 PM
Yes, I would buy the HSEC licence. With that many spokes I would have suggested you buy it anyway, regardless of the SA count.
07-04-2016 04:46 AM
Thanks Philip
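Added example (not part of the thread): a small Python parser for the `show platform cerm-information` output posted in the question, reporting how many CERM tunnels are in use, how a planned spoke count compares with the tunnel maximum, and any nonzero Failed counters. `SAMPLE` is constructed from the question's output, the function names are hypothetical, and one CERM tunnel per spoke is an assumption (the output shows 102 tunnels against 101 active ISAKMP SAs); the check covers the tunnel count only, not the 85000 kbps bandwidth limits.

```python
import re

# Constructed sample: resource and statistics lines taken from the output in
# the question, with the fused table columns separated.
SAMPLE = """\
Resource                    Maximum Limit    Available
Tx Bandwidth(in kbps)       85000            85000
Rx Bandwidth(in kbps)       85000            85000
Number of tunnels           225              123
Number of TLS sessions      1000             1000
Failed tunnels : 0
Failed sessions : 0
Failed tx bandwidth: 0
Failed rx bandwidth: 0
"""

# "<resource name>  <maximum>  <available>"
ROW = re.compile(r"^(?P<name>\S.*?)\s{2,}(?P<max>\d+)\s+(?P<avail>\d+)\s*$")
# "Failed <something> : <count>"
FAILED = re.compile(r"^(?P<name>Failed [^:]+?)\s*:\s*(?P<count>\d+)\s*$")

def parse_cerm(text):
    """Return ({resource: (maximum, available)}, {failed counter: count})."""
    limits, failed = {}, {}
    for line in text.splitlines():
        if m := ROW.match(line):
            limits[m["name"].strip()] = (int(m["max"]), int(m["avail"]))
        elif m := FAILED.match(line):
            failed[m["name"]] = int(m["count"])
    return limits, failed

def tunnel_headroom(text, planned_spokes, tunnels_per_spoke=1):
    """Compare a planned spoke count with the CERM tunnel maximum.

    tunnels_per_spoke=1 is an assumption, not something CERM reports.
    """
    limits, failed = parse_cerm(text)
    maximum, available = limits["Number of tunnels"]
    needed = planned_spokes * tunnels_per_spoke
    return {
        "in_use": maximum - available,        # tunnels currently reserved
        "needed": needed,                     # tunnels at the planned size
        "remaining": maximum - needed,        # negative means over the limit
        "fits": needed <= maximum,
        "nonzero_failed": {k: v for k, v in failed.items() if v},
    }

if __name__ == "__main__":
    print(tunnel_headroom(SAMPLE, planned_spokes=125))
```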