06-09-2009 05:28 AM
Hi,
In our organisation an ASA 5510 firewall is configured for IPsec VPN.
When I check the maximum IPsec VPN sessions, it shows as 50 through the command:
VPN# sh vpn-sessiondb summary
Active Sessions:                     Session Information:
  LAN-to-LAN            : 0            Peak Concurrent      : 50
  Remote Access         : 37           Concurrent Limit     : 50
  WebVPN                : 0            WebVPN Limit         : 50
  Email Proxy           : 0            Cumulative Sessions  : 12890
  Total Active Sessions : 37           Weighted Active Load : 37
                                       Percent Session Load : 74%
As per the above statistics, can you briefly explain what Concurrent Limit : 50 and Cumulative Sessions : 12890 mean?
Here the concurrent sessions limit shows as 50. Does that mean only 50 users can establish a VPN connection? But as per Cisco, the ASA 5510 can establish 250 connections. Is there any license issue?
Please help me regarding this.
Can you explain what the reasons would be for terminating connection establishment? Is the session limit a reason?
Please help.
Thanks
Ramu
06-09-2009 10:24 AM
Ramu,
Two possible reasons I can think of: one could be your firewall's current license. Is it a Base license or Sec Plus? Do show version to confirm whether it is a Sec Plus license.
Or it could be the ASA code, perhaps a bug misreading the output.
Regards
06-09-2009 07:59 PM
Hi,
It is a Base License as per sh version. So does it support only 50 IPsec VPN connections?
Thanks
Ramu
06-10-2009 04:50 AM
Ramu, actually as per the link below, either the Base or Sec Plus license should support up to 250. What version of code are you running? I will double check this again.
http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
06-10-2009 09:31 PM
06-11-2009 06:41 AM
According to this, the 5510 base license should support 250 VPN peers:
http://www.cisco.com/en/US/docs/security/asa/asa82/license/license82.html#wp166690
But if I configure one using the ordering tool here on Cisco's website, it does actually say 50 VPN peers. I'm not sure why there's a discrepancy with all of this.
06-11-2009 09:52 AM
Hi,
Thanks for your prompt reply.
Regards
Ramu
06-11-2009 10:19 AM
Hi Steven, indeed interesting seeing this and Ramu's issue. I tried loading the 7.0.7 GD code on an offline ASA 5510 to see the output, but the box is under a Sec Plus license. I suspect it is code restrictions rather than a marketing typo.
Running the 7.0.7 GD code knocked off 100 VPN peers, bringing the limit down from 250 to 150.
This output is under version 8.0.4:
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 100
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
VPN Peers : 250
WebVPN Peers : 2
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2
This platform has an ASA 5510 Security Plus license.
This output is under 7.0.7 on the same box:
Cisco Adaptive Security Appliance Software Version 7.0(7)
Compiled on Fri 06-Jul-07 10:37 by builders
System image file is "disk0:/asa707-k8.bin"
Config file at boot was "startup-config"
DRhostasa5510PRI up 3 mins 33 secs
failover cluster up 3 mins 33 secs
Hardware: ASA5510, 256 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW080 @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0 : address is 001f.ca97.31e8, irq 9
1: Ext: Ethernet0/1 : address is 001f.ca97.31e9, irq 9
2: Ext: Ethernet0/2 : address is 001f.ca97.31ea, irq 9
3: Ext: Ethernet0/3 : address is 001f.ca97.31eb, irq 9
4: Ext: Management0/0 : address is 001f.ca97.31ec, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 25
Inside Hosts : Unlimited
Failover : Active/Standby
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
VPN Peers : 150
This platform has an ASA 5510 Security Plus license.
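Added example, not part of any post in this thread: a short Python check that parses the two outputs quoted above (`sh vpn-sessiondb summary` and the licensed-features block of `show version`) and reports when the session limit in force is below the licensed VPN Peers value or when capacity has been reached. The sample text is constructed from the thread's outputs (which came from two different boxes); the function names and the 80% warning threshold are assumptions, and load is computed as active sessions over the concurrent limit, which reproduces the 74% shown in the first post.

```python
import re

# Constructed samples, abridged from the two outputs quoted in the thread.
SESSION_SUMMARY = """\
Active Sessions:                     Session Information:
  LAN-to-LAN            : 0            Peak Concurrent      : 50
  Remote Access         : 37           Concurrent Limit     : 50
  WebVPN                : 0            WebVPN Limit         : 50
  Email Proxy           : 0            Cumulative Sessions  : 12890
  Total Active Sessions : 37           Weighted Active Load : 37
                                       Percent Session Load : 74%
"""
SHOW_VERSION = """\
Licensed features for this platform:
Maximum VLANs               : 100
VPN Peers                   : 250
WebVPN Peers                : 2
"""

def fields(text):
    """Return {label: int} for each 'Label : number' pair, two-column lines included."""
    pairs = re.findall(r"([A-Za-z][A-Za-z /-]*?)\s*:\s*(\d+)", text)
    return {label.strip(): int(value) for label, value in pairs}

def check_capacity(summary, version, warn_at=80):
    """Compare the session limit in force with the license and current load.

    warn_at is a hypothetical alert threshold in percent.
    """
    s, lic = fields(summary), fields(version)
    limit, active = s["Concurrent Limit"], s["Total Active Sessions"]
    load = round(100 * active / limit)  # 37 of 50 gives the 74% in the output
    findings = []
    if limit < lic["VPN Peers"]:
        findings.append(f"concurrent limit {limit} is below licensed "
                        f"VPN Peers {lic['VPN Peers']}")
    if s["Peak Concurrent"] >= limit:
        findings.append("peak concurrent sessions reached the limit "
                        "(capacity was exhausted at least once)")
    if load >= warn_at:
        findings.append(f"session load {load}% is at or above {warn_at}%")
    return load, findings

if __name__ == "__main__":
    load, findings = check_capacity(SESSION_SUMMARY, SHOW_VERSION)
    print(f"session load: {load}%")
    for finding in findings:
        print("-", finding)
```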
06-13-2009 11:36 PM
Hi,
Thanks for your interest in this issue.
Can we upgrade the 5510 from version 7.X to version 8.X? Does it support SSL VPN sessions? If it does, how many connections does it support?
Does the ASA 5520 on version 8.X support only 2 WebVPN and 750 IPsec sessions?
Thanks
Ramu
06-15-2009 04:07 AM
Hi,
Adding to the above issue: does the 5510 on version 7.0 support SSL AnyConnect VPN sessions for Vista users?
Regards
Ramu
06-15-2009 09:08 PM
Hi all,
How do I configure the WebVPN service using an ASA 5510 version 7.X server?
Does the ASA 5510 version 7.X support the AnyConnect client?
06-18-2009 12:39 AM
Hi,
Kindly look into the above post.
Thanks
Ramu
06-18-2009 09:14 AM
Hi,
Take a look at this configuration example for WebVPN on ASA, I think it might help you configure it on your device:
http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a00806ea271.shtml
Which version are you running? I believe Anyconnect is only supported on 8.x and later releases.
Anyconnect 2.0: http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect20/release/notes/cvcrn200.html#wp608673
Anyconnect 2.3: http://www.cisco.com/en/US/docs/security/vpn_client/anyconnect/anyconnect23/release/notes/anyconnect23rn.html#wp608673
Please rate useful posts.
Regards,
Guilherme