Site-to-Site VPN in multiple context mode (ASA 9.x)
Before configuring a Site-to-Site VPN on an ASA running in multiple context
mode, you must assign VPN resources to the context. By default no site-to-site
VPN tunnels are allowed; you must manually configure a resource class that
allows VPN sessions, otherwise the IKE debug output shows the message
"Tunnel Rejected: The maximum tunnel count allowed has been reached".
Example:
An ASA 5550 with the base license supports 5000 VPN sessions.
You have two contexts and want to share the VPN resources between them,
assigning 2000 sessions to each context:
asa/admin(config)# changeto system
asa(config)# class vpn-2000
asa(config-class)# limit-resource vpn other 2000
asa(config-class)# limit-resource vpn burst other 1000
asa(config-class)# exit
asa(config)# context context-a
asa(config-ctx)# member vpn-2000
asa(config-ctx)# exit
asa(config)# context context-b
asa(config-ctx)# member vpn-2000
asa(config-ctx)# exit
vpn burst other is the number of VPN sessions a context may use beyond the
amount guaranteed to it with vpn other. Unlike vpn other, which guarantees
those sessions to the context, vpn burst other can be oversubscribed: the
burst pool is shared by all contexts on a first-come, first-served basis.
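As an added illustration (not from the original page and not Cisco code), the following Python models the admission rule described above for the 5000-session example: each context keeps its guaranteed "vpn other" allocation, and the capacity left unassigned forms a burst pool that contexts draw from first-come, first-served, up to their own "vpn burst other" limit. The class, context and pool names are constructed for the model; a context with no class falls into the default class, which allows no VPN sessions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class VpnClass:
    name: str
    guaranteed: int  # limit-resource vpn other <n>
    burst: int       # limit-resource vpn burst other <n>


# Contexts not assigned to a class use the default class: no VPN sessions.
DEFAULT_CLASS = VpnClass("default", guaranteed=0, burst=0)


@dataclass
class Context:
    name: str
    cls: VpnClass = DEFAULT_CLASS  # 'member <class>' under 'context <name>'
    active: int = 0                # established site-to-site tunnels


class Asa:
    """Constructed model of the resource-class bookkeeping, not the real IKE path."""

    def __init__(self, license_sessions: int, contexts: list) -> None:
        self.contexts = {c.name: c for c in contexts}
        guaranteed = sum(c.cls.guaranteed for c in contexts)
        if guaranteed > license_sessions:
            raise ValueError(f"guaranteed {guaranteed} exceeds license {license_sessions}")
        # Capacity not guaranteed to any context is the shared burst pool.
        self.burst_pool = license_sessions - guaranteed

    def burst_in_use(self) -> int:
        return sum(max(0, c.active - c.cls.guaranteed) for c in self.contexts.values())

    def admit(self, ctx_name: str) -> bool:
        """Decide whether one more tunnel in ctx_name is accepted."""
        c = self.contexts[ctx_name]
        if c.active < c.cls.guaranteed:  # inside the guaranteed allocation
            c.active += 1
            return True
        if (c.active < c.cls.guaranteed + c.cls.burst  # inside this context's burst limit
                and self.burst_in_use() < self.burst_pool):  # and pool not yet consumed
            c.active += 1
            return True
        return False  # on a real ASA: "Tunnel Rejected: The maximum tunnel count allowed has been reached"


def admit_many(asa: Asa, ctx_name: str, attempts: int) -> int:
    """Try `attempts` new tunnels in a context; return how many were accepted."""
    return sum(asa.admit(ctx_name) for _ in range(attempts))
```

With two vpn-2000 contexts on 5000 licensed sessions, the first context to burst can reach 3000 tunnels and the second is then capped at its 2000 guaranteed sessions, which is the oversubscription the text describes.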