Friday 16 September 2016

Site-to-Site VPN in multiple context mode (ASA 9.x)

Before configuring a Site-to-Site VPN on an ASA running in multiple context mode, you must assign VPN resources to the context. By default, a context is allowed no site-to-site VPN tunnels at all: you must manually configure a resource class that permits VPN sessions and make the context a member of it, otherwise IKE debug output shows "Tunnel Rejected: The maximum tunnel count allowed has been reached".

Example:
ASA 5550 with base license supports 5000 VPN sessions.
You have two contexts and want to share VPN resources, assigning 2000 sessions to each context:
asa/admin(config)# changeto system
asa(config)# class vpn-2000
asa(config-class)# limit-resource vpn other 2000
asa(config-class)# limit-resource vpn burst other 1000
asa(config-class)# exit
asa(config)# context context-a
asa(config-ctx)# member vpn-2000
asa(config-ctx)# exit
asa(config)# context context-b
asa(config-ctx)# member vpn-2000
asa(config-ctx)# exit

vpn burst other is the number of VPN sessions a context may use beyond the amount guaranteed to it with vpn other. Unlike vpn other, which guarantees the sessions to the context, vpn burst other can be oversubscribed: the burst pool is available to all contexts on a first-come, first-served basis. In the example above, 4000 of the 5000 licensed sessions are guaranteed, so both contexts compete for the remaining 1000 whenever they burst.
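The following model is an added example, not code from the original post and not Cisco software: it simulates how a multiple-context ASA admits tunnels against each context's guaranteed vpn other allocation plus the shared vpn burst other pool, and reproduces the post's 5000-session, two-context scenario. It assumes the burst pool is simply the licensed sessions not guaranteed to any context, and that a guaranteed total above the license is a configuration error; the class and context names are taken from the post.

```python
"""Model of ASA multi-context VPN resource classes (added example; not Cisco code or the post's)."""
from dataclasses import dataclass, field


@dataclass
class VpnClass:
    name: str        # resource class name, e.g. "vpn-2000"
    guaranteed: int  # limit-resource vpn other N   (guaranteed to the context)
    burst: int       # limit-resource vpn burst other N (may be oversubscribed)


@dataclass
class Asa:
    license_limit: int  # total VPN sessions the platform license allows
    classes: dict = field(default_factory=dict)  # class name -> VpnClass
    members: dict = field(default_factory=dict)  # context -> class name
    in_use: dict = field(default_factory=dict)   # context -> active tunnels

    def add_context(self, ctx: str, cls: VpnClass) -> None:
        self.classes[cls.name] = cls
        self.members[ctx] = cls.name
        self.in_use[ctx] = 0

    def burst_pool(self) -> int:
        """Assumed: licensed sessions left after every guaranteed allocation, shared by all."""
        guaranteed = sum(self.classes[c].guaranteed for c in self.members.values())
        if guaranteed > self.license_limit:  # 'vpn other' cannot be oversubscribed
            raise ValueError("guaranteed 'vpn other' total exceeds the license")
        return self.license_limit - guaranteed
    def burst_in_use(self) -> int:
        return sum(max(0, self.in_use[c] - self.classes[m].guaranteed)
                   for c, m in self.members.items())
    def admit(self, ctx: str) -> bool:
        """Admit one tunnel for ctx; False models the 'Tunnel Rejected' IKE debug message."""
        cls = self.classes[self.members[ctx]]
        used = self.in_use[ctx]
        if used < cls.guaranteed:  # guaranteed pool is always honoured
            self.in_use[ctx] += 1
            return True
        if used < cls.guaranteed + cls.burst and self.burst_in_use() < self.burst_pool():
            self.in_use[ctx] += 1  # shared burst pool, first-come first-served
            return True
        return False


def simulate_post_example() -> dict:
    """ASA 5550 (5000 sessions), two contexts in class vpn-2000 as in the post."""
    asa = Asa(5000)
    vpn2000 = VpnClass("vpn-2000", guaranteed=2000, burst=1000)
    asa.add_context("context-a", vpn2000)
    asa.add_context("context-b", vpn2000)
    a = sum(asa.admit("context-a") for _ in range(3000))  # 2000 guaranteed + 1000 burst
    b = sum(asa.admit("context-b") for _ in range(3000))  # burst pool already taken by A
    return {"context-a": a, "context-b": b, "burst_pool": asa.burst_pool()}
```

Running simulate_post_example() shows context-a reaching 3000 tunnels while context-b is capped at its 2000 guaranteed sessions, because context-a consumed the whole 1000-session burst pool first.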