Friday 16 September 2016

Site-to-Site VPN in multiple context mode (ASA 9.x)

Site-to-site VPN is supported in multiple context mode from ASA 9.0(1), but before you can configure a tunnel inside a context you must assign site-to-site VPN resources (the vpn other resource type) to that context from the system execution space. The default class allows no site-to-site VPN sessions at all, so unless you create a resource class with a vpn other limit and make the context a member of it, every tunnel is refused and the IKE debug output shows "Tunnel Rejected: The maximum tunnel count allowed has been reached".

ASA 5550 with base license supports 5000 VPN sessions.
You have two contexts and want to share VPN resources assigning 2000 sessions to each context:
asa/admin(config)# changeto system
asa(config)# class vpn-2000
asa(config-class)# limit-resource vpn other 2000
asa(config-class)# limit-resource vpn burst other 1000
asa(config-class)# exit
asa(config)# context context-a
asa(config-ctx)# member vpn-2000
asa(config)# context context-b
asa(config-ctx)# member vpn-2000

vpn burst other is the number of site-to-site sessions a context may use beyond what vpn other assigns to it. vpn other is a guaranteed allocation: the ASA reserves those sessions for the context, and the sum of vpn other across all contexts cannot exceed the platform's licensed session count, because that pool cannot be oversubscribed. vpn burst other, by contrast, can be oversubscribed: burst sessions are drawn from whatever part of the licensed total is not guaranteed to some context, and they are handed out to all contexts on a first-come, first-served basis. In the example above 4000 sessions are guaranteed, so only 1000 remain for bursting even though each context is allowed a burst of 1000; the first context that needs them gets them, and the other is refused once the pool is empty. Verify the layout from the system execution space with show resource allocation, and watch actual consumption with show resource usage summary or show resource usage context context-a.
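The arithmetic behind that allocation is easy to get wrong on a box with more than two contexts, so here is a small planner, added as an example and not part of the original post or of any Cisco tooling. It checks a proposed set of classes against the licensed session count, refuses a layout that oversubscribes the guaranteed vpn other pool, reports whether the burst pool is oversubscribed, and prints the system-context CLI for the layout. The class and context names are hypothetical; the 5000-session figure is the ASA 5550 base-license limit quoted above.

```python
# Added example, not from the original post: a planner for ASA multi-context
# site-to-site VPN resource classes. Class and context names are hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class VpnClass:
    name: str          # resource class name (hypothetical)
    other: int         # limit-resource vpn other: guaranteed site-to-site sessions
    burst_other: int   # limit-resource vpn burst other: shared, first-come first-served


def plan_vpn_classes(license_limit, classes, membership):
    """Check a class/membership layout and return the numbers that matter.

    license_limit: platform VPN session limit (5000 for an ASA 5550 base license).
    classes:       list of VpnClass.
    membership:    dict mapping context name -> class name.

    Raises ValueError if the guaranteed vpn other totals exceed the license,
    since that pool cannot be oversubscribed. Burst oversubscription is
    allowed on the ASA and is therefore only reported, not rejected.
    """
    by_name = {c.name: c for c in classes}
    for ctx, cls in membership.items():
        if cls not in by_name:
            raise ValueError(f"context {ctx} references unknown class {cls}")

    guaranteed = sum(by_name[cls].other for cls in membership.values())
    if guaranteed > license_limit:
        raise ValueError(
            f"guaranteed vpn other sessions ({guaranteed}) exceed the platform "
            f"limit ({license_limit}); vpn other cannot be oversubscribed")

    # Whatever is not guaranteed to some context is all the burst pool there is.
    free_pool = license_limit - guaranteed
    burst_demand = sum(by_name[cls].burst_other for cls in membership.values())

    # Hard ceiling for one context: its guarantee plus as much burst as the
    # free pool can really supply (assumes the other contexts are within
    # their guarantees at that moment).
    ceiling = {
        ctx: by_name[cls].other + min(by_name[cls].burst_other, free_pool)
        for ctx, cls in membership.items()
    }

    # System execution space CLI for this layout.
    cli = ["changeto system"]
    for c in classes:
        cli += [f"class {c.name}",
                f"  limit-resource vpn other {c.other}",
                f"  limit-resource vpn burst other {c.burst_other}",
                "  exit"]
    for ctx, cls in membership.items():
        cli += [f"context {ctx}", f"  member {cls}", "  exit"]

    return {
        "guaranteed": guaranteed,
        "free_pool": free_pool,
        "burst_demand": burst_demand,
        "burst_oversubscribed": burst_demand > free_pool,
        "ceiling": ceiling,
        "cli": cli,
    }


if __name__ == "__main__":
    # The two-context layout from the post: 2000 guaranteed + 1000 burst each.
    plan = plan_vpn_classes(
        5000,
        [VpnClass("vpn-2000", other=2000, burst_other=1000)],
        {"context-a": "vpn-2000", "context-b": "vpn-2000"},
    )
    print("guaranteed:", plan["guaranteed"], "free pool:", plan["free_pool"])
    print("burst demand:", plan["burst_demand"],
          "burst oversubscribed:", plan["burst_oversubscribed"])
    print("per-context ceiling:", plan["ceiling"])
    print("\n".join(plan["cli"]))
```

Run as-is it reproduces the post's layout: 4000 guaranteed, a 1000-session free pool, a burst demand of 2000 (so the burst pool is oversubscribed), and a real ceiling of 3000 sessions for whichever context bursts first. Changing the class to 3000 guaranteed sessions per context makes the planner raise, which is the same constraint the ASA enforces on vpn other.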