Hardik_Patil_66
Explorer

Limitation on IPsec tunnel

 

Can you please update on the below queries?

1) How much load can we put on a single tunnel? Is there any traffic limitation over a single IPsec VPN tunnel?

2) How many IPsec tunnels can be created? Is there any limitation on creating IPsec tunnels?

0 Kudos
_Val_
Admin

Why is this in Maestro space? Are you asking specifically about Maestro environment? Or is this a general question?

0 Kudos
Hardik_Patil_66
Explorer

This is a general question.

0 Kudos
_Val_
Admin

Ok, I have moved your post to a more appropriate space. 

Answer to both questions: it depends on your Security Gateway performance. There is no hard limit on either throughput or the number of VPN tunnels, but the more you have, the more CPU time it will consume.

0 Kudos
Hardik_Patil_66
Explorer

Thanks for the update

0 Kudos
the_rock
Legend

Hey Hardik,

@_Val_ is indeed 100% correct. There is definitely not a hard limit to this; it all depends on how powerful the device is. It's sort of similar to the discussion as to what is the max number of regular/NAT rules one can create in SmartConsole. There was never a set limit to it. Honestly, in my 15 years dealing with CP, the MOST VPN tunnels I have seen someone have was 133 (I still remember that number well lol). And consider this was back in the R77.xx days, so now the code is way better/more stable. Also, the same applies for the bandwidth as well.

Andy

0 Kudos
PhoneBoy
Admin

It also depends on software version.
In the just-released R81.20, we have done a number of things to improve performance and stability for VPN:

  • Scalable VPN performance - 3 times faster to process simultaneous Remote Access and Site to Site VPN connections.
  • Major performance and stability improvement for Remote Access VPN and Site to Site VPN that delivers a significantly greater capacity for VPN tunnels.
  • Extended Security Gateway certificate validation capabilities for quicker authentication.
  • Resilient VPN architecture - multi-process architecture to handle IKE negotiations in dedicated scalable daemons, providing unprecedented resiliency.

If VPN performance is a concern, upgrading (or using) R81.20 is highly recommended.

0 Kudos
the_rock
Legend

Indeed, very true! I personally found with R81.10 and R81.20 that VPN performs much faster.

0 Kudos
Blason_R
Leader

Unfortunately, I did not get a chance to upgrade it to R80.20; however, the most desired thing is to create a separate VPN tunnel if we have multiple ISPs. Check Point is still not able to resolve the issue.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
Ruan_Kotze
Advisor

I once had a case where a customer logged a ticket due to a 5800 gateway being unresponsive, CPUs pegged, etc. I did some troubleshooting and narrowed it down to VPND. The customer, of course, insisted nothing had changed in the environment.

The gateway was the hub in a community with about 100 smaller sites hanging off it. Eventually I managed to run vpn tu and saw there was something like 30 000 tunnels!!! Long story short - one of the customer admins was troubleshooting an IPsec issue the previous evening and changed the VPN Tunnel sharing setting from "per pair of gateways" to "per pair of hosts" and due to traffic patterns the poor gateways started building tunnels until it almost melted :-)

Think I might still have a screenshot of the VPN TU output kicking around somewhere :-)

0 Kudos
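
Added example, not part of the thread and not Check Point code: a small Python model of why the tunnel sharing change described in the post above multiplies the tunnel count for the same traffic. The topology, addresses, host counts and mode labels are constructed assumptions; "subnet_pair" models the third tunnel sharing granularity (one tunnel per subnet pair), which the post does not mention.

```python
import ipaddress

# Constructed hub-and-spoke topology; all addresses and sizes are assumptions.
# Ten hub servers spread over two hub subnets (10.0.0.0/24 and 10.0.1.0/24).
HUB_SERVERS = [ipaddress.ip_address(f"10.0.{i % 2}.{10 + i}") for i in range(10)]

def build_flows(sites=100, hosts_per_site=30):
    """Constructed traffic: every host at every spoke site talks to every hub server."""
    flows = []
    for s in range(sites):
        for h in range(hosts_per_site):
            src = ipaddress.ip_address(f"172.16.{s}.{10 + h}")
            flows.extend((f"spoke-{s}", src, dst) for dst in HUB_SERVERS)
    return flows

def tunnel_key(flow, sharing):
    """Return the identity of the tunnel that would carry this flow."""
    spoke_gw, src, dst = flow
    if sharing == "gateway_pair":
        # One tunnel between each spoke gateway and the hub, whatever the hosts.
        return (spoke_gw, "hub")
    if sharing == "subnet_pair":
        # Assumes /24 subnets in each encryption domain.
        net = lambda ip: ipaddress.ip_network(f"{ip}/24", strict=False)
        return (net(src), net(dst))
    if sharing == "host_pair":
        # Every distinct source/destination host pair negotiates its own tunnel.
        return (src, dst)
    raise ValueError(f"unknown sharing mode: {sharing}")

def count_tunnels(flows, sharing):
    """Number of distinct tunnels the hub must hold for this traffic."""
    return len({tunnel_key(f, sharing) for f in flows})

if __name__ == "__main__":
    flows = build_flows()
    for mode in ("gateway_pair", "subnet_pair", "host_pair"):
        print(f"{mode:13s} {count_tunnels(flows, mode):6d} tunnels")
```

With these constructed numbers the hub holds 100 tunnels per gateway pair and 30,000 per host pair, so a tunnel count far above the number of peer gateways is a useful signal that the sharing setting was changed.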
the_rock
Legend

Oh man, that made me laugh, though it's not funny, but still... :-). Yeah, I think 30k tunnels would "MELT" any appliance LOL

0 Kudos
