This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Hardik_Patil_66
Explorer
‎2022-11-30 02:31 AM
Jump to solution

Limitation on Ipsec tunnel

 

Can you please update on below queries.

1) How much load can we put on single Tunnel. Is there any traffic limitation over a single IPsec VPN Tunnel?

2) How many IPsec Tunnel can be created? Is there any limitation for creation the IPsec Tunnel ?

0 Kudos
1 Solution

Accepted Solutions
_Val_
Admin
Admin
‎2022-11-30 03:23 AM
In response to Hardik_Patil_66
Jump to solution

Ok, I have moved your post to a more appropriate space. 

Answer to both questions: it depends on your Security Gateway performance. There is no hard limit on both throughput and amount of VPN tunnels, but more you have, more CPU time it will consume. 

View solution in original post

0 Kudos
10 Replies
_Val_
Admin
Admin
‎2022-11-30 03:04 AM
Jump to solution

Why is this in Maestro space? Are you asking specifically about Maestro environment? Or is this a general question?

0 Kudos
Hardik_Patil_66
Explorer
‎2022-11-30 03:11 AM
In response to _Val_
Jump to solution

This is the general question

0 Kudos
_Val_
Admin
Admin
‎2022-11-30 03:23 AM
In response to Hardik_Patil_66
Jump to solution

Ok, I have moved your post to a more appropriate space. 

Answer to both questions: it depends on your Security Gateway performance. There is no hard limit on both throughput and amount of VPN tunnels, but more you have, more CPU time it will consume. 

0 Kudos
Hardik_Patil_66
Explorer
‎2022-11-30 03:35 AM
In response to _Val_
Jump to solution

Thanks for the update

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2022-11-30 05:39 AM
Jump to solution

Hey Hardik,

@_Val_ is indeed 100% correct. There is definitely not a hard limit to this, it all depends on how powerful device is. Its sort of similar to discussion as to what is max number of regular/NAT rules one can create in smart console. There was never set limit to it. Honestly, in my 15 years dealing with CP, the MOST VPN tunnels I see someone have was 133 (I still remember that number well lol). And, consider this was back in R77.xx days, so now the code is way better/more stable. Also, same applies for the bandwidth as well.

Andy

0 Kudos
PhoneBoy
Admin
Admin
‎2022-11-30 11:04 AM
In response to the_rock
Jump to solution

It also depends on software version.
In the just released R81.20, we done a number of things to improve performance and stability for VPN:

  • Scalable VPN performance - 3 times faster to process simultaneous Remote Access and Site to Site VPN connections.
  • Major performance and stability improvement for Remote Access VPN and Site to Site VPN that delivers a significantly greater capacity for VPN tunnels.
  • Extended Security Gateway certificate validation capabilities for quicker authentication.
  • Resilient VPN architecture - multi-process architecture to handle IKE negotiations in dedicated scalable daemons, providing unprecedented resiliency.

If VPN performance is a concern, upgrading (or using) R81.20 is highly recommended.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2022-11-30 11:41 AM
In response to PhoneBoy
Jump to solution

Indeed, very true! I personally found with R81.10 and R81.20 that VPN performs much faster.

0 Kudos
Blason_R
MVP Gold
MVP Gold
‎2022-12-01 04:56 AM
In response to PhoneBoy
Jump to solution

Unfortunately I did not get a chance to upgrade it to R80.20 however the most desired thing is to create a separate VPN tunnel if we have multiple ISPs. Checkpoint still not able to resolve the issue.

Thanks and Regards,
Blason R
CCSA,CCSE,CCCS
0 Kudos
Ruan_Kotze
MVP Gold
MVP Gold
‎2022-12-01 02:13 AM
In response to the_rock
Jump to solution

I once had case where a customer logged a ticket due to a 5800 gateway being unresponsive, CPU's pegged etc.  did some troubleshooting and narrowed it down to VPND.  Customer of course insisted nothing changed in the environment.

The gateway was the hub in a community with about 100 smaller sites hanging off it. Eventually I managed to run vpn tu and saw there was something like 30 000 tunnels!!!  Long story short - one of the customer admins was troubleshooting an IPSEC issue the previous evening and changed the VPN Tunnel sharing setting from "per pair of gateways" to "per pair of hosts" and due to traffic patterns the poor gateways started building tunnels until it almost melted:-)

Think I might still have a screenhot of the VPN TU output kicking around somewhere:-)

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2022-12-01 05:05 AM
In response to Ruan_Kotze
Jump to solution

O man, that made me laugh, though its not funny, but still... : - ).Yea, I think 30k tunnels would "MELT" any appliance LOL

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events