let4
Participant

Software limit on the concurrent S2S vpn tunnels for GAIA OS?

Hi CheckMates!
I would like to know if GAIA OS has a hard limit on concurrent S2S VPN tunnels, or am I limited only by the performance of the hardware?
A little about the task - customer has about 10k third party devices that need to be connected using the star topology (to center only). The total bandwidth of the Internet channel is about 500 Mbit/s for ALL vpn tunnels. Traffic in these tunnels is very low.

0 Kudos
13 Replies
_Val_
Admin
Admin

No such maximum number is listed in the Release Notes: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_RN/Content/Topics-RN/Maximum...

However, 10K devices is a lot, even if they do not generate too much traffic. The main toll will be on CA & SPI negotiations, on the central GW side.

I would advise engaging PS to validate that this will work.

PhoneBoy
Admin
Admin

As @_Val_ said, there isn't a real software limit on this.
However, I will echo his point to involve someone from Check Point (either your Security Engineer or Professional Services) to validate the design.

Lesley
Leader
Leader

2 tips I have:

https://sc1.checkpoint.com/documents/R81/WebAdminGuides/EN/CP_R81_SitetoSiteVPN_AdminGuide/Topics-VP...

Large Scale VPN

A VPN that connects branch offices, worldwide partners, remote clients, and other environments, can reach hundreds or thousands of peers. A VPN on this scale brings new challenges.

Each time a new VPN peer is deployed in production configuration and policy installation is required for all participating VPN Gateways.

Large Scale VPN (LSV) addresses these challenges and facilitates deployment without the need for peer configuration and policy installation.

Second tip. I think there is a default software limit for VPN tunnels. Not 100% sure if this is related to VPN clients or site-to-site VPNs. I suspect the latter. See screenshot.

vpn-limit.jpg

-------
If you like this post please give a thumbs up (kudo)! 🙂
the_rock
Legend
Legend

I never really checked the max value for that option before, but it shows 1M... I mean, let's be honest... what FW on this planet could withstand 1 million VPN tunnels? LOL

Andy

the_rock
Legend
Legend

@Lesley made an excellent point with the screenshot. I had a Diamond guy tell me once that the value does not really have anything to do with the number of tunnels, meaning if you put 99k in there it does not mean you can create 99,000 tunnels (not at all), but it does help if you have LOTS of tunnels, for sure.

Andy

let4
Participant

Hi! Thank you very much for your answers. It helped me a lot.

the_rock
Legend
Legend

@let4 

FWIW, below is what Benny said back in 2017, but he never really answered where he got those numbers from. But, let's assume IF they are indeed correct, I would say, logically, the 6000 appliance series can probably support about 70K tunnels (just my "mathematical" estimate lol)

Andy


Screenshot_1.png

0 Kudos
let4
Participant

Hi! Thanks for the reply. As I understand it, there is no hard limit. The question remains how to size it correctly. As far as I remember, the VPN process in GAIA is able to work multithreaded. A large number of CPU cores should ensure stability. Is it possible to use Maestro for this task? Or is it not profitable?

0 Kudos
the_rock
Legend
Legend

I'm not a Maestro expert at all (I know the very basics of it), but I know we have a customer using it and they have lots of tunnels, no issues, most of them route-based actually.

So, I would say yes to that question.

Andy

0 Kudos
let4
Participant

Thanks for help!

0 Kudos
Bob_Zimmerman
Authority
Authority

Concurrent tunnels depend on RAM, not processor cores. In the past, Check Point included very little RAM in their default configurations, but they've gotten a bit better about that. Even the base 9100 has 16 GB of RAM now. That should be enough for 50k VPNs, no problem. Stick to gateway-to-gateway tunnels (both sides negotiate 0.0.0.0/0) to keep the number of keys per tunnel to a minimum.

Throughput (no matter how many tunnels) depends on processor power. As long as you have a relatively current processor, a single core can get well over a gigabit of throughput.
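To illustrate Bob's point about keeping the number of keys per tunnel small, here is an added Python model (not from any poster in this thread) that counts IPsec SA state for a hub-and-spoke topology under the two Check Point tunnel-sharing modes, "one tunnel per subnet pair" versus "one tunnel per gateway pair" (universal 0.0.0.0/0 selectors). The subnet lists and the per-SA memory figure are constructed assumptions for the calculation, not vendor numbers.

```python
# Added illustration, not from the thread: how the tunnel-sharing mode changes
# the amount of IPsec SA state a hub must hold for N spoke peers.
# Subnet lists and the KiB-per-SA figure are constructed assumptions.
from itertools import product


def phase2_selectors(hub_subnets, spoke_subnets, per_gateway_pair):
    """Traffic selectors (local, remote) that ONE spoke negotiates with the hub."""
    if per_gateway_pair:
        # "One VPN tunnel per Gateway pair": a single universal selector,
        # regardless of how many subnets sit behind either side.
        return [("0.0.0.0/0", "0.0.0.0/0")]
    # "One VPN tunnel per subnet pair": every hub/spoke subnet combination
    # gets its own Phase 2 negotiation and its own keys.
    return list(product(hub_subnets, spoke_subnets))


def count_sas(peers, hub_subnets, spoke_subnets, per_gateway_pair):
    """Total IPsec SAs on the hub: each selector yields an inbound and an outbound SA."""
    per_spoke = len(phase2_selectors(hub_subnets, spoke_subnets, per_gateway_pair))
    return peers * per_spoke * 2


def ram_budget_mib(sas, kib_per_sa):
    """Rough RAM for SA state given an assumed per-SA footprint in KiB."""
    return sas * kib_per_sa / 1024


if __name__ == "__main__":
    hub = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"]   # constructed
    spoke = ["192.168.1.0/24", "192.168.2.0/24"]          # constructed
    for mode in (False, True):
        n = count_sas(10_000, hub, spoke, mode)
        print(f"per_gateway_pair={mode}: {n} SAs, "
              f"~{ram_budget_mib(n, 8):.0f} MiB at an assumed 8 KiB/SA")
```

With three hub subnets and two spoke subnets the per-subnet-pair mode holds six times the SA state of the gateway-pair mode for the same 10k peers; change the assumed subnet counts to see how quickly it grows.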

PhoneBoy
Admin
Admin

There are some parts of VPN that have historically been single core, which can create some scalability issues.
R81.20 has made some additional improvements in this area, as I recall.

Maestro certainly leverages all this, but again, I would have someone from Check Point validate your proposed design.
