topic Re: How many IPSEC VPN peers can PA-5220 handle ? in General Topics

How many IPSEC VPN peers can PA-5220 handle ?

bhushitda — Tue, 20 Mar 2018 08:08:17 GMT

Hi All,

We are having a scenario where we are supporting various vendors through IPSEC VPN and we were using Cisco ASA 5585-X for that.

The problem is we are nearing the 4000 total active tunnels now and ASA is facing some issues handling that much tunnels, so we are thinking to migrate these tunnels to PA-5220.

Now when I reffered to the data sheet of PA-5220, it shows the following :

IPSec VPN:

Site to site -- 10,000

Max IKE Peers -- 3000

Is that mean it can olny support 3000 IKE peers ?

Also, please let me know which model can support around 5000 simultaneous IPSEC site-to-site tunnels.

Thanks in Advance

Re: How many IPSEC VPN peers can PA-5220 handle ?

Remo — Tue, 20 Mar 2018 08:33:56 GMT

Hi @bhushitda

At least this means that PaloAlto officially supports "only" 3000 ike peers. You can have a lot more IPSec phase 2 tunnels, this is what the number at "site to site vpn tunnels" mean.

The PA-5260 supports 5000 ike peers. Or you could go with 3xPA-3020 (probably less expensive than a PA-5260). The PA-3020 supports up to 2000 ike peers.

Regards,

Remo

Re: How many IPSEC VPN peers can PA-5220 handle ?

bhushitda — Tue, 20 Mar 2018 13:38:05 GMT

Thanks @Remo, for your prompt reply

As per your clarification then, when my batch of 3000 IKE peers have transitioned into phase-2(ipsec) , then I can have 3000 more(and different) IKE peers ?

Can I deploy 3xPA-3020 in cluster, I think they support max 2 units. Correct me if I am wrong !!

Thanks Again for your valuable inputs !!

Regards,

Bhushit Dave

Re: How many IPSEC VPN peers can PA-5220 handle ?

Remo — Tue, 20 Mar 2018 14:33:33 GMT

Hi @bhushitda

With route based vpn (phase 2 between 0.0.0.0/0 and 0.0.0.0/0) you have one "site to site vpn tunnel" per ike gateway.

If route based isn't possible and a peer requires policy based then you need to configure proxy IDs in the ipsec tunnel configuration. These IPsec configurarions are bound to an ike gateway but per ipsec tunnel configuration you can have up to 30 proxy IDs (not absolutely sure about that). So this way you could have 30 "site to site vpn tunnels" with only one ike gateway/peer.

About the 3020s: no you cannot have a 3 node cluster. I was mentionning this because of the costs. If you want a HA setup you need 6xPA-3020, which means three independent clusters (active active I would NOT recommend here because if you have 2000 one one node and 2000 on the second node you will have issues with 2000 tunnels when there is a problem with one node or in case of updates).

But this solution allows you to grow over time --> simply buy a new cluster when you need it instead of a 5260 cluster right now.

If you want to have ALL connections on one firewall (cluster) then the PA-5260 is your only option. The PA-7080 "only" supports up to 8000 ike peers.

Hope this helps.

Regards,

Remo

Re: How many IPSEC VPN peers can PA-5220 handle ?

bhushitda — Wed, 21 Mar 2018 11:15:58 GMT

Thanks @Remo

Since all my tunnels are policy-based, I must have 5000 IKE peers able to negotiate and connect with the device.

So my only option ssems to be PA-5260, as you also suggested.

Managing 3 different HA pairs will not be a good idea so will not be going the PA-3020 way.

Thankyou very much,

Bhushit