We are having a scenario where we are supporting various vendors through IPSEC VPN and we were using Cisco ASA 5585-X for that.
The problem is we are nearing the 4000 total active tunnels now and ASA is facing some issues handling that much tunnels, so we are thinking to migrate these tunnels to PA-5220.
Now when I reffered to the data sheet of PA-5220, it shows the following :
Site to site -- 10,000
Max IKE Peers -- 3000
Is that mean it can olny support 3000 IKE peers ?
Also, please let me know which model can support around 5000 simultaneous IPSEC site-to-site tunnels.
Thanks in Advance
Solved! Go to Solution.
At least this means that PaloAlto officially supports "only" 3000 ike peers. You can have a lot more IPSec phase 2 tunnels, this is what the number at "site to site vpn tunnels" mean.
The PA-5260 supports 5000 ike peers. Or you could go with 3xPA-3020 (probably less expensive than a PA-5260). The PA-3020 supports up to 2000 ike peers.
Thanks @vsys_remo, for your prompt reply
As per your clarification then, when my batch of 3000 IKE peers have transitioned into phase-2(ipsec) , then I can have 3000 more(and different) IKE peers ?
Can I deploy 3xPA-3020 in cluster, I think they support max 2 units. Correct me if I am wrong !!
Thanks Again for your valuable inputs !!
With route based vpn (phase 2 between 0.0.0.0/0 and 0.0.0.0/0) you have one "site to site vpn tunnel" per ike gateway.
If route based isn't possible and a peer requires policy based then you need to configure proxy IDs in the ipsec tunnel configuration. These IPsec configurarions are bound to an ike gateway but per ipsec tunnel configuration you can have up to 30 proxy IDs (not absolutely sure about that). So this way you could have 30 "site to site vpn tunnels" with only one ike gateway/peer.
About the 3020s: no you cannot have a 3 node cluster. I was mentionning this because of the costs. If you want a HA setup you need 6xPA-3020, which means three independent clusters (active active I would NOT recommend here because if you have 2000 one one node and 2000 on the second node you will have issues with 2000 tunnels when there is a problem with one node or in case of updates).
But this solution allows you to grow over time --> simply buy a new cluster when you need it instead of a 5260 cluster right now.
If you want to have ALL connections on one firewall (cluster) then the PA-5260 is your only option. The PA-7080 "only" supports up to 8000 ike peers.
Hope this helps.
Since all my tunnels are policy-based, I must have 5000 IKE peers able to negotiate and connect with the device.
So my only option ssems to be PA-5260, as you also suggested.
Managing 3 different HA pairs will not be a good idea so will not be going the PA-3020 way.
Thankyou very much,
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!