[c-nsp] How to terminate 100.000 IPsec VPN clients?

Jeff Kell jeff-kell at utc.edu
Tue Sep 6 22:05:46 EDT 2011


On 9/6/2011 8:09 PM, Chris Evans wrote:
> Checked the 5585 limits?  It's supposed to blow a 5580 out of the water...
> On paper.

I don't think anyone has mentioned it yet, but there is also ASA VPN
Load Balancing clusters.  You can combine a number of boxes together,
configure the cluster (participation channel/key plus a virtual IP for
the cluster) members.

Clients connect to the cluster, it forwards them to the member with the
least load.

It's a bit "manual" setting up the members (you have to ensure all
insides/outsides are on same subnets, with equivalent VPN
groups/policies across the board, there's no auto-synchronization like
you get with failover pairs), but it works.  Each box will need its own
internal VPN IP pool and routing, etc.

Just got through doing a POC of a small cluster (as opposed to an
active/standby pair) on latest 8.x software, but given that I'm
terminating several orders of magnitude less than 100K clients <grin>
I'll take the simplicity of the failover pair.

Jeff
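
Added example, not part of the post above and not Cisco tooling: because load-balancing members do not synchronize configuration, a pre-deployment check along these lines can catch the mismatches the post lists (interface subnets, VPN group policies, overlapping per-box pools). The inventory format, host names, addresses and policy names are constructed assumptions; extracting them from each box's configuration is not shown.

```python
import ipaddress
from itertools import combinations

# Constructed inventory: one entry per cluster member (hypothetical names/addresses).
MEMBERS = {
    "asa-1": {"outside": "198.51.100.11/24", "inside": "10.0.0.11/24",
              "pool": "10.10.0.0/18", "policies": {"staff", "vendors"}},
    "asa-2": {"outside": "198.51.100.12/24", "inside": "10.0.0.12/24",
              "pool": "10.10.64.0/18", "policies": {"staff", "vendors"}},
    # Deliberately wrong: different inside subnet, pool inside asa-2's,
    # and a missing group policy.
    "asa-3": {"outside": "198.51.100.13/24", "inside": "10.0.1.13/24",
              "pool": "10.10.64.0/19", "policies": {"staff"}},
}


def check_cluster(members):
    """Return a list of findings; an empty list means the members are consistent."""
    findings = []

    # All outside interfaces must share one subnet, and likewise all insides.
    for side in ("outside", "inside"):
        subnets = {ipaddress.ip_interface(m[side]).network for m in members.values()}
        if len(subnets) > 1:
            findings.append(("subnet-mismatch", side))

    for (a, ma), (b, mb) in combinations(sorted(members.items()), 2):
        # Each box needs its own client address pool, so pools must not overlap.
        pool_a = ipaddress.ip_network(ma["pool"])
        pool_b = ipaddress.ip_network(mb["pool"])
        if pool_a.overlaps(pool_b):
            findings.append(("pool-overlap", a, b))
        # A client can land on any member, so policy sets must be equivalent.
        if ma["policies"] != mb["policies"]:
            findings.append(("policy-drift", a, b))

    return findings


if __name__ == "__main__":
    for finding in check_cluster(MEMBERS):
        print(*finding)
```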

