Cisco ASA – Terminating Over 5000 IPSec VPN Connections

Tags: cisco, cisco-asa, ipsec, vpn

We have a project where we need to terminate a large number of IPSec VPN peers. At the moment we are using Cisco ASA 5555-X appliances with VPN Premium license.

We terminate at the moment about 2000 IPSec VPN connection but we are in full deployment and we get about 2000 new peers per year. The maximum amount of VPN peers is 5000 with this platform, according to Cisco website.

All connections are very low bandwidth and we don't use any kind of fancy features on the ASA. CPU usage is less than 2% and memory usage less than 25%. Technically I am pretty sure we can easily support 6000 connections, resource-wise. The license is another issue.

Is there any way to extend the license of the ASA 5555-X to support more than 5000 IPSec VPN peers?

The alternative would be to go to the next level, ASA 5585-X which supports up to 10000 VPN peers but that's quite more expensive. Adding another ASA 5555-X would also work but that's not very scalable and would make the whole setup more complex.

What other choices do I have for terminating 5000+ IPSec VPN peers? What do other people use in such large-scale projects while keeping things scalable?

Best regards,
Stefan

Best Answer

You can ask your partner for CTMP, and get better pricing (deeper discount) for a 5585-X in exchange for your 5555-X. The other option (as clustering doesn't support remote VPNs) is to have a load balancer in front of a set of ASAs doing the hard job of splitting the load.