SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Design question: Maximum number of users via IPsec at branch office?

    Posted 12-01-2014 18:07

    Hello Support Community,

     

    I would like to get some feedback from folks supporting networks via IPsec tunnels using SRX devices. From a design perspective and in real-world scenarios, what is the maximum number of users that you would be able to support at a remote branch office via IPsec tunnel? Let's assume that you have redundant ISP connections and plenty of bandwidth available, redundant tunnels as well as redundant hardware.

     

    I have gone through the datasheet and it claims to be "unrestricted", but in the real world, what is the breaking point before you start seeing issues related to performance, reliability, and peace of mind 🙂

     

    http://www.juniper.net/us/en/local/pdf/datasheets/1000281-en.pdf

     

    Is the maximum 200, 500, or 1000 users?

     



  • 2.  RE: Design question: Maximum number of users via IPsec at branch office?

    Posted 12-01-2014 18:25

    Hi

     

    I have gone through the document but I do not see where it is mentioned as unlimited for VPN.

     

    As per that sheet, the maximum number of concurrent tunnels is 3000 and the maximum number of remote users is 500.

     

    Regards

    rparthi

     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too

     



  • 3.  RE: Design question: Maximum number of users via IPsec at branch office?

    Posted 12-01-2014 18:59

    The user "unrestricted" label is a legacy from the bad old days of small office firewalls many years ago.  Many vendors used to count the number of trust zone IP addresses that crossed the firewall and stop setting up new sessions when the "user limit" was reached by the counter.  As a result, vendors that did not apply a user count restriction in their software, like Netscreen/Juniper, would put "unrestricted users" into their spec sheets.

     

    Once a spec hits the sheet they pretty much never go away.

     

    Number of users is not a good measure of firewall usage universally, but it can be consistent within a particular organization.  Typically you are going to hit one of the limits of the system, and which limit you hit varies depending on your company's usage.  Bandwidth, number of sessions, number of IPsec tunnels and the bandwidth limit for IPsec are the most common limits to cross, in my experience, for a remote site.

     

    If you have some existing sites you can take a look at these for actual usage versus your number of users.  This can then give you a rough idea of what you need for your own user profile.



  • 4.  RE: Design question: Maximum number of users via IPsec at branch office?
    Best Answer

    Posted 12-01-2014 19:44

    Thank you Steve for your input. I do have a number of small IPsec sites, the largest one with 35 users. I was just looking for some real-world feedback from the community as to how large, in terms of users and maybe bandwidth utilization, their remote IPsec sites are, and whether they have experienced any issues with performance or reliability of IPsec tunnels on SRX when reaching x number of users or load. I understand there are going to be hardware limitations based on the different SRX models, but let's just assume that we are under the device's maximum performance capacity, and the budget is pretty flexible so we have plenty of bandwidth and redundant everything. I'm considering adding a larger site with about 100 folks (equal to 3-4 times the network load of my largest site to this day, meaning I'm within the maximum performance capacity of a pair of SRX240s in this case).  Once again, thanks for your feedback.

     

    rparthi, please see the screenshot.

    SRX_Comparison.png



  • 5.  RE: Design question: Maximum number of users via IPsec at branch office?

    Posted 12-01-2014 22:00

    Hi Delmiro,

     

    Thanks for update.

     

    I was referring to the IPsec section of the datasheet.

     

    There is no restriction on the number of users who will be using the VPN resources.

    The SRX does not make use of user information for VPN traffic.

     

    For the SRX, it is only the number of connections from source and destination machines.

     

    As long as the number of concurrent sessions is under the device capacity, you will not see any issues like throughput or latency.

     

    Below is the IPsec section of the datasheet. It mentions the number of tunnels supported.

    Note: there is a remote user list as well. It is for dynamic client-to-site VPN and not for site-to-site VPN.

     

     Capture1.PNG

     

     

     

    Regards,

     

    rparthi

     

    Please Mark My Solution Accepted if it Helped, Kudos are Appreciated Too
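The approach that replies 3 and 5 converge on is that the platform counts sessions, tunnels and bytes, not users, so the honest way to size a new branch is to measure per-user session and throughput peaks at existing sites, scale them to the planned head count, and compare the result with the platform's session, IPsec throughput and tunnel limits with some headroom. The Python script below is an added example, not code from this thread or from Juniper; the site measurements and the device limit values in it are constructed placeholders, not datasheet figures for any SRX model, and the function names are my own.

```python
"""Rough capacity projection for a new IPsec branch site.

Added example, not code from the thread or from Juniper. Constructed
inputs: per-site peak measurements from existing branches (users, peak
concurrent sessions, peak IPsec throughput in kbit/s) and a hypothetical
device limit table. The limit numbers are placeholders, not datasheet
values for any SRX model; substitute your own measurements and limits.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class SiteSample:
    name: str
    users: int
    peak_sessions: int   # peak concurrent flow-table sessions observed
    peak_kbps: int       # peak IPsec throughput observed, kbit/s


@dataclass(frozen=True)
class DeviceLimits:
    max_sessions: int    # concurrent sessions the platform can hold
    max_ipsec_kbps: int  # IPsec throughput ceiling, kbit/s
    max_tunnels: int     # concurrent IPsec tunnels


# Constructed sample measurements from hypothetical existing branches.
EXISTING_SITES: List[SiteSample] = [
    SiteSample("branch-a", users=35, peak_sessions=2100, peak_kbps=14000),
    SiteSample("branch-b", users=20, peak_sessions=1200, peak_kbps=8000),
    SiteSample("branch-c", users=10, peak_sessions=600, peak_kbps=4000),
]

# Hypothetical placeholder limits for the hub device.
HUB_LIMITS = DeviceLimits(max_sessions=16000, max_ipsec_kbps=100000, max_tunnels=50)


def per_user_profile(sites: List[SiteSample]) -> Dict[str, float]:
    """Average peak sessions and throughput per user across measured sites.

    The device counts sessions and bytes, not users, so the user count
    only matters as a way to scale measurements to a new site."""
    total_users = sum(s.users for s in sites)
    if total_users == 0:
        raise ValueError("need at least one site with users")
    return {
        "sessions_per_user": sum(s.peak_sessions for s in sites) / total_users,
        "kbps_per_user": sum(s.peak_kbps for s in sites) / total_users,
    }


def project_site(users: int, profile: Dict[str, float], tunnels: int) -> Dict[str, float]:
    """Scale the per-user profile to a planned site with the given tunnel count."""
    return {
        "sessions": users * profile["sessions_per_user"],
        "kbps": users * profile["kbps_per_user"],
        "tunnels": tunnels,
    }


def check_fit(projection: Dict[str, float], limits: DeviceLimits,
              tunnels_in_use: int = 0, headroom_pct: int = 70) -> Dict[str, Tuple[float, bool]]:
    """Compare each projected demand against the usable share of each limit.

    Returns, per limit, the utilisation as a fraction of the raw limit and
    whether the demand stays within the headroom budget (default 70%)."""
    checks = {
        "sessions": (projection["sessions"], limits.max_sessions),
        "ipsec_kbps": (projection["kbps"], limits.max_ipsec_kbps),
        "tunnels": (projection["tunnels"] + tunnels_in_use, limits.max_tunnels),
    }
    result: Dict[str, Tuple[float, bool]] = {}
    for name, (demand, limit) in checks.items():
        usable = limit * headroom_pct / 100
        result[name] = (demand / limit, demand <= usable)
    return result


def max_users_within(limits: DeviceLimits, profile: Dict[str, float],
                     headroom_pct: int = 70) -> Tuple[int, str]:
    """Largest single site that fits within headroom, and which limit binds first."""
    by_sessions = int(limits.max_sessions * headroom_pct / 100 / profile["sessions_per_user"])
    by_kbps = int(limits.max_ipsec_kbps * headroom_pct / 100 / profile["kbps_per_user"])
    if by_kbps < by_sessions:
        return by_kbps, "ipsec_kbps"
    return by_sessions, "sessions"


if __name__ == "__main__":
    profile = per_user_profile(EXISTING_SITES)
    planned = project_site(100, profile, tunnels=2)  # two tunnels: one per ISP
    for name, (util, ok) in check_fit(planned, HUB_LIMITS, tunnels_in_use=6).items():
        print(f"{name:11s} {util:6.1%} {'ok' if ok else 'OVER HEADROOM'}")
    users, first_limit = max_users_within(HUB_LIMITS, profile)
    print(f"largest single site within headroom: {users} users (bound by {first_limit})")
```

Peak values, not averages, are what matter here: a session table that is fine on average but fills up at 9 a.m. is exactly the "breaking point" the original question asks about, so feed the script the busiest samples you have.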