Can anyone help out with experiences on SRX240 IPSec VPN tunnels? Specifically the 'actual' maximum number supported?
I posed a question to JTAC to clarify the number (1000 according to the datasheet), and was advised that the total IPSec VPN concurrency was tested without any other feature enabled, and that therefore it may do more, and that the number is theoretical. That's a bit of a fluffy answer.
We have a customer who currently has 944 on their 240 cluster, and we're obviously wondering just how much further the 240 will go (there are some more tunnels to go on in the near-future).
So, in everyone's experience -
1. Is the 1000 tunnel number a hard limit or theoretical?
2. If it's theoretical, does anyone have experience past 1000 tunnels? If so, how many?
PS: Let's just ignore how long it takes to commit that config, shall we? 🙂
Some limits on the spec sheet are hard coded and some are best estimates based on resources.
JTAC is your best source to know for certain which applies in any particular case.
For the resource-based estimates your mileage may vary as you note. I think the best way to approach this on a particular deploy is to look at the history of the device in question in your network monitoring system for CPU, memory and bandwidth. As the usage changes over time you can see what the device is actually able to handle in that traffic pattern and configuration.
Steve Puluka BSEET - Juniper Ambassador IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP) http://puluka.com/home
Are you running an A/A or A/P cluster? In A/P all tunnels terminate on the active node. In A/A tunnels can terminate on either node. So I think theoretically speaking, it should be able to easily accommodate close to 2k concurrent tunnels in A/A mode.
This thread is a bit old now, but I thought I'd post the fact that the SRX240 cluster is happy with more than 1000 tunnels. We put another 17 on there this morning and it hasn't fallen into a blackhole.
ipperf@SRX240H2-02> show security ipsec security-associations