How to reduce the number of Site-to-Site VPN Tunnels configured on the Firewall
10948
Created On 03/23/23 17:57 PM - Last Modified 11/29/23 17:27 PM
Objective
- Check the maximum number of Site-to-Site VPN Tunnels supported by the Firewall.
- Check the current number of configured Site-to-Site VPN Tunnels on the Firewall.
- Reduce the number of Site-to-Site VPN Tunnels of a locally managed Firewall.
- Reduce the number of Site-to-Site VPN Tunnels of a Panorama managed Firewall.
Environment
- NGFW
- Site-to-Site VPN Tunnels
- IPsec Tunnel
Procedure
- Check the maximum capacity of Site-to-Site VPN Tunnels for your Firewall.
  - Use Firewall CLI:
  show system state filter cfg.general.max* | match max-tunnel
  - Note: If the value is listed in hexadecimal (0x prefix), convert it to decimal. Most recent platforms and PAN-OS versions list the value in decimal.
  - Alternatively, on the Product Selection web page click Show More under your platform name to find the maximum for Site to site (with proxy id).
  - For a VM-Flex Firewall, refer to Maximum Limits Based on Tier and Memory for your PAN-OS release (separate documents cover releases lower than 10.2.x and releases 10.2.x and higher). The memory size (memory profile) determines the capacity of the firewall; check the memory profile in the "vm-cap-tier:" line of the Firewall CLI output.
- Count the current number of Site-to-Site IPSec Tunnels configured on the Firewall.
  - In the web interface go to NETWORK > IPSec Tunnels and note the number of items listed.
  - If Proxy IDs are configured under the IPSec Tunnel window > Proxy IDs, each Proxy ID counts as one Site-to-Site IPSec Tunnel; a tunnel with no Proxy ID counts as one. An IPSec tunnel with n Proxy IDs therefore contributes n to the total, so add (n-1) to the number of items noted in the previous step for each IPSec Tunnel that has Proxy IDs to compute the total number of Site-to-Site IPSec Tunnels configured on your Firewall.
- For a locally managed Firewall:
  - Delete unused IPSec Tunnels configured under NETWORK > IPSec Tunnels.
  - Delete unused Proxy IDs configured under NETWORK > IPSec Tunnels > Proxy IDs.
  - Summarize (supernet) the Proxy IDs configured under NETWORK > IPSec Tunnels > Proxy IDs. Each Proxy ID entry counts towards the total number of Site-to-Site IPSec Tunnels, so consider a single entry for 10.0.0.0/8 instead of separate entries for 10.1.0.0/16 and 10.2.0.0/16. The wider Proxy ID must be mirrored in the peer's traffic selectors, and it also admits traffic for addresses that were not covered before, so confirm the new range is acceptable on both sides before committing.
- For a Panorama managed Firewall:
  - Revisit your template and template stack assignments (IPSec Tunnels are Network settings pushed from Templates): consider placing the Firewall(s) with a lower capacity limit under a different template than the Firewall(s) with a higher capacity limit, so that tunnels needed only by the larger platforms are not pushed to the smaller ones.
  - Delete unused IPSec Tunnels configured under Templates > NETWORK > IPSec Tunnels.
  - Reduce the number of Proxy IDs configured under Templates > NETWORK > IPSec Tunnels > Proxy IDs.
- If, after following the recommendations above, you still cannot reduce the number of Site-to-Site VPN Tunnels below the capacity limit of the Firewall:
  - For a hardware Firewall, consider upgrading to a higher capacity platform.
  - For a VM-Flex Firewall running a version lower than 10.2.0, consider upgrading to 10.2.0 or higher to take advantage of the increased configuration capacity offered by the Memory Scaling feature of the VM-Series Firewall. Also consider increasing the Firewall memory/RAM to increase the capacity of your VM-Flex Firewall.
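The counting rule (n Proxy IDs count as n tunnels, a tunnel without Proxy IDs counts as one), the hexadecimal max-tunnel value and the Proxy ID summarization step above can be checked offline against an exported configuration. The following script is an added example written for this article; it is not a Palo Alto Networks tool. It assumes the exported running-config.xml places IPSec tunnels at network/tunnel/ipsec/entry with Proxy IDs under auto-key/proxy-id/entry, and the CLI output line and the config excerpt it parses are constructed samples. The summarization helper computes the tightest single prefix that covers a tunnel's local Proxy ID networks (10.0.0.0/14 for 10.1.0.0/16 through 10.3.0.0/16), which is narrower than the 10.0.0.0/8 the article uses as an illustration.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample of the CLI output for
#   show system state filter cfg.general.max* | match max-tunnel
# The value is deliberately hexadecimal (0x3e8 = 1000) to exercise the
# conversion the article warns about. The exact key/format is assumed.
MAX_TUNNEL_OUTPUT = "cfg.general.max-tunnel: 0x3e8\n"

# Constructed excerpt of an exported running-config.xml (element layout assumed:
# network/tunnel/ipsec/entry/auto-key/proxy-id/entry). Three tunnels: one with
# three Proxy IDs, one with a single Proxy ID, one with none.
CONFIG_XML = """<config>
  <devices>
    <entry name="localhost.localdomain">
      <network><tunnel><ipsec>
        <entry name="to-branch-1"><auto-key><proxy-id>
          <entry name="p1"><local>10.1.0.0/16</local><remote>192.168.10.0/24</remote></entry>
          <entry name="p2"><local>10.2.0.0/16</local><remote>192.168.10.0/24</remote></entry>
          <entry name="p3"><local>10.3.0.0/16</local><remote>192.168.10.0/24</remote></entry>
        </proxy-id></auto-key></entry>
        <entry name="to-branch-2"><auto-key><proxy-id>
          <entry name="p1"><local>172.16.0.0/24</local><remote>192.168.20.0/24</remote></entry>
        </proxy-id></auto-key></entry>
        <entry name="to-cloud"><auto-key/></entry>
      </ipsec></tunnel></network>
    </entry>
  </devices>
</config>"""


def parse_max_tunnel(cli_output: str) -> int:
    """Return the max-tunnel capacity as an int, accepting 0x... or decimal."""
    match = re.search(r"max-tunnel[^:]*:\s*(0x[0-9a-fA-F]+|\d+)", cli_output)
    if not match:
        raise ValueError("max-tunnel value not found in CLI output")
    return int(match.group(1), 0)  # base 0 handles both "0x3e8" and "1000"


def tunnels_with_proxy_ids(config_xml: str) -> dict:
    """Map each IPSec tunnel name to the list of its Proxy ID local networks."""
    root = ET.fromstring(config_xml)
    result = {}
    for tunnel in root.iterfind("./devices/entry/network/tunnel/ipsec/entry"):
        locals_ = [p.findtext("local") for p in tunnel.iterfind("./auto-key/proxy-id/entry")]
        result[tunnel.get("name")] = [net for net in locals_ if net]
    return result


def count_site_to_site(config_xml: str) -> dict:
    """Article's rule: n Proxy IDs count as n tunnels; no Proxy ID counts as 1."""
    return {name: max(1, len(locs))
            for name, locs in tunnels_with_proxy_ids(config_xml).items()}


def total_site_to_site(config_xml: str) -> int:
    return sum(count_site_to_site(config_xml).values())


def covering_supernet(networks) -> str:
    """Smallest single prefix that contains every network in the list."""
    nets = [ipaddress.ip_network(n, strict=False) for n in networks]
    if len({n.version for n in nets}) != 1:
        raise ValueError("cannot summarize mixed IPv4/IPv6 Proxy IDs")
    cover = nets[0]
    while not all(n.subnet_of(cover) for n in nets):
        cover = cover.supernet()  # widen by one bit until everything fits
    return str(cover)


def capacity_report(cli_output: str, config_xml: str) -> dict:
    """Compare configured count to the platform limit and suggest summaries."""
    maximum = parse_max_tunnel(cli_output)
    configured = total_site_to_site(config_xml)
    suggestions = {name: covering_supernet(locs)
                   for name, locs in tunnels_with_proxy_ids(config_xml).items()
                   if len(locs) > 1}
    return {"max": maximum, "configured": configured,
            "headroom": maximum - configured,
            "supernet_suggestions": suggestions}


if __name__ == "__main__":
    print(capacity_report(MAX_TUNNEL_OUTPUT, CONFIG_XML))
```

Run it against a real export by replacing CONFIG_XML with the file contents and MAX_TUNNEL_OUTPUT with the pasted CLI line; a negative headroom means the configuration already exceeds the platform limit. Any suggested supernet still has to be agreed with the remote peer before it replaces the individual Proxy IDs.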