If the local configuration does not specify a group, the ASA assumes a default of group2. If the local configuration does not specify PFS, it accepts any offer of PFS from the peer. The best practice is to configure all VPN peers with PFS and a matching Diffie-Hellman group.
Consider a failover pair of Cisco ASA 5525-X appliances where both the primary and secondary units have active AnyConnect Premium Peers licenses for 500 sessions each. After aggregating these capacities, each device in this failover pair allows up to 750 sessions for this feature.

Other VPN Peers : 50
Total VPN Peers : 50
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
Advanced Endpoint Assessment : Disabled
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Enabled

VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 750
Shared License : Disabled
AnyConnect for Mobile : Enabled
AnyConnect for Cisco VPN Phone : Disabled

So we currently have an ASA 5520 that has a VPN Plus License. When I do show ver, this is what I get.

Maximum Physical Interfaces : Unlimited
Maximum VLANs : 150
Inside Hosts : Unlimited
Failover : Active/Active
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 2
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 750
Shared License : Disabled
AnyConnect for Mobile : Disabled

Company purchased a Cisco ASA 5512-X a few months ago to replace a PIX. The ASA was installed about a month ago and since then the ASA randomly reboots every few days. The device is definitely rebooting, as the uptime changes and it goes down for about 4 minutes.
This platform has an ASA 5520 VPN Plus license. You'll notice that in the output I have only two SSL VPN Peers. This is because Cisco makes you license the SSL VPN peers.
Petes-ASA# show version

Cisco Adaptive Security Appliance Software Version 9.8(2)24
Firepower Extensible Operating System Version 2.2(2.75)
Device Manager Version 7.8(2)151

Compiled on Thu 01-Mar-18 20:21 PST by builders
System image file is "disk0:/asa982-24-lfbff-k8.SPA"
Config file at boot was "startup-config"

Petes-ASA up 146 days 1 hour
1) Ensure there are enough AnyConnect Premium Peers installed on the new ASA. The ASA ships with only two AnyConnect Premium Peers, so a maximum of two AnyConnect clients can connect at the same time. The total number of AnyConnect Premium Peers available is ASA platform dependent.

ciscoasa# show version
Cisco Adaptive Security Appliance Software Version 9
Apr 18, 2013

ASA Performance and Capabilities on Firepower Appliances
Stateful inspection firewall throughput: 20 Gbps
Stateful inspection firewall throughput (multiprotocol): 10 Gbps
Concurrent firewall connections: 3 million
New connections per second: 75000
IPsec VPN throughput (450B UDP L2L test): 2 Gbps
IPsec/Cisco AnyConnect/Apex site-to-site VPN peers: 10000