Welcome to ISAserver.org


Is there a practical limit on the number of site-to-site connections?

Is there a practical limit on the number of site-to-sit... - 17.May2007 2:19:24 PM   
mikemalter
Posts: 60
Joined: 9.Oct.2002
From: San Rafael, CA
Does anybody know what the practical limits are on the number of site-to-site connections ISA Server 2004 Standard Edition can support?  We are managing Windows servers running telephony services in remote locations throughout the US and we could possibly have as many as 40 servers out there.  I am doing some advance planning right now, and would like to know how scalable this site-to-site model is.

By the way, we are also supporting a number of VPN users and everything seems to be coexisting nicely.

Any thoughts would be appreciated.

Thanks.

_____________________________

Mike Malter
Mike Malter & Associates, Inc.
Post #: 1
RE: Is there a practical limit on the number of site-to... - 12.Jun.2008 9:30:20 AM   
linch_y
Posts: 4
Joined: 12.Jun.2008
I know its a bit late but... What happened with your research?

It looks like I am hitting such limit...

We have about 16 active site-to-site VPNs (PPTP and IPSec)... After we added 2~3 additional VPNs the ISA server started taking up to 40 minutes to apply configuration changes... with 16 site VPNs it was about a few seconds...
Each new site VPN after the 16th was adding many minutes to the time it took to apply the changes...

So what happened with your research?

(in reply to mikemalter)
Post #: 2
RE: Is there a practical limit on the number of site-to... - 12.Jun.2008 9:45:19 AM   
mikemalter
Posts: 60
Joined: 9.Oct.2002
From: San Rafael, CA
We had as many as 12 people with VPN connections along with 12 servers with persistent connections all going at the same time with no performance hits. 

We are doing everything PPTP.

The ISA box has 4 gigs of RAM, and only 128 megs allocated to SQL.  Activity involves constant back and forth between VPN users, and every 15 minutes we have about 2 minutes of intense activity from the servers.

In addition we have 18 web sites published and those guys are going most of the time, however they are being used by developers and management personnel.  We use a completely different environment to support our production web sites.

I am no longer with the client that has this configuration, but I hear they will be adding an additional 20 servers over the next few months.

Hope this helps.

_____________________________

Mike Malter
Mike Malter & Associates, Inc.

(in reply to linch_y)
Post #: 3
RE: Is there a practical limit on the number of site-to... - 12.Jun.2008 10:12:31 AM   
linch_y
Posts: 4
Joined: 12.Jun.2008
Our box is strong enough - P4 HT with 4GB RAM.. The CPU is around 20% most of the time...

but when there is a config change the progress bar passes for about a few seconds and then the CPU goes 80% for the next 40 minutes...
the CPU is being used by LSASS and netsh - rewriting all the rules from scratch (each time we hit apply)

If I try the new rule it does not work... until, let's say, 20 ~ 40 minutes pass and the CPU goes back to normal...

In addition, when we see this... if we try to add additional PPTP site VPN - the RRAS does not receive the new adapter...

So I am investigating about how to reduce the number of the VPN connections on the server...

(in reply to mikemalter)
Post #: 4
RE: Is there a practical limit on the number of site-to... - 12.Jun.2008 10:22:24 AM   
mikemalter
Posts: 60
Joined: 9.Oct.2002
From: San Rafael, CA
I get it now.

The time necessary to cycle through config changes is much longer than I have experienced.  We have a lot of rules because of all of our published servers, services and web sites.  Even with everyone VPN'd in we never have more than a few seconds of recycle time after saving a configuration.

It seems to me that something else is going on.

_____________________________

Mike Malter
Mike Malter & Associates, Inc.

(in reply to linch_y)
Post #: 5
RE: Is there a practical limit on the number of site-to... - 13.Jun.2008 5:59:40 AM   
linch_y
Posts: 4
Joined: 12.Jun.2008
I found an issue related to an event ID 21165 "Unable to create IPSec rules for...."... It was fixed by restarting the IPSec service and a subsequent restart of the Firewall service...

However the issue with the long time passing (up to 40 minutes) for rules applying looks like related to the number of IPSec site-to-site tunnels...

I found an article from MS about the exact behaviour I am experiencing... but for ISA 2006 (http://support.microsoft.com/kb/934410) + a hotfix for this...

I am just wondering... Am I the first who paid attention to this issue with ISA 2004? Did MS test ISA 2004 for the issue they have on 2006? Or am I completely wrong???

(in reply to mikemalter)
Post #: 6
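The two symptoms linch_y describes above (Post #4's 20~40 minute rule-apply window with LSASS and netsh busy, and Post #6's event ID 21165 "Unable to create IPSec rules for...") are the kind of thing an admin would want to catch from the event log before users report the VPN as broken. The script below is an added example written for this thread, not code from either poster or from Microsoft: it scans an exported event-log dump for 21165 events, counts them per site-to-site network (a repeat after the service restart workaround suggests the fix did not hold), and raises a capacity flag once the configured tunnel count passes the roughly 16 tunnels at which the poster saw apply times balloon. Only the event ID and the ~16-tunnel observation come from the thread; the export layout, the source name "ISA Firewall", the network names and the filler event are constructed for illustration.

```python
# Added example (not code from the forum posters): scan an exported
# Windows event-log dump for the ISA IPSec symptom discussed in the thread,
# Event ID 21165 "Unable to create IPSec rules for ...", and flag when the
# number of configured site-to-site tunnels passes the point at which the
# poster saw configuration-apply times balloon. The export format, source
# name, network names and filler event below are constructed for
# illustration; only the event ID and the ~16-tunnel figure are from the thread.
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional, Tuple

EVENT_ID_IPSEC_RULE_FAILURE = 21165  # event ID quoted in the thread
TUNNEL_WARN_THRESHOLD = 16           # anecdotal: apply time grew sharply past ~16 tunnels

# Constructed sample export: one event per line, tab-separated
# "<date> <time>\t<source>\t<event id>\t<message>".
SAMPLE_LOG = (
    "2008-06-12 09:05:11\tISA Firewall\t21165\tUnable to create IPSec rules for network Branch07.\n"
    "2008-06-12 09:05:12\tISA Firewall\t21165\tUnable to create IPSec rules for network Branch09.\n"
    "2008-06-12 09:06:40\tISA Firewall\t99999\tConstructed filler event: configuration applied.\n"
    "2008-06-12 09:50:02\tISA Firewall\t21165\tUnable to create IPSec rules for network Branch07.\n"
    "garbage line that should be ignored\n"
)

# Message shape is constructed; the real message text is truncated in the thread.
_NETWORK_RE = re.compile(r"Unable to create IPSec rules for network (\S+?)\.?$")


def parse_line(line: str) -> Optional[dict]:
    """Split one export line into its fields; return None for lines that do not fit."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 4:
        return None
    stamp, source, event_id, message = parts
    try:
        when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        eid = int(event_id)
    except ValueError:
        return None
    return {"when": when, "source": source, "event_id": eid, "message": message}


def find_ipsec_rule_failures(text: str) -> List[Tuple[datetime, str]]:
    """Return (timestamp, network) for every 21165 event in the export."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["event_id"] != EVENT_ID_IPSEC_RULE_FAILURE:
            continue
        m = _NETWORK_RE.search(rec["message"])
        hits.append((rec["when"], m.group(1) if m else "<unparsed>"))
    return hits


def failures_per_network(text: str) -> Dict[str, int]:
    """Count 21165 events per site-to-site network. A network that keeps
    reappearing after the IPSec/Firewall service restart workaround is the
    one to escalate."""
    return dict(Counter(net for _, net in find_ipsec_rule_failures(text)))


def tunnel_capacity_warning(tunnel_count: int, threshold: int = TUNNEL_WARN_THRESHOLD) -> bool:
    """True when the configured tunnel count exceeds the threshold observed in the thread."""
    return tunnel_count > threshold


if __name__ == "__main__":
    for when, net in find_ipsec_rule_failures(SAMPLE_LOG):
        print(f"{when:%Y-%m-%d %H:%M:%S}  event {EVENT_ID_IPSEC_RULE_FAILURE}  network={net}")
    print("per-network:", failures_per_network(SAMPLE_LOG))
    print("capacity warning at 18 tunnels:", tunnel_capacity_warning(18))
```

Point `SAMPLE_LOG` at a real export (the tab-separated layout is the assumption to adjust) and run it after each configuration apply; the per-network counter is what tells you whether the restart workaround from Post #6 is holding or whether, as the poster concluded, the tunnel count itself is the problem.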
RE: Is there a practical limit on the number of site-to... - 14.Jun.2008 9:13:52 AM   
mikemalter
Posts: 60
Joined: 9.Oct.2002
From: San Rafael, CA
I am not doing anything with IPSEC, so I am out of my depth here.

Regarding Site to Site connections between ISA and ISA, and ISA and RRAS, I posted several messages here, and got no replies so I don't know how many people are into this.  I interpreted my lack of replies as not much.

Can you upgrade to ISA2006?


_____________________________

Mike Malter
Mike Malter & Associates, Inc.

(in reply to linch_y)
Post #: 7
RE: Is there a practical limit on the number of site-to... - 30.Jun.2008 10:51:31 AM   
linch_y
Posts: 4
Joined: 12.Jun.2008
I opened a case with the MS support...

They said this is the situation.. You will have to upgrade to ISA 2006 and apply the hotfix in order to have it working...

The interesting part is that they do not offer the upgrade for free (even the license cannot be upgraded)...
So we will have to buy the newer ISA 2006 to have the broken issue working...

Veeery disappointing...

(in reply to mikemalter)
Post #: 8