Mar 26, 2014

Site-to-Site VPN in multiple context mode (ASA 9.x)

Before configuring a Site-to-Site VPN in a multiple context mode ASA, you must assign VPN resources to the context. By default, no VPN site-to-site tunnels are allowed and you must manually configure a resource class to allow any VPN sessions, otherwise you will see the message "Tunnel Rejected: The maximum tunnel count allowed has been reached" in IKE debug outputs.

ASA 5550 with base license supports 5000 VPN sessions.

You have two contexts and want to share VPN resources assigning 2000 sessions to each context:

asa/admin(config)# changeto system
asa(config)# class vpn-2000
asa(config-class)# limit-resource vpn other 2000
asa(config-class)# limit-resource vpn burst other 1000
asa(config-class)# exit
asa(config)# context context-a
asa(config-ctx)# member vpn-2000
asa(config)# context context-b
asa(config-ctx)# member vpn-2000

vpn burst other is the number of VPN sessions allowed beyond the amount assigned to a context with vpn other. Unlike vpn other, which guarantees the sessions to the context, vpn burst other can be oversubscribed; the burst pool is available to all contexts on a first-come, first-served basis.


  1. Thanks so much for the assitance, it was a major help! I configured the PIX with the commands. Additionally, I had to configure the tunnel-group on the ASA as well:

    tunnel-group type ipsec

    Everything is working.
    Now i`m successfully running iron socket vpn on my cisco router.

  2. Thanks for beautiful explanation!!!!
    Is there any limitation of configuring no. Of VPNs in one context. VPN session does refer no. of VPN connection or configuration.

    1. It limits the number of VPN connections. You can have any number of configured tunnels, but established ones are limited by resource class config.

  3. Awesome, keep doing the same good work.