VPN Tunnel Capacity and Licensing
The maximum number of active VPN tunnels your Firebox supports depends on the values in your Firebox feature key. The maximum number of supported tunnels is different for each Firebox model.
Find Your Firebox Tunnel Capacity
- Select System > Feature Key.
The Feature Key page appears.
- In the Feature column, find the VPN features.
- For each VPN feature, the associated Value tells you the maximum number of active tunnels.
To see the maximum number of VPN tunnels your Firebox supports, from Policy Manager:
- Select Setup > Feature Keys.
The Firebox Feature Key dialog box appears.
- In the Feature column, find the VPN features.
- For each feature, the associated Value shows the maximum number of active tunnels.
In the feature key, these features identify the licensed VPN limits:
- Branch Office VPN Tunnels — The maximum number of active branch office VPN tunnel routes and BOVPN virtual interfaces.
- L2TP Users — The maximum number of active Mobile VPN with L2TP user connections.
- IPSec VPN Users — The maximum number of active Mobile VPN with IPSec and Mobile VPN with IKEv2 user connections.
- SSL VPN Users — The maximum number of active Mobile VPN with SSL, BOVPN over TLS, and Management Tunnel over SSL user connections.
VPN License Enforcement
The maximums in the feature key limit the number of each type of VPN tunnel that can be active at the same time. The feature key does not limit the size of the mobile VPN virtual IP address pools or the number of tunnel routes you can configure for branch office VPNs.
VPN License Warnings
These warning messages appear in the Firebox System Manager Front Panel tab, and on the System Status page if VPN license limits are exceeded for your Firebox:
The maximum allowed number of active BOVPN tunnels has been reached (Maximum: nn) — Appears if the number of branch office VPN tunnels reaches the license limit for your device.
The maximum allowed number of active MUVPN user connections has been reached (Maximum: nn) — Appears if any of these conditions are true:
- The number of users for Mobile VPN with IPSec, Mobile VPN with IKEv2, Mobile VPN with L2TP, Mobile VPN with SSL, BOVPN over TLS, or Management Tunnel over SSL users reaches the license limit for your device.
- The combined number of Mobile VPN with IPSec users and Mobile VPN with IKEv2 users reaches the license limit for your device.
- The combined number of Mobile VPN with SSL, BOVPN over TLS, and Management Tunnel over SSL users reaches the license limit for your device.
Mobile VPN Virtual IP Address Pools
If you configure a mobile VPN IP address pool with a higher number of IP addresses than the maximum number in the feature key, you see a warning that the number of IP addresses in the virtual address pool is higher than the maximum number of users in the feature key. You can still save the configuration, but the address pool contains some IP addresses that will never be used.
The maximum number of concurrent active VPN connections is based on the value in the feature key, not on the number of IP addresses in the virtual IP address pool.
For example, if your Firebox feature key allows a maximum of 55 Mobile VPN with L2TP connections, and you configure the Mobile VPN with L2TP virtual IP address pool with 100 IP addresses, only 55 Mobile VPN with L2TP connections can be active at the same time.
About Branch Office VPN Tunnel Routes
For license enforcement, an active BOVPN virtual interface counts as a single tunnel route, even if multiple VPN routes are configured to use it. For a branch office VPN that is not configured as a BOVPN virtual interface, each active VPN tunnel route counts as a tunnel route in use.
The feature key does not limit the number of tunnel routes you can configure, but it does limit the number of tunnel routes that can be active at the same time.
For example, if your Firebox feature key allows a maximum of 50 tunnels, and you configure a total of 60 tunnel routes, only 50 of the branch office VPN tunnel routes can be active at the same time.
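The counting rules above can be checked against a planned configuration before deployment. The following is an added example, not WatchGuard code: it applies the page's rules (a BOVPN virtual interface counts once, connection types that share a feature are summed, pool size does not raise the limit) to a hand-entered inventory. The dictionary layout, the gateway names, and every value other than the 50, 55, 60 and 100 used in the page's own examples are constructed assumptions, not a Firebox export format.

```python
# Added example, not WatchGuard code. The inventory layout is hypothetical
# (not a Firebox export); all values are constructed samples.
FEATURE_KEY = {"Branch Office VPN Tunnels": 50, "L2TP Users": 55,
               "IPSec VPN Users": 25, "SSL VPN Users": 25}

# Connection types that draw on each licensed feature, as the page lists them.
SHARED = {
    "L2TP Users": ["Mobile VPN with L2TP"],
    "IPSec VPN Users": ["Mobile VPN with IPSec", "Mobile VPN with IKEv2"],
    "SSL VPN Users": ["Mobile VPN with SSL", "BOVPN over TLS",
                      "Management Tunnel over SSL"],
}

GATEWAYS = [  # constructed: one virtual interface, two BOVPNs that are not
    {"name": "hq-vif", "virtual_interface": True, "routes": 12},
    {"name": "branch-a", "virtual_interface": False, "routes": 30},
    {"name": "branch-b", "virtual_interface": False, "routes": 29},
]
PEAK_USERS = {"Mobile VPN with L2TP": 40, "Mobile VPN with IPSec": 15,
              "Mobile VPN with IKEv2": 15, "Mobile VPN with SSL": 10,
              "BOVPN over TLS": 5}
POOL_SIZES = {"Mobile VPN with L2TP": 100}


def bovpn_routes_in_use(gateways):
    """A BOVPN virtual interface counts once; other BOVPNs count per route."""
    return sum(1 if g["virtual_interface"] else g["routes"] for g in gateways)


def license_report(key, gateways, peak_users, pool_sizes):
    """Return ({feature: (demand, limit, within_limit)}, {type: unusable IPs})."""
    demand = {"Branch Office VPN Tunnels": bovpn_routes_in_use(gateways)}
    unusable = {}
    for feature, types in SHARED.items():
        # Types that share a feature are summed against one limit.
        demand[feature] = sum(peak_users.get(t, 0) for t in types)
        for t in types:
            extra = pool_sizes.get(t, 0) - key[feature]
            if extra > 0:  # pool addresses beyond the licensed maximum
                unusable[t] = extra
    report = {f: (d, key[f], d <= key[f]) for f, d in demand.items()}
    return report, unusable


if __name__ == "__main__":
    report, unusable = license_report(FEATURE_KEY, GATEWAYS, PEAK_USERS, POOL_SIZES)
    for feature, (d, limit, ok) in report.items():
        print(f"{feature}: {d}/{limit} {'ok' if ok else 'OVER LICENSE'}")
    print("Pool addresses that can never be used:", unusable)
```

With the sample inventory, the 12 routes on the virtual interface count as one tunnel route, so demand is 60 against a limit of 50, and the IPSec and IKEv2 users together exceed their shared limit even though neither does alone.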