[ScreenOS] How to calculate the number of VPN tunnels that are created on the firewall for a policy based VPN?

This article provides information on how to calculate the number of VPN tunnels that are created on a firewall for a policy based VPN.


In a policy based VPN, each policy creates its own tunnel. If the same VPN is referenced in two policies, two tunnels are created.

The same logic applies to VPN groups:

  • When a VPN group is bound to a policy, the firewall creates as many tunnels as there are VPNs in the group.

  • If four VPNs are bound to the VPN group, every policy that references the group creates four VPN tunnels.

  • For a total of ten policies from trust to untrust, each with that VPN group bound to it, 40 VPN tunnels are created.

Note: Because tunnels are counted per policy, a policy based VPN design can reach the firewall's VPN soft limit, after which no further policies can be configured.

When this happens, the following error message appears in the output of get log sys:

fail to update ike p2 id
## 2012-11-18 04:07:21 : fpl_build_policy : swrs_policy2rule failed

In such a situation, a route based VPN can be used instead.
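A worked version of the calculation above, as an added Python example that is not part of the original article: it counts tunnels per policy (one per VPN, or one per group member when a VPN group is bound), reports how often each VPN is re-tunnelled, flags the first policy that pushes the total past a soft limit, and counts the distinct VPNs for comparison with a route based design. The VPN names, group memberships, policies and the limit value are all constructed placeholders, not platform figures.

```python
"""Count the IPsec tunnels a ScreenOS policy based VPN design creates.

Rule from the article: every policy that binds a single VPN creates one
tunnel; every policy that binds a VPN group creates one tunnel per VPN in
that group. Counting is per policy, so a VPN used by two policies counts twice.
"""

from collections import Counter

# Constructed sample data (not from the article): VPN groups and their members.
VPN_GROUPS = {
    "grp-branches": ["vpn-a", "vpn-b", "vpn-c", "vpn-d"],  # four VPNs
    "grp-dc": ["vpn-dc1", "vpn-dc2"],
}

# Each policy binds either one VPN ("vpn") or one VPN group ("vpn-group").
POLICIES = [
    {"id": 1, "from": "trust", "to": "untrust", "vpn-group": "grp-branches"},
    {"id": 2, "from": "trust", "to": "untrust", "vpn-group": "grp-branches"},
    {"id": 3, "from": "trust", "to": "untrust", "vpn": "vpn-a"},
    {"id": 4, "from": "untrust", "to": "trust", "vpn-group": "grp-dc"},
]

# Placeholder only: the real soft limit depends on the ScreenOS platform.
SOFT_LIMIT = 10


def vpns_bound_to(policy, groups=VPN_GROUPS):
    """Return the list of VPNs a policy will build tunnels for."""
    if "vpn-group" in policy:
        return list(groups[policy["vpn-group"]])
    if "vpn" in policy:
        return [policy["vpn"]]
    raise ValueError(f"policy {policy['id']} binds neither a VPN nor a VPN group")


def tunnel_report(policies=POLICIES, groups=VPN_GROUPS, limit=SOFT_LIMIT):
    """Total tunnels, tunnels per VPN, and the first policy that exceeds the limit."""
    per_vpn = Counter()
    total = 0
    first_over = None
    for policy in policies:
        members = vpns_bound_to(policy, groups)
        per_vpn.update(members)  # the same VPN is counted once per policy
        total += len(members)
        if first_over is None and total > limit:
            first_over = policy["id"]  # this policy would hit the soft limit
    return {"total": total, "per_vpn": dict(per_vpn), "first_over_limit": first_over}


def distinct_vpns(policies=POLICIES, groups=VPN_GROUPS):
    """Number of distinct VPNs referenced: the tunnel count a route based design needs."""
    return len({vpn for policy in policies for vpn in vpns_bound_to(policy, groups)})
```

With the sample data the policy based design needs 11 tunnels (policy 4 is the one that crosses the placeholder limit) while only 6 distinct VPNs are in use.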

