Knowledge Search


[Archive] VPN: Counting IPSec VPN Tunnel on ScreenOS 5.x

  [KB7114] Show Article Properties

VPN: Counting IPSec VPN Tunnel on ScreenOS 5.x
Symptoms & Errors:
  • Need to determine the allowable VPN tunnel on NetScreen Device

To determined the allowable IPSec vpn tunnels on ScreenOS 5.0, follow these steps:

1. Use the "get license" command to determine the number of VPN tunnels allowed:

On CLI, type "get license-key", look for "VPN tunnels", there are 4 possible outputs:

  • A single number is listed: it is the limit for all kinds of ipsec vpn; for example: 10 tunnels (as shown on the Screenshot below)
  • Two numbers are show: one is limit for site-to-site vpn, another one for extra dialup-group vpn
  • None, no vpn is allowed (for firewall only products)
  • unlimited, vpn only subject to platform limitation
Sample "get license' output:

2. The number of site-to-site, dynamic-peer, manual-key and dialup-user vpn is allowed is determined by:

  • Use quota of the site-to-site vpn.
  • Only vpn tunnel configuration is counted (not policy or tunnel interface), and it is counted even if not used by policy or bound to tunnel interface. Use the CLI command to create VPN tunnel:
    "set vpn gateway .. "
  • Number of vpn polices subject to platform limitation

3. To determine how many dialup-group vpn are allowed: 

  • Use the "extra dialup-group vpn" quota first;
  • If no more "extra dialup-group vpn" quota available, use the "site-to-site vpn"  quota


  • VPN tunnel configuration is not counted
  • Only user connection is counted
  • Each user "sa" count as one vpn tunnel.

Related Links: