Site to Site VPN with PIX515E

Unanswered Question
Jun 26th, 2007

I have a site to site VPN with PIX515E's as the termination point for each side. I am using DES encryption. There is a DS3 going into each site. I have lowered the MTU setting on both firewalls so that fragmentation didn't occur. All hardware is configured properly. I am able to push data (using a network tool) to fill half the pipe with no performance issues. All of these, yet our speed in between the two sites does not correlate with DS3's at each end, even accounting for encryption overhead. Shouldn't we have that speed available to us? Can anyone help? Thanks much.


The mtu command specifies the largest packet that is allowed through an interface. By default the MTU on an Ethernet interface is 1500, and it is also the maximum on the interface. You will not need to alter the MTU on the PIX to improve the performance; instead, the sysopt command will come into play and send the MSS to the initiator.

A further description follows:

The command is used to prevent packets from being fragmented by the PIX. The MSS is the maximum size of packet that the sender can send to the receiver such that when the receiver receives the packet it can forward it on (after adding any necessary extra headers, like IPsec, GRE, etc.) without having to fragment the packet. So, the MSS should equal the MTU minus any necessary headers required to append to the packet before sending it out the interface.

The MSS is sent to the initiator during the setup of the 3-way handshake.

So, if the payload exceeds the MSS, the PIX will most likely end up fragmenting the packet (if the headers added to the packet end up exceeding the MTU of the outgoing interface).

More info can be found in the command reference for the PIX under sysopt, and also in RFC 879.

As described above, the sysopt command should be set to the MTU minus the headers. For example, here is how many bytes each protocol adds to a payload:

1380 data + 20 TCP + 20 IP + 24 AH + 24 ESP_CIPHER + 12 ESP_AUTH + 20 IP = 1500 bytes

In other words, you will not need to change the MTU to increase performance, but maybe you can adjust the sysopt command to increase the performance.

Try this command: "ip tcp adjust-mss 1300"
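As an added illustration of the MSS idea in the answer above (this is not the poster's code and not anything from the PIX): a Python sketch that derives the MSS from the byte budget quoted there, then rewrites the MSS option in a constructed TCP SYN the way a firewall MSS clamp does, patching the TCP checksum incrementally. The packet bytes, ports and the placeholder checksum are constructed for the example.

```python
import struct
# Per-packet overhead the answer above quotes for this tunnel (bytes).
TUNNEL_OVERHEAD = {"TCP": 20, "inner IP": 20, "AH": 24,
                   "ESP cipher": 24, "ESP auth": 12, "outer IP": 20}
def max_segment_size(mtu, overhead=TUNNEL_OVERHEAD):
    """MSS that still fits the MTU once every listed header is added."""
    return mtu - sum(overhead.values())

def build_syn(options, checksum=0x1234):
    """Constructed TCP SYN (40000 -> 443) with the given option bytes; the
    checksum is a placeholder, not computed over a pseudo-header."""
    words = 5 + len(options) // 4            # data offset in 32-bit words
    return struct.pack("!HHIIBBHHH", 40000, 443, 1, 0, words << 4,
                       0x02, 65535, checksum, 0) + options

def _mss_offset(hdr):
    """Header offset of the 2-byte MSS value (option kind 2), or None."""
    i, end = 20, (hdr[12] >> 4) * 4
    while i < end and hdr[i] != 0:           # kind 0 ends the option list
        if hdr[i] == 1:                      # NOP is a single byte
            i += 1
        elif hdr[i] == 2 and hdr[i + 1] == 4:
            return i + 2
        else:
            i += hdr[i + 1]
    return None

def read_mss(hdr):
    pos = _mss_offset(hdr)
    return None if pos is None else struct.unpack_from("!H", hdr, pos)[0]

def _update_checksum(old_csum, old_word, new_word):
    """RFC 1624 incremental update: HC' = ~(~HC + ~m + m') in one's complement."""
    s = (~old_csum & 0xFFFF) + (~old_word & 0xFFFF) + new_word
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def clamp_mss(hdr, max_mss):
    """Return the SYN with its MSS option lowered to max_mss, checksum fixed."""
    pos = _mss_offset(hdr)
    if pos is None or (old := struct.unpack_from("!H", hdr, pos)[0]) <= max_mss:
        return hdr
    out = bytearray(hdr)
    struct.pack_into("!H", out, pos, max_mss)
    # An odd offset straddles two checksum words, so the delta is byte-swapped.
    swap = (lambda w: ((w & 0xFF) << 8) | (w >> 8)) if pos % 2 else (lambda w: w)
    csum = struct.unpack_from("!H", hdr, 16)[0]
    struct.pack_into("!H", out, 16, _update_checksum(csum, swap(old), swap(max_mss)))
    return bytes(out)
```

With the page's numbers, max_segment_size(1500) gives the 1380 the answer arrives at; a SYN advertising 1460 comes back advertising 1380 with its checksum still consistent.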

bryonschultz Thu, 07/05/2007 - 15:54

I apologize for the confusion... I did use the sysopt tcpmss command to change the packet size, but DID NOT modify the MTU command. Does that make sense?
