cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
629
Views
7
Helpful
5
Replies

VPN Compression - Woth Doing ?

stuart.baker
Level 1
Level 1

Hi All,

I have numerous remote sites using either PIX506 or ASA5505's connected back into a pair of ASA5520's over DSL connections.

Users at the remote locations are starting to complain about poor network access speeds. Compression is not currently in operation and I'm wondering if enabling it would make any performance benefits ??

Can anyone share their own experiences of enabling compression ? - does it work and if so did you see any noticable performance increase ?

Thanks in advance.

Stu

5 Replies 5

purohit_810
Level 5
Level 5

It is not racommanded Once traffic ENCRYPTED and compress or compress and encrypt.

In encryption traffic already be compact.

Regards,

Dharmesh Purohit

alistaircowan
Level 1
Level 1

Compressing the data can make sense especially with low speed links. As the previous posted said, make sure that it is compressing before encryption. Look at the documentation for the hardware that you have to see if the compression is done in hardware or in software. I would probably recommend doing it if supported in hardware at both ends of the link, but would only enable it in software if the link is really very slow or the bandwidth expensive such as dialup/satellite/GPRS/3G

Hi All,

Many thanks for the replies. I'll take a look into exactly 'when' the compression occurs and give it a go on test bench first to see what effect it has.

Any ideas how I can guage if performance is any better - other than the good old stopwatch :)

Thanks,

Stuart

you should be able to get the compression ratio out of the crypto engine on ios with :

show crypto engine accelerator statistic

I've never had to use that command before and the reults are quite big from an ASA5510 currently running WITHOUT compression enabled ... eaxctly which stat am I looking at ?

#sh cry acc st

Crypto Accelerator Status

-------------------------

[Capability]

Supports hardware crypto: True

Supports modular hardware crypto: False

Max accelerators: 1

Max crypto throughput: 50 Mbps

Max crypto connections: 250

[Global Statistics]

Number of active accelerators: 1

Number of non-operational accelerators: 0

Input packets: 33086112

Input bytes: 3153117024

Output packets: 31396121

Output error packets: 0

Output bytes: 2819727252

[Accelerator 0]

Status: OK

Software crypto engine

Slot: 0

Active time: 1754805 seconds

Total crypto transforms: 15048

Total dropped packets: 0

[Input statistics]

Input packets: 0

Input bytes: 23312

Input hashed packets: 0

Input hashed bytes: 0

Decrypted packets: 0

Decrypted bytes: 23440

[Output statistics]

Output packets: 0

Output bad packets: 0

Output bytes: 146328

Output hashed packets: 0

Output hashed bytes: 0

Encrypted packets: 0

Encrypted bytes: 146856

[Diffie-Hellman statistics]

Keys generated: 0

Secret keys derived: 0

[RSA statistics]

Keys generated: 21

Signatures: 20

Verifications: 0

Encrypted packets: 0

Encrypted bytes: 0

Decrypted packets: 0

Decrypted bytes: 0

[DSA statistics]

Keys generated: 0

Signatures: 0

Verifications: 0

[SSL statistics]

Outbound records: 0

Inbound records: 0

[RNG statistics]

Random number requests: 98

Random number request failures: 0

[Accelerator 1]

Status: OK

Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)

Boot microcode : CNlite-MC-Boot-Cisco-1.2

SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03

IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04

Slot: 1

Active time: 1754849 seconds

Total crypto transforms: 64746707

Total dropped packets: 0

[Input statistics]

Input packets: 33086778

Input bytes: 3153461496

Input hashed packets: 33086798

Input hashed bytes: 2464361879

Decrypted packets: 33086903

Decrypted bytes: 1673649020

[Output statistics]

Output packets: 31396955

Output bad packets: 0

Output bytes: 2819816588

Output hashed packets: 31395860

Output hashed bytes: 1811573472

Encrypted packets: 31396991

Encrypted bytes: 1061657476

[Diffie-Hellman statistics]

Keys generated: 143

Secret keys derived: 46

[RSA statistics]

Keys generated: 0

Signatures: 0

Verifications: 0

Encrypted packets: 0

Encrypted bytes: 0

Decrypted packets: 0

Decrypted bytes: 0

[DSA statistics]

Keys generated: 0

Signatures: 0

Verifications: 0

[SSL statistics]

Outbound records: 1100

Inbound records: 40

[RNG statistics]

Random number requests: 512

Random number request failures: 0

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: