08-29-2007 03:04 AM - edited 02-21-2020 03:14 PM
Hi All,
I have numerous remote sites using either PIX506 or ASA5505's connected back into a pair of ASA5520's over DSL connections.
Users at the remote locations are starting to complain about poor network access speeds. Compression is not currently in operation and I'm wondering if enabling it would make any performance benefits ??
Can anyone share their own experiences of enabling compression ? - does it work and if so did you see any noticable performance increase ?
Thanks in advance.
Stu
08-29-2007 11:17 AM
It is not racommanded Once traffic ENCRYPTED and compress or compress and encrypt.
In encryption traffic already be compact.
Regards,
Dharmesh Purohit
08-30-2007 06:54 AM
Compressing the data can make sense especially with low speed links. As the previous posted said, make sure that it is compressing before encryption. Look at the documentation for the hardware that you have to see if the compression is done in hardware or in software. I would probably recommend doing it if supported in hardware at both ends of the link, but would only enable it in software if the link is really very slow or the bandwidth expensive such as dialup/satellite/GPRS/3G
08-30-2007 07:14 AM
Hi All,
Many thanks for the replies. I'll take a look into exactly 'when' the compression occurs and give it a go on test bench first to see what effect it has.
Any ideas how I can guage if performance is any better - other than the good old stopwatch :)
Thanks,
Stuart
08-30-2007 07:17 AM
you should be able to get the compression ratio out of the crypto engine on ios with :
show crypto engine accelerator statistic
08-30-2007 07:35 AM
I've never had to use that command before and the reults are quite big from an ASA5510 currently running WITHOUT compression enabled ... eaxctly which stat am I looking at ?
#sh cry acc st
Crypto Accelerator Status
-------------------------
[Capability]
Supports hardware crypto: True
Supports modular hardware crypto: False
Max accelerators: 1
Max crypto throughput: 50 Mbps
Max crypto connections: 250
[Global Statistics]
Number of active accelerators: 1
Number of non-operational accelerators: 0
Input packets: 33086112
Input bytes: 3153117024
Output packets: 31396121
Output error packets: 0
Output bytes: 2819727252
[Accelerator 0]
Status: OK
Software crypto engine
Slot: 0
Active time: 1754805 seconds
Total crypto transforms: 15048
Total dropped packets: 0
[Input statistics]
Input packets: 0
Input bytes: 23312
Input hashed packets: 0
Input hashed bytes: 0
Decrypted packets: 0
Decrypted bytes: 23440
[Output statistics]
Output packets: 0
Output bad packets: 0
Output bytes: 146328
Output hashed packets: 0
Output hashed bytes: 0
Encrypted packets: 0
Encrypted bytes: 146856
[Diffie-Hellman statistics]
Keys generated: 0
Secret keys derived: 0
[RSA statistics]
Keys generated: 21
Signatures: 20
Verifications: 0
Encrypted packets: 0
Encrypted bytes: 0
Decrypted packets: 0
Decrypted bytes: 0
[DSA statistics]
Keys generated: 0
Signatures: 0
Verifications: 0
[SSL statistics]
Outbound records: 0
Inbound records: 0
[RNG statistics]
Random number requests: 98
Random number request failures: 0
[Accelerator 1]
Status: OK
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CNlite-MC-Boot-Cisco-1.2
SSL/IKE microcode: CNlite-MC-IPSEC-Admin-3.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
Slot: 1
Active time: 1754849 seconds
Total crypto transforms: 64746707
Total dropped packets: 0
[Input statistics]
Input packets: 33086778
Input bytes: 3153461496
Input hashed packets: 33086798
Input hashed bytes: 2464361879
Decrypted packets: 33086903
Decrypted bytes: 1673649020
[Output statistics]
Output packets: 31396955
Output bad packets: 0
Output bytes: 2819816588
Output hashed packets: 31395860
Output hashed bytes: 1811573472
Encrypted packets: 31396991
Encrypted bytes: 1061657476
[Diffie-Hellman statistics]
Keys generated: 143
Secret keys derived: 46
[RSA statistics]
Keys generated: 0
Signatures: 0
Verifications: 0
Encrypted packets: 0
Encrypted bytes: 0
Decrypted packets: 0
Decrypted bytes: 0
[DSA statistics]
Keys generated: 0
Signatures: 0
Verifications: 0
[SSL statistics]
Outbound records: 1100
Inbound records: 40
[RNG statistics]
Random number requests: 512
Random number request failures: 0
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: