Impact of Replacing VAC + card in pix 535

Answered Question
Mar 28th, 2010

We have a PIX 535 firewall with licensed failover. We want to introduce one additional gig port for our client's requirement; we have already used 3 gigabit ports, and we can make the provision by replacing the VAC+ card.

So I want to know what impact it will have on VPN. We have configured remote access VPN with around 20 tunnel groups, but continuous use of VPN is only done by one group.

Whether replacing the VAC+ card will hamper the VPN connection, and can we go with the replacement?

Correct Answer by Jon Marshall about 6 years 10 months ago

rajsh.sharma wrote:

Kusankar, I don't want to create a subinterface, as my requirement is to create a new DMZ whose traffic should be on a gig interface, and I had extra GIG cards, so installing a gig port card in the slot where the VAC+ card is installed can achieve my requirement.

So the only thing I am not sure about is the impact on the VPN connection.

So I want to know whether replacing the VAC+ card will hamper the VPN connection and whether we can go with the replacement.

Well the answer is it depends.

How much CPU is being used currently on the firewall? If it is low then yes, you could probably remove the VAC+ card and still be able to run your VPN connections, but obviously you are now asking the main CPU of the firewall to do more work.

How much VPN traffic is there going through the firewall? Again, if relatively low you should be fine without the VAC+ card, but if you have high volumes of VPN traffic then this can severely impact the main CPU.

It is one of those questions that is difficult to answer because it is unclear what the current state is. I have run 20+ site-to-site VPNs on a PIX 515E with no VAC card and it has run fine, but then that PIX was really only being used to terminate VPNs. What can be said for sure is that offloading VPN encryption to the VAC+ card takes load off the main CPU. Removing the VAC+ card will put that load back. So as I said, you need to base the decision on current CPU usage and VPN throughput requirements.

If you do not need full gigabit throughput for this DMZ or one of your others, I would be tempted to do what Kusankar suggested and think of using subinterfaces. What you can do is remove the VAC+ card, and if you find CPU too high then you have the subinterface solution as a backup.

Jon


Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.

Kureli Sankar Sun, 03/28/2010 - 04:04

I would use a sub-interface on the existing gig ports and leave the VAC+ card in there.

-KS

rajsh.sharma Sun, 03/28/2010 - 04:46

Kusankar, I don't want to create a subinterface, as my requirement is to create a new DMZ whose traffic should be on a gig interface, and I had extra GIG cards, so installing a gig port card in the slot where the VAC+ card is installed can achieve my requirement.

So the only thing I am not sure about is the impact on the VPN connection.

So I want to know whether replacing the VAC+ card will hamper the VPN connection and whether we can go with the replacement.


rajsh.sharma Sun, 03/28/2010 - 07:44

Thanks Jon,

Currently CPU utilisation is around 30% max, and I just had a query: how do I find how much actual VPN traffic is going through the firewall?
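The two inputs Jon says the decision rests on (current CPU usage and VPN throughput) and the measurement rajsh.sharma asks about, as an added example that is not from this thread, from Cisco, or from any of the posters: a Python script that takes two snapshots of the PIX/ASA `show crypto ipsec sa` packet counters a known interval apart, plus the `show cpu usage` line, and turns them into IPsec packets per second and an estimated bit rate. The device outputs embedded below are constructed samples, the counter line formats are assumed to match what the firewall prints, and the 600-byte average packet size used for the bit-rate estimate is an assumption to be replaced with a measured value.

```python
import re

# Constructed excerpts of "show crypto ipsec sa" from a PIX/ASA, two samples
# taken SAMPLE_INTERVAL_S seconds apart (assumed line format; only the
# "#pkts encaps" / "#pkts decaps" counters are used).
SAMPLE_INTERVAL_S = 60

SNAPSHOT_T0 = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 198.51.100.1
      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.2.2.0/255.255.255.0/0/0)
      current_peer: 203.0.113.2
      #pkts encaps: 120000, #pkts encrypt: 120000, #pkts digest: 120000
      #pkts decaps: 95000, #pkts decrypt: 95000, #pkts verify: 95000
    Crypto map tag: outside_map, seq num: 20, local addr: 198.51.100.1
      local ident (addr/mask/prot/port): (10.1.1.0/255.255.255.0/0/0)
      remote ident (addr/mask/prot/port): (10.3.3.0/255.255.255.0/0/0)
      current_peer: 203.0.113.3
      #pkts encaps: 4000, #pkts encrypt: 4000, #pkts digest: 4000
      #pkts decaps: 3500, #pkts decrypt: 3500, #pkts verify: 3500
"""

SNAPSHOT_T1 = """\
interface: outside
    Crypto map tag: outside_map, seq num: 10, local addr: 198.51.100.1
      current_peer: 203.0.113.2
      #pkts encaps: 150000, #pkts encrypt: 150000, #pkts digest: 150000
      #pkts decaps: 113000, #pkts decrypt: 113000, #pkts verify: 113000
    Crypto map tag: outside_map, seq num: 20, local addr: 198.51.100.1
      current_peer: 203.0.113.3
      #pkts encaps: 4600, #pkts encrypt: 4600, #pkts digest: 4600
      #pkts decaps: 4100, #pkts decrypt: 4100, #pkts verify: 4100
"""

# Constructed "show cpu usage" line (assumed format).
CPU_OUTPUT = "CPU utilization for 5 seconds = 31%; 1 minute: 30%; 5 minutes: 29%"

ENCAPS_RE = re.compile(r"#pkts encaps:\s*(\d+)")
DECAPS_RE = re.compile(r"#pkts decaps:\s*(\d+)")
CPU_RE = re.compile(r"5 seconds = (\d+)%; 1 minute: (\d+)%; 5 minutes: (\d+)%")


def total_counters(snapshot):
    """Sum the encaps and decaps packet counters over every SA in one snapshot."""
    encaps = sum(int(n) for n in ENCAPS_RE.findall(snapshot))
    decaps = sum(int(n) for n in DECAPS_RE.findall(snapshot))
    return encaps, decaps


def vpn_packet_rate(snap0, snap1, interval_s):
    """IPsec packets per second between two snapshots.

    Refuses to compute a rate if a counter went backwards, which happens when
    the counters were cleared or the box reloaded between the two samples.
    """
    e0, d0 = total_counters(snap0)
    e1, d1 = total_counters(snap1)
    if interval_s <= 0 or e1 < e0 or d1 < d0:
        raise ValueError("counters reset between samples or bad interval; resample")
    return {
        "encaps_pps": (e1 - e0) / interval_s,
        "decaps_pps": (d1 - d0) / interval_s,
        "total_pps": (e1 - e0 + d1 - d0) / interval_s,
    }


def estimate_mbps(pps, avg_packet_bytes=600):
    """Rough bit rate from a packet rate; avg_packet_bytes is an assumption."""
    return pps * avg_packet_bytes * 8 / 1_000_000


def parse_cpu_usage(text):
    """Pull the 5 s / 1 min / 5 min averages out of a 'show cpu usage' line."""
    m = CPU_RE.search(text)
    if not m:
        raise ValueError("unrecognised 'show cpu usage' output")
    return {"5s": int(m.group(1)), "1min": int(m.group(2)), "5min": int(m.group(3))}


def load_report(snap0, snap1, interval_s, cpu_text):
    """The two numbers the VAC+ decision rests on: CPU averages and VPN load."""
    rate = vpn_packet_rate(snap0, snap1, interval_s)
    return {
        "cpu": parse_cpu_usage(cpu_text),
        "vpn_pps": rate["total_pps"],
        "vpn_mbps_est": estimate_mbps(rate["total_pps"]),
    }


if __name__ == "__main__":
    print(load_report(SNAPSHOT_T0, SNAPSHOT_T1, SAMPLE_INTERVAL_S, CPU_OUTPUT))
```

Run it against real captures by pasting each `show crypto ipsec sa` output into the two snapshot strings and noting the wall-clock gap between them; sample during the busiest period of the one tunnel group that is in continuous use, since the quiet 5-minute CPU average on its own says nothing about peak crypto load.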
