We have a PIX 535 firewall with licensed failover. We want to introduce one additional gigabit port for our client's requirement; we have already used 3 gigabit ports, and we can make the provision by replacing the VAC+ card.
So I want to know what impact it will have on VPN. We have configured remote access VPN with around 20 tunnel groups, but continuous use of VPN is only done by one group.
Whether replacing the VAC+ card will hamper the VPN connection, and can we go with the replacement?
Kusankar, I don't want to create a subinterface, as my requirement is to create a new DMZ whose traffic should be on a gig interface, and I have extra GIG cards, so installing a gigport card in the slot where the VAC+ card is installed can achieve my requirement.
So the only thing I am not sure about is the impact on the VPN connection.
So I want to know whether replacing the VAC+ card will hamper the VPN connection and whether we can go with the replacement.
Well, the answer is: it depends.
How much CPU is being used currently on the firewall? If it is low, then yes, you could probably remove the VAC+ card and still be able to run your VPN connections, but obviously you are now asking the main CPU of the firewall to do more work.
How much VPN traffic is there going through the firewall? Again, if relatively low, you should be fine without the VAC+ card, but if you have high volumes of VPN traffic then this can severely impact the main CPU.
It is one of those questions that is difficult to answer because it is unclear what the current state is. I have run 20+ site-to-site VPNs on a PIX 515E with no VAC card and it has run fine, but then that PIX was really only being used to terminate VPNs. What can be said for sure is that offloading VPN encryption to the VAC+ card takes load off the main CPU. Removing the VAC+ card will put that load back. So, as I said, you need to base the decision on current CPU usage and VPN throughput requirements.
If you do not need full gigabit throughput for this DMZ or one of your others, I would be tempted to do what Kusankar suggested and think of using subinterfaces. What you can do is remove the VAC+ card, and if you find CPU too high then you have the subinterface solution as a backup.
Cisco are currently donating money to the Haiti earthquake appeal for every rating so please consider rating all helpful posts.
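To turn the "check current CPU usage and VPN throughput first" advice into a measurement, here is an added example (not from the thread or from Cisco): it parses a `show cpu usage` line and two `show crypto ipsec sa` counter snapshots taken some seconds apart, estimates the IPsec load the main CPU would inherit, and applies the answer's two-part rule. The output formats, the sample numbers, the average packet size and the numeric limits are all assumptions or constructed values.

```python
import re

# Constructed sample, shaped like PIX/ASA "show cpu usage" (format assumed).
CPU_SAMPLE = "CPU utilization for 5 seconds = 12%; 1 minute: 11%; 5 minutes: 9%"

# Two constructed "show crypto ipsec sa" counter snapshots, 60 s apart, two SAs.
# Only the #pkts lines are kept; real output has many more lines per SA.
SA_T0 = """ #pkts encaps: 120000, #pkts encrypt: 120000, #pkts digest: 120000
 #pkts decaps: 98000, #pkts decrypt: 98000, #pkts verify: 98000
 #pkts encaps: 5000, #pkts encrypt: 5000, #pkts digest: 5000
 #pkts decaps: 4000, #pkts decrypt: 4000, #pkts verify: 4000"""
SA_T1 = """ #pkts encaps: 138000, #pkts encrypt: 138000, #pkts digest: 138000
 #pkts decaps: 110000, #pkts decrypt: 110000, #pkts verify: 110000
 #pkts encaps: 5200, #pkts encrypt: 5200, #pkts digest: 5200
 #pkts decaps: 4100, #pkts decrypt: 4100, #pkts verify: 4100"""

CPU_RE = re.compile(r"5 seconds = (\d+)%; 1 minute: (\d+)%; 5 minutes: (\d+)%")
PKT_RE = re.compile(r"#pkts (?:encrypt|decrypt): (\d+)")


def parse_cpu(text):
    """Return (5s, 1m, 5m) CPU percentages from a 'show cpu usage' line."""
    m = CPU_RE.search(text)
    if not m:
        raise ValueError("unrecognised 'show cpu usage' output")
    return tuple(int(x) for x in m.groups())


def crypto_packets(text):
    """Sum the encrypt + decrypt counters over every SA in the output."""
    return sum(int(n) for n in PKT_RE.findall(text))


def vpn_load(t0, t1, seconds, avg_bytes=700):
    """Packets/s and approximate Mbit/s of IPsec traffic between two snapshots.
    avg_bytes is an assumed mean packet size; substitute your own traffic profile."""
    pps = (crypto_packets(t1) - crypto_packets(t0)) / seconds
    return pps, pps * avg_bytes * 8 / 1e6


def assess(cpu_5m, vpn_mbps, cpu_limit=40, mbps_limit=20):
    """The thread's rule: both CPU and VPN volume must be low to drop the VAC+.
    The limits are assumed placeholders, not Cisco sizing guidance."""
    if cpu_5m <= cpu_limit and vpn_mbps <= mbps_limit:
        return "remove VAC+ (low CPU, low VPN load)"
    return "keep VAC+ or plan subinterfaces (headroom is tight)"
```

Take the two SA snapshots a known number of seconds apart during the busy group's normal working hours, since an idle-hour sample will understate the load the main CPU would take over.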