SSL-VPN Bandwidth calculation for WAN link

Unanswered Question
May 28th, 2010
User Badges:
  • Cisco Employee,

/* Style Definitions */ table.MsoNormalTable {mso-style-name:"Table Normal"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:""; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin:0in; mso-para-margin-bottom:.0001pt; mso-pagination:widow-orphan; font-size:11.0pt; font-family:"Calibri","sans-serif"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:"Times New Roman"; mso-fareast-theme-font:minor-fareast; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin; mso-bidi-font-family:"Times New Roman"; mso-bidi-theme-font:minor-bidi;}

I am trying to find out the bandwidth of the WAN link required at a datacenter WAN gateway where PCs at 60 remote sites establish SSL-VPN tunnel to this gateway. Each user will have 512kbps bandwidth to the internet.

Assuming, all the 60 sites will be accessing datacenter at once, if ‘x’ bandwidth is reserved at the WAN gateway (including all sites considering application requirement), what is the extra bandwidth to be provisioned to deploy SSL-VPN?

Any leads is much appreciated..

Thanks in advance,


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Calin Chiorean Wed, 06/02/2010 - 03:53
User Badges:
  • Silver, 250 points or more

I see it like this 60 client x 512kbps / client is aprox 30Mbits. If you are using Qos to guarantee 512kbps / client, you might think to include in this 512kbps also the extra overhead generated by the VPN encapsulation.

Did this answer your question, or I understood it wrong?


manmp Wed, 06/02/2010 - 03:59
User Badges:
  • Cisco Employee,

Thanks for the Reply Calin.

Actually, the application we will be running is a video+data application out of which, 384kbps is video and 64kbps is data. So i did some calculations and got around 64kbps SSL VPN overhead for that traffic. And hence assumed 512kbps/ client is sufficient. At the hub end, thought of giving some buffer along with 60 * 512kbps.

I read somewhere that, SSL VPN header size is around 25bytes/packet. So with some assumptions came to 64kbps overhead for SSLVPN. Any ideas on that?

Calin Chiorean Wed, 06/02/2010 - 04:24
User Badges:
  • Silver, 250 points or more

From what I've read the overhead of IPSec on a packet is between 50  and 57 octets (including the new IP header, the ESP header and the  trailers), representing a 10% increase on an average packet (500 byte).  In contrast to this, SSL VPNs add only 5 octets of data to each packet,  just a 1% increase on the average packet. Of course, setup operations  cannot be ignored totally, but these are roughly similar in size for  IPSec and SSL connections. Also, because SSL VPNs work at a much higher  layer, they suffer much less from the packet fragmentation issues  normally associated with IPSec VPNs. Finally, SSL has built in  compression mechanisms (with AIM-VPN modules).

Overall, I think that if you have 512kbps / user you're on the safe side. This is my opinion.



If this advice is useful please rate!

manmp Wed, 06/02/2010 - 10:17
User Badges:
  • Cisco Employee,

Thanks Calin, it was very useful...



This Discussion