Performance issue between PIX 501 and FW-1

thult · ‎01-13-2003

A customer has setup a VPN between a PIX 501 (6.2(2)) and a FW1NG FP3.

They are using 3DES, SHA, DH Group 2.

When they test the performance the throughput is only about 500Kbps. If they connect using the FW1 SecuRemote klient instead they got a throughput of about 5Mbps.

Does anyone recognize this and know how to boost the PIX-performance ?

smalkeric · ‎01-17-2003

Normally the easiest solution is to use the VAC. However the PIX VAC is supported on PIX 515, 520, 525, and 535 platforms only. The only option that leaves us is to be selective about the traffic that is encrypted instead of encrypting all the traffic that goes through. This will definately improve throughput.

thult · ‎01-17-2003

Thanks for your reply.

Well, i´m gettin quite worried here. I have a lot of customers running PIX 501 and most of them have some sort of performance problems.

Most of my customers have problems with Citrix .ICA traffic that gets disconnected randomly. (different customers, different internet-accesses)

I have search the bug toolkit and have found a lot of bugs with ISAKMP, some regarding Citrix. They state that you should lower the MTU to 1400 or less.....

Why not tell us what the working MTU should be ! Could this setting resolve most issues with Citrix disconnects ?

..or is the Cisco PIX 501 a low cost product like the Cisco 700 series router...?

I dont know if Cisco does really care about this low cost products, but I have had to watch competitors replace a 501 with their firewall and (in one case a product called Q100) it worked just fine with the same settings...