I have a site-to-site VPN with PIX 515Es as the termination point on each side. I am using DES encryption. There is a DS3 going into each site. I have lowered the MTU setting on both firewalls so that fragmentation doesn't occur. All hardware is configured properly. I am able to push data (using a network tool) to fill half the pipe with no performance issues. Despite all of this, our speed between the two sites does not correlate with the DS3s at each end, even accounting for encryption overhead. Shouldn't we have that speed available to us? Can anyone help? Thanks much.
The mtu command specifies the largest packet that is allowed through an interface. By default the MTU on an Ethernet interface is 1500, and it is also the maximum on the interface. You will not need to alter the MTU on the PIX to improve the performance; instead the sysopt command will come into play and send the MSS to the initiator.
A further description is as follows:
The command is used to prevent packets from being fragmented by the PIX. The MSS is the maximum size of packet that the sender can send to the receiver such that when the receiver receives the packet it can forward it on (after adding any necessary extra headers, like IPSec, GRE, etc.) without having to fragment the packet. So, the MSS should equal the MTU minus any necessary headers required to append to the packet before sending it out the interface.
The MSS is sent to the initiator during the setup of the 3-way handshake.
So, if the payload exceeds the MSS, the PIX will most likely end up fragmenting the packet (if the headers added to the packet end up exceeding the MTU of the outgoing interface).
More info can be found in the command reference for the PIX under sysopt, and also in RFC 879.
As described above, the sysopt command should be set to the MTU minus the headers. For example, here is how many bytes specific protocols add to a payload:
1380 data + 20 TCP + 20 IP + 24 AH + 24 ESP_CIPHER + 12 ESP_AUTH + 20 IP = 1500 bytes
In other words, you will not need to change the MTU to increase performance, but maybe you can adjust the sysopt command to increase the performance.
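The MSS arithmetic from the answer above, as an added worked example (not part of the original thread): it derives the MSS to advertise from the MTU and the per-header overhead figures quoted in the answer, and checks whether a segment of a given payload size would still need fragmentation after IPsec encapsulation. The AH/ESP overhead values are taken from the answer's sum; the ESP-only profile is an assumption added for comparison.

```python
# Header sizes used in the answer's sum (IPv4 and TCP without options).
IP_HEADER = 20
TCP_HEADER = 20

# Tunnel-mode overhead exactly as quoted in the answer:
# AH 24 + ESP cipher overhead 24 + ESP auth trailer 12 + outer IP header 20.
AH_PLUS_ESP = {"AH": 24, "ESP_CIPHER": 24, "ESP_AUTH": 12, "OUTER_IP": IP_HEADER}

# Assumed profile (not from the thread): the same tunnel without AH.
ESP_ONLY = {"ESP_CIPHER": 24, "ESP_AUTH": 12, "OUTER_IP": IP_HEADER}


def tcp_mss(mtu, overhead=AH_PLUS_ESP):
    """MSS = MTU - inner IP - TCP - every header the tunnel adds in transit."""
    return mtu - IP_HEADER - TCP_HEADER - sum(overhead.values())


def wire_size(payload, overhead=AH_PLUS_ESP):
    """Bytes on the outgoing interface once a TCP segment carrying
    `payload` bytes has been wrapped by the tunnel."""
    return payload + TCP_HEADER + IP_HEADER + sum(overhead.values())


def will_fragment(payload, mtu, overhead=AH_PLUS_ESP):
    """True when the encapsulated segment no longer fits the interface MTU,
    i.e. the PIX would have to fragment it."""
    return wire_size(payload, overhead) > mtu


if __name__ == "__main__":
    mtu = 1500
    print("MSS to advertise (AH+ESP):", tcp_mss(mtu))
    print("MSS to advertise (ESP only, assumed):", tcp_mss(mtu, ESP_ONLY))
    # A host left at the usual 1460-byte Ethernet MSS overshoots the MTU.
    for payload in (1460, 1380):
        print(payload, "bytes ->", wire_size(payload), "on the wire,",
              "fragments" if will_fragment(payload, mtu) else "fits")
```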
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...