VPN performance issues

tato386
Level 6

I have set up a VPN network using 1700 series routers with VPN accel cards for remote branches and a PIX515e (also with VPN accel) at corporate. The network at this moment consists of two remotes each using a full T1 and corporate has 3 full, BGP load balanced T1s. We wish to route the branch office Internet traffic through corporate so that we can control user Web access. Due to security limitations of the PIX we have implemented GRE tunnels that originate at the branch router and terminate on a 1700 located behind the PIX. The GRE traffic/tunnel is originated and IPSec encrypted at the outside interface of the branch router, is unencrypted at the outside interface of the PIX and terminates at the 1700 inside router. From there it is routed to other subnets or sent back out the PIX if it is Internet bound.

We will add more remote branches soon but it seems like performance problems are popping up already. This setup is an upgrade from a DSL/Red Creek VPN network. To our surprise, performance of the new T1/Cisco sites is at best, equal to the old setup. Sometimes it even seems slower!!

What can I do to begin to troubleshoot this? Any and all suggestions would be greatly appreciated.

Thanks,

Diego

3 Replies

jfrahim
Level 5

Diego,

I am not sure how you are comparing this setup with the old setup. Did your old setup have GRE/IPSec tunnels as well, terminated in the same manner?

Using GRE/IPSec in your topology, you will be sending the traffic over the Internet twice: once encrypted from the remote router to the hub router, and then back out to the Internet through the PIX firewall in cleartext (if you are doing Internet browsing).

Plus, if your old setup didn't have IPSec over GRE configured, then using IPSec/GRE in this current topology will add more packet overhead on the packets (and you might be running into some fragmentation issues as well).

Check and see if you are running into any sort of high CPU utilization. I think a better option for this testing is to do the GRE tunnel first and get the base number, then add IPSec on top and compare the performance.

Jazib

I can certainly test without IPSec. That is easy to do. As far as fragmentation, how can I check for that? There are a lot of nodes involved here. You have the branch router, the corporate Internet router, the PIX and then the corporate internal router. Where would fragmentation be most likely?

Also, the ISP made us configure the serial interfaces on the branch routers for PPP. How much difference is there between that and HDLC or frame-relay encapsulation?

Thanks,

Diego

Hi Diego,

You are likely to run into fragmentation issues on the remote side (termination of GRE/IPSec) and on the PIX side (termination of the IPSec tunnel). You might also see fragmentation on the hub router (termination of the other GRE end).

Fragmentation issues are hard to troubleshoot. But some of the symptoms are slow access to websites, incomplete web pages, not being able to download mail with attachments, etc.

Jazib
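As an added worked example for the overhead and fragmentation points Jazib raises above (this is not code from the thread, and not a Cisco tool), the script below tallies what GRE encapsulation followed by ESP tunnel-mode IPsec adds to a packet, finds the largest inner packet that still fits a 1500-byte link, and shows what happens to an oversized packet with and without the DF bit set. Header sizes are the RFC values; the two transform sets (3DES/SHA-1 and AES-128/SHA-1 with HMAC-96), the 1500-byte link MTU and the packet sizes in the usage section are assumptions made for illustration. In the thread's topology the branch router does both GRE and IPsec, so the budget it computes is the one that applies on the branch side; the PIX only strips the ESP layer.

```python
# Added example (not the posters' configuration, not Cisco code): estimate
# GRE + ESP tunnel-mode overhead and the resulting fragmentation behaviour.
# Header sizes are RFC values; transform sets and the 1500-byte MTU are assumed.

OUTER_IP = 20    # IPv4 header added once by GRE, again by ESP tunnel mode
GRE_HDR = 4      # minimal GRE header (no key, sequence or checksum options)
ESP_HDR = 8      # SPI (4) + sequence number (4)
ESP_TRAILER = 2  # pad length (1) + next header (1)

# Assumed transform sets: cipher block size, IV length, HMAC-96 ICV length.
ESP_PARAMS = {
    "3des-sha": {"block": 8, "iv": 8, "icv": 12},
    "aes128-sha": {"block": 16, "iv": 16, "icv": 12},
}


def esp_tunnel_overhead(payload_len, cipher="3des-sha"):
    """Bytes ESP tunnel mode adds around a payload of payload_len bytes."""
    p = ESP_PARAMS[cipher]
    # Padding makes (payload + pad + trailer) a multiple of the cipher block.
    pad = (-(payload_len + ESP_TRAILER)) % p["block"]
    return OUTER_IP + ESP_HDR + p["iv"] + pad + ESP_TRAILER + p["icv"]


def encapsulated_size(inner_len, cipher="3des-sha"):
    """On-the-wire size of an inner IP packet after GRE, then ESP tunnel mode."""
    gre_len = inner_len + OUTER_IP + GRE_HDR
    return gre_len + esp_tunnel_overhead(gre_len, cipher)


def max_inner_mtu(link_mtu=1500, cipher="3des-sha"):
    """Largest inner packet that leaves the encrypting router unfragmented.

    This is the upper bound for the tunnel interface's 'ip mtu'; a lower
    round number (1400 is the usual rule of thumb) leaves headroom.
    """
    size = link_mtu
    while encapsulated_size(size, cipher) > link_mtu:
        size -= 1
    return size


def tcp_mss_for(inner_mtu):
    """MSS to clamp with 'ip tcp adjust-mss': inner MTU minus IPv4 (20) + TCP (20)."""
    return inner_mtu - 40


def classify(inner_len, df_set, link_mtu=1500, cipher="3des-sha"):
    """Fate of one inner packet at the encrypting router (simplified model)."""
    if encapsulated_size(inner_len, cipher) <= link_mtu:
        return "fits"
    if df_set:
        # The router must drop it and send ICMP type 3 code 4 to the sender.
        # If a firewall in the path blocks that ICMP, the sender never learns
        # the smaller MTU and the flow stalls (the "incomplete web page"
        # symptom), so PMTUD only works if that ICMP is permitted through.
        return "dropped, ICMP fragmentation-needed sent"
    return "fragmented"


if __name__ == "__main__":
    for cipher in ESP_PARAMS:
        mtu = max_inner_mtu(1500, cipher)
        print(f"{cipher}: a 1500-byte inner packet becomes "
              f"{encapsulated_size(1500, cipher)} bytes on the wire; "
              f"tunnel ip mtu <= {mtu}, ip tcp adjust-mss {tcp_mss_for(mtu)}")
    print("1500-byte packet with DF:   ", classify(1500, True))
    print("1500-byte packet without DF:", classify(1500, False))
```

The practical check is the last two lines: a full-size packet with DF set is not fragmented at all but dropped, and the sender only recovers if the ICMP "fragmentation needed" message reaches it. A firewall between the tunnel endpoints and the sender that drops ICMP unreachables turns that into a PMTUD black hole, which matches the slow-page and stalled-download symptoms described above. Clamping the TCP MSS on the tunnel interface avoids depending on that ICMP for TCP flows.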
