We have a site to site VPN running an IPsec tunnel with 3DES encryption and a 155Mbps ATM link between the two (bridged with 3620 routers). The throughput and response times between the two sites are less than expected, with intermittent periods of delay often experienced. We are using the PIX VPN accelerator cards in both PIX's. Both the PIX and 3620 routers do not appear to be over utilised from CPU and memory utilisation stats, but I suspect the accelerator cards are struggling at periods of time. All data is encrypted based on a crypto map defined on the PIX's. Is it possible to only encrypt particular types of traffic and pass some traffic unencrypted, and/or can anyone suggest a method of logging traffic through the bridged routers (all traffic currently encrypted) or PIX to gauge throughput and monitor the performance of the accelerator card to see if it is struggling with the data? Any other thoughts on how to monitor/proceed would be appreciated.
The traffic that is encrypted is dependent on the crypto ACL. I presume from your description you have that set to "permit ip any any", which is probably not the best solution. You can change this ACL to include whatever traffic you like, although stay away from defining down to the port level (eg, permit ftp, permit telnet, that type of thing).
Just make sure that whatever you define in the ACL on one PIX, that you have the exact opposite in the crypto ACL on the other PIX.
You don't mention what type of PIX's these are, but if you're pushing anywhere near 155Mbps of encrypted traffic through any type (even the 535 with a VAC) you're going to run into issues. The 535 is only rated to do 100Mbps of 3DES throughput with a VAC installed (see http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/prodlit/vac_ds.htm), so if you have anything less than that you may well be oversubscribing the box.
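To make the two points in the reply above concrete (narrow the crypto ACL instead of "permit ip any any", and keep the peer's crypto ACL an exact mirror), here is an added example that is not from the original thread or from Cisco: a small Python checker that parses PIX-style `access-list NAME permit ip SRC MASK DST MASK` lines from both ends of a tunnel, flags any entry that lacks its mirror (source and destination swapped) on the peer, and flags a catch-all `any any` entry. The two configs, the ACL names `vpn-to-b`/`vpn-to-a` and the RFC 1918 subnets are constructed sample data, not the poster's configuration.

```python
"""
Mirror-image crypto ACL checker for a site-to-site IPsec tunnel.

Parses PIX-style 'access-list NAME permit ip SRC MASK DST MASK' lines from
both ends and reports every entry whose exact mirror (src/dst swapped) is
missing on the peer. Mismatched crypto ACLs are a common cause of tunnels
that negotiate from one side only and of traffic that is silently dropped.
"""
import ipaddress

# Constructed sample configs (hypothetical sites; addresses are RFC 1918).
SITE_A_CONFIG = """
access-list vpn-to-b permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list vpn-to-b permit ip 10.1.10.0 255.255.255.0 192.168.50.0 255.255.255.0
"""

# Site B mirrors both of A's entries and adds a third one that A does not mirror.
SITE_B_CONFIG = """
access-list vpn-to-a permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list vpn-to-a permit ip 192.168.50.0 255.255.255.0 10.1.10.0 255.255.255.0
access-list vpn-to-a permit ip 172.16.0.0 255.255.0.0 10.1.0.0 255.255.0.0
"""

ANY = ipaddress.ip_network("0.0.0.0/0")


def _take_endpoint(tokens):
    """Consume one endpoint ('any', 'host A.B.C.D', or 'A.B.C.D MASK') from tokens."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    # ipaddress accepts dotted netmask notation, e.g. 10.1.0.0/255.255.0.0
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_crypto_acl(config, name=None):
    """Return a set of (action, src_net, dst_net) tuples for 'ip' entries in config."""
    entries = set()
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) < 5 or tokens[0] != "access-list":
            continue
        acl_name, action, proto = tokens[1], tokens[2], tokens[3]
        if name is not None and acl_name != name:
            continue
        if proto != "ip":
            # Port-level entries (tcp/udp ... eq ...) are deliberately unsupported:
            # the reply above advises against them in a crypto ACL.
            raise ValueError(f"unsupported protocol in crypto ACL: {line.strip()}")
        src, rest = _take_endpoint(tokens[4:])
        dst, _ = _take_endpoint(rest)
        entries.add((action, src, dst))
    return entries


def missing_mirrors(local, remote):
    """Entries in `local` whose exact mirror (src/dst swapped) is absent from `remote`."""
    return sorted(
        (e for e in local if (e[0], e[2], e[1]) not in remote),
        key=lambda e: (e[0], str(e[1]), str(e[2])),
    )


def check_pair(config_a, config_b):
    """Return ([entries on A with no mirror on B], [entries on B with no mirror on A])."""
    a = parse_crypto_acl(config_a)
    b = parse_crypto_acl(config_b)
    return missing_mirrors(a, b), missing_mirrors(b, a)


def has_catch_all(entries):
    """True if the ACL contains 'permit ip any any', i.e. everything gets encrypted."""
    return ("permit", ANY, ANY) in entries


if __name__ == "__main__":
    a_unmirrored, b_unmirrored = check_pair(SITE_A_CONFIG, SITE_B_CONFIG)
    for label, items in (("site A", a_unmirrored), ("site B", b_unmirrored)):
        for action, src, dst in items:
            print(f"{label}: '{action} ip {src} {dst}' has no mirror on the peer")
    if has_catch_all(parse_crypto_acl(SITE_A_CONFIG)):
        print("site A crypto ACL is a catch-all: every packet will hit the accelerator")
```

Run against the two sample configs it reports only site B's `172.16.0.0/16 -> 10.1.0.0/16` entry as unmirrored, which is exactly the kind of asymmetry that sends one side into repeated SA negotiation while the other side never matches. Extend the sample strings with your own `show access-list` output from each PIX to check a real pair.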
We are using PIX 515's and they may be oversubscribed, but from some basic logging I have been able to do it only looks like we are getting about 25-30 Mbps max and averaging around 8Mbps (1MB). At the same time users are constantly complaining of poor performance. I'm going to try and modify the crypto commands and see how we go.