PIX 515 to PIX 515 VPN performance problem

edavies
Level 1

We have a site to site VPN running an IPsec tunnel with 3DES encryption and a 155Mbps ATM link between the two (bridged with 3620 routers). The throughput and response times between the two sites are less than expected, with intermittent periods of delay often experienced. We are using the PIX VPN accelerator cards in both PIX's. Both the PIX and 3620 routers do not appear to be over-utilised from CPU and memory utilisation stats, but I suspect the accelerator cards are struggling at periods of time. All data is encrypted based on a crypto map defined on the PIX's. Is it possible to only encrypt particular types of traffic and pass some traffic unencrypted, and/or can anyone suggest a method of logging traffic through the bridged routers (all traffic currently encrypted) or PIX to gauge throughput and monitor the performance of the accelerator card to see if it is struggling with the data? Any other thoughts on how to monitor/proceed would be appreciated.

3 Replies

gfullage
Cisco Employee

The traffic that is encrypted is dependent on the crypto ACL. I presume from your description you have that set to "permit ip any any", which is probably not the best solution. You can change this ACL to include whatever traffic you like, although stay away from defining down to the port level (e.g., permit ftp, permit telnet, that type of thing).

Just make sure that whatever you define in the ACL on one PIX, that you have the exact opposite in the crypto ACL on the other PIX.

You don't mention what type of PIX's these are, but if you're pushing anywhere near 155Mbps of encrypted traffic through any type (even the 535 with a VAC) you're going to run into issues. The 535 is only rated to do 100Mbps of 3DES throughput with a VAC installed (see http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/prodlit/vac_ds.htm), so if you have anything less than that you may well be oversubscribing the box.
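The two rules in the reply above (crypto ACLs match on `ip`, not ports, and the peer's ACL must be the exact mirror image) are easy to get wrong by hand. The following is an added example, not code from the thread or from Cisco: it parses PIX-style `access-list NAME permit ip SRC DST` lines and reports any entry that the peer PIX does not mirror. The sample ACLs are constructed for illustration.

```python
import ipaddress
from typing import List, Tuple

Entry = Tuple[str, ipaddress.IPv4Network, ipaddress.IPv4Network]

def _take_net(tokens: List[str], i: int):
    """Consume one PIX address spec (any | host A | A MASK) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2

def parse_crypto_acl(text: str) -> List[Entry]:
    """Parse 'access-list NAME permit|deny ip SRC DST' lines into (action, src, dst)."""
    entries: List[Entry] = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue                      # blank line or unrelated config
        action, proto = t[2], t[3]
        if proto != "ip":
            # Port-level crypto ACLs are discouraged in the reply above; flag them.
            raise ValueError(f"crypto ACL entry is not protocol 'ip': {line}")
        src, i = _take_net(t, 4)
        dst, _ = _take_net(t, i)
        entries.append((action, src, dst))
    return entries

def _fmt(e: Entry) -> str:
    return f"{e[0]} {e[1]} -> {e[2]}"

def mirror_mismatches(local_acl: str, peer_acl: str) -> Tuple[List[str], List[str]]:
    """Return (entries the peer is missing, entries the peer has that local does not mirror)."""
    local = set(parse_crypto_acl(local_acl))
    peer = set(parse_crypto_acl(peer_acl))
    expected_peer = {(a, d, s) for (a, s, d) in local}   # swap src/dst = mirror image
    return (sorted(map(_fmt, expected_peer - peer)),
            sorted(map(_fmt, peer - expected_peer)))

# Constructed sample: site A encrypts only LAN-to-LAN traffic instead of "any any".
SITE_A_ACL = """
access-list vpn permit ip 10.1.0.0 255.255.0.0 10.2.0.0 255.255.0.0
access-list vpn permit ip host 10.1.5.10 10.2.20.0 255.255.255.0
"""
# Constructed peer config with a deliberate error: the second entry uses a /24
# instead of the single host, so it is not the exact mirror of site A.
SITE_B_ACL = """
access-list vpn permit ip 10.2.0.0 255.255.0.0 10.1.0.0 255.255.0.0
access-list vpn permit ip 10.2.20.0 255.255.255.0 10.1.5.0 255.255.255.0
"""
```

Run `mirror_mismatches(SITE_A_ACL, SITE_B_ACL)` to get the host entry site B is missing and the /24 entry it has instead; an empty pair of lists means the two crypto ACLs are exact mirrors.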

Thanks for that,

We are using PIX 515's and they may be oversubscribed, but from some basic logging I have been able to do it only looks like we are getting about 25-30 Mbps max and averaging around 8Mbps (1MB). At the same time users are constantly complaining of poor performance. I'm going to try and modify the crypto commands and see how we go.

thanks

Evan

Hi Evan

Don't forget to check out the MTU size.

colin
