Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

PIX 515 to PIX 515 VPN performance problem

We have a site to site vpn running an ipsec tunnel with 3des encryption and a 155Mbps ATM link between the two (bridged with 3620 routers). The throughput and response times between the two sites is less than expected with intermittant periods of delay often experienced. We are using the PIX VPN accelerator cards in both PIX's. Both the PIX and 3620 routers do not appear to be over utilised from cpu and memory utilisation stats but i suspect the accelerator cards are struggling at periods of time. All data is encrypted based on a crypto map defind on the PIX's. Is it possible to only encrypt particular types of traffic and pass some traffic unencrypted and/or can anyone suggest a method of logging traffic through the bridged routers (all traffic currently encrypted) or PIX to gauge throughput and monitor the performance of the accelerator card to see if it is struggling with the data. Any other thoughts on how to monitor/proceed would be appreciated.

3 REPLIES
Cisco Employee

Re: PIX 515 to PIX 515 VPN performance problem

The traffic that is encrypted is dependent on the crypto ACL. I presume from your description you have that set to "permit ip any any", which is probably not the best solution. You can change this ACL to include whatever traffic you like, although stay away from defining down to the port level (eg, permit ftp, permit telnet, that type of thing).

Just make sure that whatever you define in the ACL on one PIX, that you have the exact opposite in the crypto ACL on the other PIX.

You don't mention what type of PIX's these are, but if you're pushing anywhere near 155Mbps of encrypted traffic through any type (even the 535 with a VAC) you're going to run into issues. The 535 is only rated to do 100Mbps of 3DES throughput with a VAC installed (see http://www.cisco.com/warp/public/cc/pd/fw/sqfw500/prodlit/vac_ds.htm), so if you have anything less than that you may well be oversubscribing the box.

New Member

Re: PIX 515 to PIX 515 VPN performance problem

Thanks for that,

We are using PIX 515's and they may be oversubscibed but from some basic logging I have been able to do it only looks like we are getting about 25-30 Mbps max and averaging around 8Mbps (1MB). At the same time users are constantly compaining of poor performance. I'm going to try and modify the crypto commands and see how we go.

thanks

Evan

New Member

Re: PIX 515 to PIX 515 VPN performance problem

Hi Evan

Dont forget to check out the MTU size

colin

150
Views
0
Helpful
3
Replies
CreatePlease login to create content