Cisco Support Community
Community Member

Question on VPN forwarding


I have a customer who is looking at an SA520 or SA540. He wants to use this as a firewall for a network with his customer. Behind this firewall there are going to be around 100 users who are going to connect by VPN traffic to some host outside this company network. So the SA520/SA540 is not going to terminate any VPN traffic but only forward it. On other products he has purchased there has been a limit on this. Is there any such limit on this VPN forwarding or will it just use the entire firewall throughput of 200/300 Mbps?

Kind Regards,


Cisco Employee

Re: Question on VPN forwarding

Hello Michael,

I found the following document:

Cisco SA 500 Series Security Appliance Models and Specifications

If you terminate IPSec sessions on the device, then review the VPN section, which details the encrypted throughput depending on the encryption algorithm and also mentions the performance test methodology: Maximum performance based on RFC 2544. All results are aggregate bidirectional. Actual performance may vary upon network environment and configuration.

If you do not terminate any IPSec VPN on the device, i.e. only forward ESP packets through it, then the throughput should be limited only by the capacity of the device minus the overhead of the enabled features/functionalities, e.g. firewall, QoS, fragmentation.

You can find related guideline figures in the above-mentioned document and you can consider the same performance test methodology.

Hope this helps,


