IPSec throughput on Pix 515E

david.tran
Level 4

According to the Cisco datasheet, the Pix 515E has the following performance figures:

• Cleartext throughput: Up to 190 Mbps

• Concurrent connections: 130,000

• 168-bit 3DES IPSec VPN throughput: Up to 135 Mbps with VAC+ or 63 Mbps with VAC

• 128-bit AES IPSec VPN throughput: Up to 130 Mbps with VAC+

• 256-bit AES IPSec VPN throughput: Up to 130 Mbps with VAC+

• Simultaneous VPN tunnels: 2000

However, in my lab environment, I have a site-to-site VPN between a Pix515E and a Cisco 3845 router, using AES-256/DH-5/SHA for isakmp and AES-256/SHA/PFS group5 for the site-to-site VPN, and I can only push about 26Mbps of IPSec traffic (tested with Iperf). CPU on the Pix515E is running at 96% utilization.

Now if I replace the Pix515E with another Cisco 3845 router, I can push about 100bps.

Does anyone know why there is such a big difference between the data sheet and the actual real world?

CiscoPix# sh ver

Cisco PIX Security Appliance Software Version 8.0(4)

Device Manager Version 6.1(5)51

Compiled on Thu 07-Aug-08 19:42 by builders

System image file is "flash:/pix804.bin"

Config file at boot was "startup-config"

CiscoPix up 19 days 14 hours

failover cluster up 19 days 14 hours

Hardware:   PIX-515E, 128 MB RAM, CPU Pentium II 433 MHz

Flash E28F128J3 @ 0xfff00000, 16MB

BIOS Flash AM29F400B @ 0xfffd8000, 32KB

0: Ext: Ethernet0           : address is 000d.28b1.a580, irq 10

1: Ext: Ethernet1           : address is 000d.28b1.a581, irq 11

2: Ext: Ethernet2           : address is 0005.5d18.ad00, irq 11

3: Ext: Ethernet3           : address is 0005.5d18.ad01, irq 10

4: Ext: Ethernet4           : address is 0005.5d18.ad02, irq 9

5: Ext: Ethernet5           : address is 0005.5d18.ad03, irq 5

Licensed features for this platform:

Maximum Physical Interfaces  : 6

Maximum VLANs                : 25

Inside Hosts                 : Unlimited

Failover                     : Active/Active

VPN-DES                      : Enabled

VPN-3DES-AES                 : Enabled

Cut-through Proxy            : Enabled

Guards                       : Enabled

URL Filtering                : Enabled

Security Contexts            : 2

GTP/GPRS                     : Disabled

VPN Peers                    : Unlimited

This platform has an Unrestricted (UR) license.

Serial Number: xxxxx

Running Activation Key: 0xxxxxx ccxxxx 0xxxxxx 0xxxxx4

Configuration last modified by enable_15 at 13:15:05.485 UTC Sat Nov 19 2011

CiscoPix#

CiscoPix#  sh cpu usage

CPU utilization for 5 seconds = 95%; 1 minute: 95%; 5 minutes: 94%

CiscoPix#

andrew.prince
Level 10

Your device does not have a VAC card.

Sent from Cisco Technical Support iPad App
