I have a site-to-site VPN configured between my office in Canada and Chile. Here are the specs:
Internet: 2Mbps (burst to 10)
Firewall/VPN: PIX 506
Firewall/VPN: PIX 501
Only about three people there
OK, here's the thing: I have connectivity, but I want my Chilean people to be able to open Office documents on the Canada server. I don't want to have to have a server in Chile (too much support). Documents are getting duplicated and it's a pain for version control. However, because the link is so slow, we have to do this.
What I can't understand is why the link is so slow. We have fairly fat Internet links with no problems at the SP end (in fact, we're on our second SP in Chile, but it's still slow).
Hi Dave, the first thing to understand here is that the fact that both of your firewalls have a 2MB internet connection does not determine the speed of the path, since after your PIX passes this information to your ISP there are several ways to get to your other PIX. First you would need to test your peer-to-peer connection, so I would go ahead and ping the public address of one PIX to the public address of your other PIX, then get the average transfer rate in milliseconds. Now, remember that this is plain text traffic, so you would need to reduce some milliseconds, which is what the encryption/decryption process takes.
One thing to look at too is that in most cases the problem is not really the path but the application type, mainly Windows applications. These applications use a big packet size, which, if not treated correctly, causes packets to be retransmitted. What I would advise is to go ahead and enable this command on both firewalls: "sysopt connection tcpmss 1300"
You do not have to worry about any effect on your applications when applying this command. What it does is intercept the SYN packet from TCP speakers and change the MSS value from 1460 (default), forcing it to be 1300, so both TCP speakers will agree on having a Maximum Segment Size of 1300, which will cause the packets to be smaller, hence preventing fragmentation issues.
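Added example, not part of the original reply: the size arithmetic behind the tcpmss advice, showing why a full 1460-byte segment no longer fits once the tunnel wraps it and why 1300 does. The thread does not give the tunnel settings, so the constants are assumptions: IPv4, ESP tunnel mode without NAT-T, a CBC cipher (3DES or AES), a 96-bit HMAC tag, no TCP options and a 1500-byte path MTU.

```python
# Added example: ESP tunnel-mode size arithmetic behind the tcpmss advice.
# Assumed (not stated in the thread): IPv4, ESP tunnel mode without NAT-T,
# CBC ciphers, a 96-bit HMAC ICV, no TCP options, and a 1500-byte path MTU.

IP_HDR = 20        # IPv4 header without options
TCP_HDR = 20       # TCP header without options
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad-length byte + next-header byte
ICV = 12           # HMAC-SHA1-96 / HMAC-MD5-96 truncated tag

# cipher -> (IV bytes, block bytes); in CBC mode both equal the block size
CIPHERS = {"3des": (8, 8), "aes": (16, 16)}


def esp_packet_size(mss, cipher):
    """Size on the wire of one full TCP segment after ESP tunnel encapsulation."""
    iv, block = CIPHERS[cipher]
    inner = IP_HDR + TCP_HDR + mss            # original packet, encrypted whole
    plaintext = inner + ESP_TRAILER
    padded = -(-plaintext // block) * block   # round up to the cipher block size
    return IP_HDR + ESP_HDR + iv + padded + ICV


def fragments(mss, cipher, path_mtu=1500):
    """True if the encapsulated packet exceeds the path MTU."""
    return esp_packet_size(mss, cipher) > path_mtu


def max_safe_mss(cipher, path_mtu=1500):
    """Largest MSS whose encapsulated packet still fits in path_mtu."""
    mss = path_mtu - IP_HDR - TCP_HDR
    while mss > 0 and fragments(mss, cipher, path_mtu):
        mss -= 1
    return mss


if __name__ == "__main__":
    for cipher in CIPHERS:
        for mss in (1460, 1300):
            size = esp_packet_size(mss, cipher)
            state = "fragments" if fragments(mss, cipher) else "fits"
            print(f"{cipher:4} mss={mss} -> {size} bytes on the wire ({state})")
        print(f"{cipher:4} largest MSS that fits 1500: {max_safe_mss(cipher)}")
```

Under these assumptions 1300 leaves roughly 100 bytes of headroom, which covers links with a smaller path MTU or extra encapsulation.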