Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

throughput limits on VPN connections?

We have an ASA 5520 in our central data center.  We are putting up a small branch office of 2 people which doesn't warrant an ASA 5505.  So my choices were the Linksys, Dlink, or Netgear garden variety VPN routers.

We selected a netgear prosafe, and after it was deployed we saw our user bandwidth go from 100 Mb supplied by the provider, sustainable while plugged into the provider's network equipment, hobbled down to 5 or 6 MB at the desk top.

I since learned the prodsafe has a serious limit on what real equipment might call "back plane" speed, that is to say the wan to lan-ports throughput is nothig like the gig port speed should supply.  I'm pretty sure that's the crux of the problem. But then I also read that VPN tunnels have a limit to begin on.

Meanwhile, researchig the Dlink DSR250, I find that it lists the firewall throughput as 45 MB and the VPN throughput as 35 MB.  If I read that right the best any one user back to our main office could hope for (because of the VPN tunnel) would be 35 MB, multiple users would split that up.  This appears to be related to RFC standards but I could be mistaken.

Question 1:  what is the theoretical site-to-site IPSEC VPN througput on the ASA5520?  That's what I have so that's going to be the final limiting factor.

Question 2:  What are others using in the way of low cost devices at branch offices to form VPN tunnels (instead of using a VPN client at the workstation for example)?  The Linksys 1200 allows me to "pass through" that client VPN traffic but not build a tunnel per se, at least according to the manual. I don't see the goold old WRT linksys equipment any more.

Question 3: of the devices people are using, how many are getting the throughput they would like given the service they are subscribed to?  That netgear prosafe has been dismal.  But I'm not sure what else is out there that would be much better. 

I'd love more cisco gear but it's just not in the budget. 

  • VPN
Super Bronze

Re: throughput limits on VPN connections?


With regards to the question 1 I can personally only refer to this as I have not tested this myself. It mentions the theoretical normal firewall throughput and also the theoretical VPN throughput.

We tend to use Cisco devices only in VPN setups so my choice for the "low cost" would usually be ASA5505. Though you already mentioned that this is not something that you would prefer to use because of cost in small offices. I do personally like the fact that we keep the Cisco ASA or Routers as VPN devices at all the sites we manage and it keeps the whole picture easier to manage when we dont have several different vendors and ways to configure the same thing.

I also have a hard time commenting on the throughput. There are 2 reasons atleast. Most of our bigger customers have a dedicated VPN devices hosted on our datacenters so they are usually devices that will probably never reach their performance limits. I mean the VPN device is usually a model that can more than handle the throughput the customer will ever need. This is especially the case with our VPN devices that have connections for several customers.

With regards to smaller customer and customers that have the VPN device at their own site they usually have such a low bandwith connection (ASDL, ADSL2+ , Symmetric connections up to 10Mbps) that they will never reach the limits of their lower end VPN device.

Only recent expirience related to VPN throughput was when I was connecting/building  a new 100/10Mbps connection for a local customer which wanted to move a Netgear VPN box from behind its old DSL connection to this new fiber connection. We immediately got calls that they were only getting below 10Mbps throughput with the VPN device and it doesnt really surprise me. I did suggest that the VPN connection would be handled through our Datacenter equipment rather than adding an extra box to the local network but I guess the remote end wants to use their own devices.

I don't personally see a Cisco ASA5505 as very big investment on its own, though I have to say the licensing related to the device is enough to drive some people off and I cant say that I like it that much either. I personally have 2 of them at home for testing. I am waiting that they would at some point reveal whats its follower in the X - series is going to be. (As ASA5505 has not been removed from the selection of ASAs yet like the other original ASA models)

Maybe you could try asking this question also on the Small Business section of the CSC? I have absolutely no expirience with those Cisco devices but to my understanding the Small Business devices might have some cheaper alternatives to Cisco ASA5505. Or then again they might be at the same pricerange with the ASA5505.

- Jouni

New Member

throughput limits on VPN connections?

Thanks, particulalry for that link that shows the theoretical performance and throughput of the ASA.  I always wondered about that!

I agree the 5505 is the way to go but, this is an unbudgeted project.  I think they have to settle for slow!

New Member

throughput limits on VPN connections?

Just curious, do you or anyone have any information on the speed that Cisco's VPN client is theoretically capable of?  It occurs to me maybe the answer is to dispense with a tunnel on these low-end devices and use the VPN client....

This widget could not be displayed.