Posted by just bob on September 24, 2008, 11:31 am
How can I measure encryption performance on my PIX's?

We have a couple very old 506E at remote locations connecting to a PIX 515E here and performance is not up to snuff.

I am looking at my VPN devices and if the encryption I am asking it to perform is too much and I am maxing out on either memory or CPU. We are using AES 128 MD5 for the connections and I would like to gather some statistics and then maybe change to Single-DES and see if the numbers improve.

Thank you for your help in giving me any direction at all.

-Bob
Posted by Walter Roberson on September 24, 2008, 4:47 pm
>How can I measure encryption performance on my PIX's?
>We have a couple very old 506E at remote locations connecting to a PIX 515E
>here and performance is not up to snuff.

The speed of IPSec is -strongly- influenced by latency, especially if the IPSec has to fragment the packets in order to get them through the network after all of the IPSec headers have been added. (And if you are on ADSL, you might have PPPoE overhead to deal with as well.)

Do your 506E's have new enough software to know about "mss adjust"? And have you made sure that you are permitting all ICMP fragmentation-required responses to get through? Recall that those packets can come from -anywhere- along the line, so for proper Path MTU Discovery (PMTUD) you need to allow in that ICMP major type from "all".

I was really down for a while on the performance of the 501s as remote X connections to our remote offices were dog slow. The remote office happened to ship me the 501 for work and I bench tested IPSec performance, two 501's back-to-back. The performance I could measure then was entirely acceptable for our needs -- it wasn't the full 3 Mb/s from the 501's documentation, but it was about 1.5 Mb/s or 2 Mb/s. And any discrepancy between that lab test and the ~223 Kb/s we saw in the field was latency in action (about 1000 km worth): a faster PIX wouldn't have helped the situation much.
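The fragmentation and latency effects described in the reply above can be put into numbers. The following is an added example, not part of any post in this thread: it computes how much ESP adds to a packet for the AES-128/MD5 combination mentioned in the question, the TCP MSS that avoids fragmentation (with and without PPPoE), and the latency ceiling on a single TCP connection. It assumes IPv4, ESP tunnel mode with AES-128-CBC and HMAC-MD5-96, no NAT-T, and TCP without options; the function names and sample values are constructed for illustration.

```python
# Assumed encapsulation: IPv4, ESP tunnel mode, AES-128-CBC, HMAC-MD5-96, no NAT-T.
OUTER_IP = 20      # new IPv4 header added by tunnel mode
ESP_HDR = 8        # SPI + sequence number
AES_BLOCK = 16     # CBC block size; the per-packet IV is one block
ESP_TRAILER = 2    # pad-length + next-header bytes, encrypted with the payload
ICV_MD5_96 = 12    # HMAC-MD5 authenticator truncated to 96 bits
PPPOE = 8          # PPPoE + PPP headers on an ADSL link
IP_TCP = 40        # inner IPv4 + TCP headers, no options
FIXED = OUTER_IP + ESP_HDR + AES_BLOCK + ICV_MD5_96


def esp_packet_size(inner_len):
    """On-the-wire size of an inner IP packet after ESP encapsulation."""
    # Payload plus trailer is padded up to a whole number of cipher blocks.
    padded = -(-(inner_len + ESP_TRAILER) // AES_BLOCK) * AES_BLOCK
    return FIXED + padded


def max_inner_packet(path_mtu):
    """Largest inner IP packet that fits in path_mtu once encapsulated."""
    blocks = (path_mtu - FIXED) // AES_BLOCK
    return blocks * AES_BLOCK - ESP_TRAILER


def clamp_mss(link_mtu, pppoe=False):
    """TCP MSS to advertise so full-size segments are never fragmented."""
    path_mtu = link_mtu - (PPPOE if pppoe else 0)
    return max_inner_packet(path_mtu) - IP_TCP


def window_limited_kbps(window_bytes, rtt_ms):
    """Ceiling on one TCP connection: one window per round trip (kbit/s)."""
    return window_bytes * 8 / rtt_ms


if __name__ == "__main__":
    # Constructed sample values, not measurements from the thread.
    print("1500-byte packet becomes", esp_packet_size(1500), "bytes on the wire")
    print("MSS on plain Ethernet path:", clamp_mss(1500))
    print("MSS behind PPPoE:", clamp_mss(1500, pppoe=True))
    for rtt in (1, 20, 100):
        print(f"8 KiB window at {rtt} ms RTT: "
              f"{window_limited_kbps(8192, rtt):.0f} kbit/s")
```

A full-size 1500-byte packet grows past the MTU in this model and must be fragmented, which is what clamping the MSS avoids; the last loop shows throughput falling with round-trip time regardless of how fast the encrypting device is.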
Posted by Tilman Schmidt on September 25, 2008, 12:18 pm
just bob wrote:
> We have a couple very old 506E at remote locations connecting to a PIX 515E
> here and performance is not up to snuff.
>
> I am looking at my VPN devices and if the encryption I am asking it to
> perform is too much and I am maxing out on either memory or CPU. We are
> using AES 128 MD5 for the connections and I would like to gather some
> statistics and then maybe change to Single-DES and see if the numbers
> improve.

In a similar situation, I found plotting the CPU load of my PIXen with MRTG very instructive.

HTH
T.

--
Please excuse my bad English/German/French/Greek/Cantonese/Klingon/...

PIX VPN encryption performance?


