Choosing a Firewall

I'm interested in any recommendations/opinion - good or bad on brands of firewalls. We currently have a PIX 506e and seem to be running into some hardware limitations when using VPN according to Cisco. They are recommending upgrading to the 515. Our ISP is recommending the Watch Guard X700

Mike

Mike Bailey

Our needs are pretty simple I guess. We are a small, one office company. We have a high speed DSL coming in. I also would like to be able to produce internal internet access reports which I know WatchGuard provides built in to a degree compared to the program by Stony Lake that I'm eval'ing right now for the PIX - cost $450. Originally our goal was to be able to run our accounting package through a vpn. At the time we had an eSoft Instagate (instaHate as I call it) which had built in vpn, but was s-l-o-w when we tried using it. We were told by our isp that we could change the MTU, but found you can't do that with the Firewall-For-Dummies, so we purchased the PIX506e. Went through a month of tech support with Cisco and was never able to get it working "right". I finally gave up on the idea of running the accounting application and was going to just settle on being able to map to our user folders for file access. But, ran into speed problems there also. As a benchmark, I compared connecting to the server from home using Remote Desktop and browsing a folder that has hundreds of files and folders. From the time I clicked on the folder and it displayed the full contents was a count of 1 compared to a count of 15 doing the same thing through VPN.

Mike

Mike Bailey
[Note: original discussion in comp.security.firewalls, but I am shunting it over to comp.dcom.sys.cisco as it is getting PIX specific.]

In article , Mike Bailey wrote:
:Mike Bailey wrote:
:> We currently have a PIX 506e and seem to be running into some
:> hardware limitations when using VPN according to Cisco. They are
:> recommending upgrading to the 515.

:We have a high speed DSL coming in.

:Originally our goal was
:to be able to run our accounting package through a vpn. At the time we
:had an eSoft Instagate (instaHate as I call it) which had built in vpn,
:but was s-l-o-w when we tried using it. We were told by our isp that we
:could change the MTU, but found you can't do that with the
:Firewall-For-Dummies, so we purchased the PIX506e. Went through a month
:of tech support with Cisco and was never able to get it working "right".
: I finally gave up on the idea of running the accounting application
:and was going to just settle on being able to map to our user folders
:for file access. But, ran into speed problems there also.

Mike, unless you happened to omit mention of a need for a DMZ or for being able to relay traffic between two remote locations, or needing really huge numbers of simultaneous connections, then the 515/515E would not have any noticeable advantage over the 506E in the circumstances you describe.

If your high speed DSL is 8/8 ADSL (8 megabits/s in each direction) and you were running it flat out, then the PIX 506E could be running low on oomph if you were using 3DES, but that would be easily remedied by switching to AES-128.

The first thing I would check for in your situation is duplex problems.

The second thing I would check is the MTU and the sysopt connection tcpmss size; and right after that I would look at the flows you are permitting to be sure that everything is in place for Path MTU Discovery, after which it would be time for a quick check of the endpoints to see whether they have Path MTU Discovery turned on.

Likely the third thing I would check would be the log messages to see if there was anything interesting.

After that, I would do some ping and ttcp tests, to try to isolate whether the VPN itself is slow or whether the problems are end-to-end.

I suggest that this matter be followed up in comp.dcom.sys.cisco (newsgroups follow-ups already set.)

Walter Roberson
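An added illustration of the MTU / tcpmss / Path MTU Discovery checks listed above, not code from the thread or from Cisco: it bisects the largest packet that crosses a path with Don't Fragment set (the same thing a series of DF pings does by hand) and then compares the resulting maximum TCP MSS against the PIX's tcpmss setting. The Linux iputils `ping -M do` probe, the 576..1500 search window and the 1380 default for `sysopt connection tcpmss` are assumptions; the probe is injectable so the logic can be exercised offline.

```python
import subprocess
from typing import Callable

IP_HEADER = 20      # IPv4 header, no options
ICMP_HEADER = 8     # ICMP echo header
TCP_HEADER = 20     # TCP header, no options
PIX_DEFAULT_TCPMSS = 1380  # assumed PIX default for "sysopt connection tcpmss"


def ping_df_probe(host: str, payload: int, timeout_s: int = 2) -> bool:
    """Send one ICMP echo of `payload` bytes with DF set (Linux iputils ping).

    Returns True only if a reply came back; a packet larger than the path
    MTU is dropped (or answered with 'Frag needed') instead of fragmented.
    """
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload), host]
    return subprocess.run(cmd, capture_output=True, text=True).returncode == 0


def find_path_mtu(probe: Callable[[int], bool], low: int = 576, high: int = 1500) -> int:
    """Bisect the largest IP packet size in [low, high] the probe gets through.

    `probe` takes an ICMP payload size (IP and ICMP headers are added here).
    """
    if not probe(low - IP_HEADER - ICMP_HEADER):
        # Even the smallest probe fails: look at reachability / duplex before MTU.
        raise RuntimeError("minimum-size DF probe failed; the path itself is broken")
    lo, hi = low, high
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid - IP_HEADER - ICMP_HEADER):
            lo = mid          # mid fits, so the answer is at least mid
        else:
            hi = mid - 1      # mid is too big
    return lo


def tcpmss_assessment(path_mtu: int, configured_mss: int = PIX_DEFAULT_TCPMSS) -> dict:
    """Largest MSS the path can carry, and whether the configured clamp exceeds it."""
    max_mss = path_mtu - IP_HEADER - TCP_HEADER
    return {"path_mtu": path_mtu, "max_mss": max_mss,
            "configured_mss": configured_mss, "mss_too_large": configured_mss > max_mss}


def make_simulated_probe(real_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for ping_df_probe: a path whose true MTU is real_mtu."""
    return lambda payload: payload + IP_HEADER + ICMP_HEADER <= real_mtu


if __name__ == "__main__":
    # Offline demo on a constructed 1400-byte path; swap in
    # lambda p: ping_df_probe("10.0.0.1", p) to probe a real peer.
    mtu = find_path_mtu(make_simulated_probe(1400))
    print(tcpmss_assessment(mtu))
```

If the assessment reports `mss_too_large`, the tcpmss clamp is handing out segments the path cannot carry unfragmented, which is exactly the kind of thing that shows up as a VPN that "works" but crawls.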

When you say that the 506e could be running low on "oomph" - what does that mean? Cisco has been working on this problem for over a month and was even escalated to the "senior techs". I would assume that they would have checked/tried these things. I do know that they tried adjusting the MTU for the VPN connection, and at one time had me change the setting on my home PC's Cisco VPN Client. At any rate, I'm going to copy the things you suggested and email them to the Cisco tech and ask if they were checked/tried.

Mike

Mike Bailey

:> If your high speed DSL is 8/8 ADSL (8 megabits/s in each
:> direction) and you were running it flat out, then the PIX 506E
:> could be running low on oomph if you were using 3DES, but that
:> would be easily remedied by switching to AES-128.

:When you say that the 506e could be running low on "oomph" - what does
:that mean?

The -rating- for the 506E is 17 megabits per second 3DES. If you are using symmetric DSL with 8 megabits in each direction and doing heavy data transfers, then the 16 megabits resultant might be close to the -practical- limit of the 506E. But if you are using ADSL (asymmetric) then you probably don't have more than 8/5 or 8/2 which would be within the practical limits of the 506E. And the AES-128 rating on the 506E is 30 megabits per second, so even if your line is symmetric 8/8 then using AES instead of 3DES would leave you plenty of margin.

The quick way to find out if you are running into this kind of problem would be to show cpu usage

You might also want to show memory to see if you are running low on memory. Is your configuration fairly big? That's one of the differences between the models, the amount of memory.

:Cisco has been working on this problem for over a month and
:was even escalated to the "senior techs". I would assume that they
:would have checked/tried these things.

Ah... Cisco is a bit "hit and miss": sometimes you get -very- good people, and sometimes you get people that you have to educate before they even understand what the problem is. The senior techs are usually not too bad, but from time to time your problem lands in the hands of the wrong specialization at Cisco and the senior tech might try to solve the problem from the wrong viewpoint. You know the cliche, "If all you have is a hammer, then everything looks like a nail."

I'm curious as to what Cisco thinks the 515E would do for you that the 506E would not. If you happen to have that part of the discussion as email, I'd be interested in reading it, if you send it to my email.

[Interesting, we have some of your company's products at home.]

Walter Roberson

Sorry for the delay in responding. Turns out that the tech I was working with didn't have too much of a clue as to what was going on or especially what had been done and tested prior to him resulting in the case being escalated to him. I complained - strongly, and then my case was sent to another who was "the best". I've had one conversation with him where he wanted me to download a sniffer and run it on each end of the vpn and capture the results. Even though I asked for explicit instructions as to what they wanted me to do - I received none except to also download the documentation. He could understand that I was asking "what do you want me to do once it is installed." He also requested that I run it at the same time at both ends - kinda hard to do when I can only be in one place (home or work) at a time. LOL.

Anyway, Cisco never said what exactly they thought the 515e would do for me, only that my latency was a "hardware limitation" and that I should upgrade to the 515e.

I did ask about configuring the vpn to use the AES instead of the 3DES as you had suggested, but they didn't seem too excited about that and didn't want to try - not yet anyway.

I'm a little ticked right now that I haven't heard a word from them as of yet. I stressed that I was under a time limit here that if I do need to return the 506e, I have to act quickly. They obviously don't care nor understand the urgency...

One thing that did occur to me was that I was comparing the speed of browsing a directory through remote desktop with doing the same through VPN. Remote desktop displayed all folder contents in one second, vpn took 15. But, I'm thinking now that this is not a fair comparison as when using RD, I'm only transferring the screen "image" to my remote pc and all the "work" is being done on the remote server, whereas with the VPN I'm actually transferring data.

Mike

Mike Bailey
