[Note: original discussion in comp.security.firewalls, but I am shunting it over to comp.dcom.sys.cisco as it is getting PIX specific.]
In article , Mike Bailey wrote: :Mike Bailey wrote: :> We currently have a PIX 506e and seem to be running into some :> hardware limitations when using VPN according to Cisco. They are :> recommending upgrading to the 515.
:We have a high speed DSL coming in.
:Originally our goal was :to be able to run our accounting package trough a vpn. At the time we :had an eSoft Instagate (instaHate as I call it) which had built in vpn, :but was s-l-o-w when we tried using it. We were told by our isp that we :could change the MTU, but found you can't do that with the :Firewall-For-Dummies, so we purchased the PIX506e. Went through a month :of tech support with Cisco and was never able to get it working "right". : I finally gave up on the idea of running the accounting application :and was going to just settle on being able to map to our user folders :for file access. But, ran into speed problems there also.
Mike, unless you happened to omit mention of a need for a DMZ or for being able to relay traffic between two remote locations, or needing really huge numbers of simultaneous connections, then the
515/515E would not have any noticable advantage over the 506E in the circumstances you describe.
If your high speed DSL is 8/8 ADSL (8 megabits/s in each direction) and you were running it flat out, then the PIX 506E could be running low on ommph if you were using 3DES, but that would be easily remedied by switching to AES-128.
The first thing I would check for in your situation is duplex problems.
The second thing I would check is the MTU and the sysopt connection tcpmss size; and right after that I would look at the flows you are permitting to be sure that everything is in place for Path MTU Discovery, after which it would be time for a quick check of the endpoints to see whether they have Path MTU Discovery turned on.
Likely the third thing I would check would be the log messages to see if there was anything interesting.
After that, I would do some ping and ttcp tests, to try to isolate whether the VPN itself is slow or whether the problems are end-to-end.
I suggest that this matter be followed up in comp.dcom.sys.cisco (newsgroups follow-ups already set.)