PIX VPN encryption performance?

How can I measure encryption performance on my PIX's?

We have a couple of very old 506E at remote locations connecting to a PIX 515E here and performance is not up to snuff.

I am looking at my VPN devices and if the encryption I am asking it to perform is too much and I am maxing out on either memory or CPU. We are using AES 128 MD5 for the connections and I would like to gather some statistics and then maybe change to Single-DES and see if the numbers improve.

Thank you for your help in giving me any direction at all.

-Bob

Reply to
just bob

The speed of IPSec is -strongly- influenced by latency, especially if the IPSec has to fragment the packets in order to get them through the network after all of the IPSec headers have been added. (And if you are on ADSL, you might have PPPoE overhead to deal with as well.)

Do your 506E's have new enough software to know about "mss adjust"? And have you made sure that you are permitting all ICMP fragmentation-required responses to get through? Recall that those packets can come from -anywhere- along the line, so for proper Path MTU Discovery (PMTUD) you need to allow in that ICMP major type from "all".

I was really down for a while on the performance of the 501s as remote X connections to our remote offices were dog slow. The remote office happened to ship me the 501 for work and I bench tested IPSec performance, two 501's back-to-back. The performance I could measure then was entirely acceptable for our needs -- it wasn't the full 3 Mb/s from the 501's documentation, but it was about 1.5 Mb/s or 2 Mb/s. And any discrepancy between that lab test and the ~223 Kb/s we saw in the field was latency in action (about 1000 km worth): a faster PIX wouldn't have helped the situation much.

Reply to
Walter Roberson
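A worked calculation of the overhead-and-fragmentation point above, added here as an example and not part of any post in this thread: it assumes tunnel-mode ESP with the AES-128 / HMAC-MD5-96 transform Bob mentioned (single DES included only for comparison), no NAT-T UDP encapsulation, and derives the MSS clamp that keeps a full TCP segment under the path MTU so the PIX never has to fragment it.

```python
# Tunnel-mode ESP sizing (RFC 4303 layout). The transform parameters below are
# assumed for this example: HMAC-MD5-96 carries a 12-byte ICV, AES-CBC a 16-byte
# IV and 16-byte block, DES-CBC an 8-byte IV and 8-byte block.
from dataclasses import dataclass

IP_HDR, TCP_HDR, ESP_HDR, PAD_TRAILER = 20, 20, 8, 2   # bytes
PPPOE_OVERHEAD = 8                                      # ADSL/PPPoE eats 8 bytes of the 1500 MTU


@dataclass(frozen=True)
class EspTransform:
    name: str
    block: int   # cipher block size, also the ESP padding alignment
    iv: int      # IV bytes carried in front of the encrypted payload
    icv: int     # integrity check value appended after the trailer


AES128_MD5 = EspTransform("esp-aes-128 esp-md5-hmac", block=16, iv=16, icv=12)
DES_MD5 = EspTransform("esp-des esp-md5-hmac", block=8, iv=8, icv=12)


def esp_tunnel_size(mss: int, t: EspTransform) -> int:
    """Outer packet size for one full-MSS TCP segment sent through an ESP tunnel."""
    inner = IP_HDR + TCP_HDR + mss                      # inner IP packet is the ESP payload
    padded = (inner + PAD_TRAILER + t.block - 1) // t.block * t.block  # pad to block boundary
    return IP_HDR + ESP_HDR + t.iv + padded + t.icv     # outer IP header + ESP header/trailer


def will_fragment(mss: int, path_mtu: int, t: EspTransform) -> bool:
    """True when the encapsulated packet exceeds the path MTU and must be fragmented."""
    return esp_tunnel_size(mss, t) > path_mtu


def max_mss(path_mtu: int, t: EspTransform) -> int:
    """Largest MSS that still fits: the value to clamp to with 'mss adjust'."""
    mss = path_mtu - IP_HDR - TCP_HDR                   # start from the unencrypted maximum
    while mss > 0 and will_fragment(mss, path_mtu, t):
        mss -= 1
    return mss


if __name__ == "__main__":
    for mtu in (1500, 1500 - PPPOE_OVERHEAD):
        for t in (AES128_MD5, DES_MD5):
            print(f"MTU {mtu} {t.name}: default MSS 1460 fragments="
                  f"{will_fragment(1460, mtu, t)}, clamp MSS to {max_mss(mtu, t)}")
```

The table it prints shows that the cipher choice moves the clamp value by only a few bytes, while leaving the MSS at its default guarantees every full-size segment is fragmented.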

just bob wrote:

In a similar situation, I found plotting the CPU load of my PIXen with MRTG very instructive.

HTH T.

Reply to
Tilman Schmidt
