Does anyone know whether the SEP is supposed to handle encryption for PPTP? We have SEPs in our VPN3030s and from our traffic and CPU stats it looks as though they don't, but all the documentation we can find refers to the SEP-E and implies that it does support PPTP. Sigh...
Sam

SEP supports DES and 3DES
SEP-E supports DES, 3DES, AES
PPTP and SSL (WebVPN) are done by the CPU
Q. What hardware changes are being introduced with Cisco® VPN 3000 Concentrator Software v4.0?
A. Cisco VPN 3000 Concentrator v4.0 introduces a new Scalable Encryption Processing (SEP) module known as the SEP-E. The SEP-E is supported with v4.0 and later software only. Older modules will also be supported with v4.0. The SEP-E module adds support for high-speed Advanced Encryption Standard (AES) encryption, in addition to Data Encryption Standard (DES) and Triple DES (3DES). Prior SEP modules will continue to support AES in software.
Umm. That's even more confusing than I thought. The release notes for 4.1.7F have a table under which shows up to 1500 PPTP users for a VPN3030 with 128MB and a SEP-E. If neither the SEP nor the SEP-E is used for PPTP then our similar box with the SEP should offer the same performance. Why is it that we run out of CPU (but have loads of spare memory) at about 70 PPTP users? Or is that table not saying what it seems to?
Cisco Systems, Inc./VPN 3000 Concentrator Version 4.1.7.J Dec 20 2005 16:50:06
RAM Size: 128 MB (Memory Status: Green)

System   Ethernet Status           Expansion Modules Status
         Int #1  Int #2  Int #3    Mod #1  Mod #2  Mod #3  Mod #4
--------------------------------------------------------------------
GREEN    ON      ON      ON        INS/OK  EMPTY   INS/OK  EMPTY

Fan      Power Supplies   CPU           Active   Throughput
Status   Sup #1  Sup #2   Utilization   Users
----------------------------------------------------------------
GREEN    GREEN   GREEN    100%          8%       9%

Total Memory: 128 MB
Memory Status: Green
Total Block Usage: 23%

Active LAN-to-LAN Sessions: 0
Active Remote Access Sessions: 123
Active Management Sessions: 1
Total Active Sessions: 124
Weighted Active Load: 123
Percent Session Load: 8.20%
Total Active Sessions: 124
Peak Concurrent Sessions: 157
Total Cumulative Sessions: 2464
Um. Our busiest 5 minute average this afternoon on the most heavily loaded interface (it has three but I'm not sure how to interpret the traffic stats) was 23.28Mbps output, 13.80Mbps input. I can't tell you for sure what the protocol mix was then. At this time (6pm - yes I'm going home) we have about 15Mbps in, 8Mbps out with 79.8% of 118 sessions on PPTP and I have no reason to suppose it was very different during the afternoon. We don't think that the 20% of IPSec users are consuming the bandwidth - anecdotal evidence suggests the service they see is just as poor as the PPTP users'. FWIW the all time high was 49.82Mbps out, 24.52Mbps in but I can't tell you the protocol mix then either.
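A small capacity check derived from the status dump above, added here as an example (it is not from the thread or from Cisco): it parses the counters by their field names as they appear in that output and flags the pattern the post describes, a saturated CPU at low session load with spare memory, which is consistent with the crypto work being done in software rather than on the SEP. The sample text and the thresholds are assumptions.

```python
import re

# Constructed sample modelled on the concentrator status pasted in this thread
# (field names as in that output; layout simplified, not byte-for-byte).
SAMPLE_STATUS = """\
Fan     Power Supplies   CPU          Active   Throughput
Status  Sup #1  Sup #2   Utilization  Users
GREEN   GREEN   GREEN    100%         8%       9%
Total Memory: 128 MB Memory Status: Green Total Block Usage: 23%
Active Remote Access Sessions: 123 Percent Session Load: 8.20%
"""

# Assumed thresholds for "CPU saturated while the box is otherwise idle".
CPU_HIGH = 90.0          # percent CPU utilization
SESSION_LOAD_LOW = 50.0  # percent of rated session capacity
MEMORY_HIGH = 80.0       # percent block usage

def parse_status(text):
    """Extract the counters needed for a capacity diagnosis from a status dump."""
    # The CPU / Active Users / Throughput row is the first line with three percentages.
    row = re.search(r"(\d+)%\s+(\d+)%\s+(\d+)%", text)
    if not row:
        raise ValueError("CPU/Users/Throughput row not found")

    def field(label, cast=float):
        m = re.search(re.escape(label) + r":\s*([\d.]+)", text)
        if not m:
            raise ValueError(f"missing field: {label}")
        return cast(m.group(1))

    return {
        "cpu_util": int(row.group(1)),
        "users_pct": int(row.group(2)),
        "throughput_pct": int(row.group(3)),
        "block_usage": field("Total Block Usage"),
        "remote_sessions": field("Active Remote Access Sessions", int),
        "session_load": field("Percent Session Load"),
    }

def diagnose(stats):
    """Saturated CPU with few sessions and spare memory points at per-packet work
    (software crypto, e.g. PPTP/MPPE) rather than at session count or memory."""
    cpu_bound = stats["cpu_util"] >= CPU_HIGH and stats["session_load"] < SESSION_LOAD_LOW
    memory_bound = stats["block_usage"] >= MEMORY_HIGH
    if cpu_bound and not memory_bound:
        verdict = "cpu-bound at low session load; suspect software-only crypto path"
    elif memory_bound:
        verdict = "memory-bound"
    else:
        verdict = "within limits"
    return {"cpu_bound": cpu_bound, "memory_bound": memory_bound, "verdict": verdict}

if __name__ == "__main__":
    print(diagnose(parse_status(SAMPLE_STATUS)))
```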
4Mbps max, eh? :-)
I'll keep looking at that one and my colleague who understands the configuration better will be back tomorrow.
Yes indeed, but it looks as though our PPTP users are getting well over 4Mbps on aggregate - in fact we seem to have single users getting well over that rate. The table at suggests 9-18Mbps (see the footnote for the higher figure) though it's not at all clear what that means. For a box with 3*FE interfaces that seems a little puny, but the bigger boxes are hardly any better.
Mind you, that's the page that talks about 1500 IPSec, PPTP and L2TP sessions. Perhaps that means it will allow that many to connect so long as they don't actually try to do any work. :-)
Ah well, thanks for your time. I'm still confused but I'm still not sure I understand the documentation. I guess we could try to persuade all our users to switch to IPSec using the Cisco client rather than the Microsoft one, or we could just junk the box and buy our way out of the situation.
All those datasheets are so vague and controversial - it's really hard to get a plain answer.
Moving to IPSEC client would be a really good idea. It's more secure, it's a relief for the box and works practically ANYWHERE. Our sales folks are using it from all kinds of hotels with all kinds of nasty security policies in place ;-)
We're in a rather different situation - we're providing service to a whole load of academics. Since we've found that PPTP works (and we believed the release note that says 1500 users) it's now difficult to go and say sorry, but you've got to install this piece of new software. Responses are likely to range from arguments about academic freedom to people saying "the last time I installed something new my computer was broken for a week". This last is not that uncommon, unfortunately... :-(
In fact for now we've started applying policy maps to limit the less legitimate traffic to 2Mbps (the non-Web, non-SSH, non-email etc. traffic is mostly p2p filesharing so far as we can tell). That seems to be helping.