I have a PIX and a Firebox SOHO connected through an IPSec VPN. The traffic over the VPN is quite slow compared to non-VPN traffic tested between the same 2 sites. Does anyone have any suggestions about troubleshooting this problem? Has anyone used a similar setup (i.e. a Firebox with a PIX) and how did it work out?
Another problem is that the connection needs to be rekeyed every 2 days. Does this sound like it could be related to overusage of the firebox? The Firebox is a small version designed for small offices. We have a full T-1 at both locations.
The PIX (at least mine) has a second processor to run the encryption algorithms, which happen to be heavy calculations... maybe the Firebox doesn't have that second processor, so the encrypted communications go slower than the clear-text ones.
"Chad" wrote in message news: firstname.lastname@example.org...
The SOHO units are the bottom end of the Firebox line, they are designed for small offices (5-10 nodes), with an upgrade to 25 or 50 nodes. I have installed many of them in locations with less than 25 nodes and used the IPSec tunnel feature to connect to the home office. If you have the SOHO 6tc unit, I have not found them to be a performance problem, when connected to a T1 I find that we get about line speed over the VPN to the home office.
In locations where we've selected a non-SOHO product, I've seen problems with MTU size with some ISPs. We've had to change the MTU down as low as the 1400s in some locations in order to get any real performance.
One other thing we've seen: intermittent connections on the WAN side, where the VPN units are dropping out, but only long enough to cause the VPN to resync and not drop the web browsing functions. What I mean is that the VPN tunnel traffic drops, resyncs, and yet the users don't have any problems accessing the web (since it's not through the VPN) since it's only a blip. We had to drop one ISP due to this; we worked with them for 6 months and they could not fix their problem. The new ISP works fine with the same hardware on our end.
How about telling us what version of the PIX and firmware you have, and the same for the SOHO unit? There are a couple of SOHOs and we need to know the firmware level too.
The key should regen every 24 hours (or sooner) by default, it's automatic, no manual intervention required. If you have to manually key it each 2 days then you don't have something configured correctly.
Post the PIX model, firmware rev and the same for the SOHO.
I agree with Leythos, I have had several VPN installations where the MTU needed setting to 1400, otherwise it was either slow or didn't work for some functions (drive mapping is the usual one). Use a utility called DrTCP which you can download from here, and it is also useful for ADSL users to get better cleartext throughput; see the article on the same site at