
We have a site-to-site IPSEC VPN; both endpoints are Cisco PIX 515e's. The links at both ends are 100mb, however speeds over the VPN (logged using jperf) are at most 4mb. Obviously this represents a HUGE gulf in the speeds we feel we should be getting. I appreciate there will be overheads for the VPN, but surely not that much. Looking into it, all interfaces on both PIXs have their MTU set to 1500. Running some tests to check the path MTU shows as follows:

Over VPN Tunnel

SITEA -> SITEB = Path MTU 1300

SITEB -> SITEA = Path MTU 1434

Not using VPN Tunnel

SITEA -> SITEB = Path MTU 1500

SITEB -> SITEA = Path MTU 1500

So, prior to the tunnel being created, the path MTU suggests an interface MTU of 1500 would be OK. However, running the same tests over the VPN returns lower suggested MTUs, and different ones at that.

Should we drop the MTUs on our PIXs to either one of the 1300/1434 values suggested, or is that a red herring? And if we do drop the MTUs to these values, will we also need to change the MSS accordingly (currently default on both devices)?

Any guidance would be appreciated as this isn't a link we can try 101 things on without good cause, due to the nature of the business and the link.

Many thanks in advance.

mbuk2k
  • Do you have a VAC (vpn acceleration card)? Maybe show version or show modules will show it. – 3molo Jan 10 '14 at 10:44
  • Nope, would that restrict the speeds to such a degree if we don't? – mbuk2k Jan 10 '14 at 10:57
  • Also check for speed/duplex mismatch. 515e's are old enough they probably don't auto-negotiate reliably. – cpt_fink Jan 14 '14 at 04:13
  • Interestingly, we've installed a VAC and it's not made much difference. Checking on what you said cpt_fink: one end is set to 100mb full, and the other end of the VPN is set to auto-neg. Unsure if this 'mismatch' could be causing an issue, but we'll try setting the auto-neg end to 100mb full to see if that makes any difference. – mbuk2k Jan 14 '14 at 10:46

1 Answer


Although Cisco quotes some quite high "up to" figures for the 515E VPN throughput, these are, like most such figures, doubtful at best. The study below has some comparisons based on various throughput scenarios and includes the 515E.

http://www.tolly.com/TS/2002/WatchGuard/Firebox%20V60/Test%20Summary/TollyTS202164WatchGuardFireboxJan03-print.pdf

Realistically I think for a 515E doing other work as well you are most likely getting the best you can expect.

With regard to your specific question, I wouldn't recommend reducing the MTU manually, as this increases the overhead in terms of more packets being sent and has a negative impact on VPN performance (as seen in the linked study again). The MTU reduces itself over the VPN because once the original packet is encrypted, headers must then be added to direct the encrypted packet to the other VPN endpoint.

I am afraid you will most likely need to purchase the VPN accelerator module or use an older, less secure but more performance friendly encryption algorithm.

Sam
  • You are spot on... 3molo got me on the right track wondering why they'd sell a VPN accelerator card that can handle up to 100mb/s throughput, which made me think, supported by your reply Sam, that the 515e probably can't cope with those speeds anyway. Looking into it further, the max throughput for a stock 515e (i.e. no VAC installed) is 22mbps with a Restricted licence and 63mbps for Unrestricted. Thank you both for your replies!! – mbuk2k Jan 10 '14 at 14:55
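The answer's point that ESP encapsulation is what shrinks the effective MTU, and the question about whether the MSS must follow, can be worked through numerically. The following is an added example, not code from the original question or answer: it uses the standard ESP tunnel-mode field sizes (outer IP header, SPI/sequence header, IV, block padding, trailer, truncated HMAC ICV) to compute the largest inner packet that still fits a 1500-byte link and the matching TCP MSS. The transform sets listed are assumptions; the PIX's actual crypto configuration is not given on the page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class EspTransform:
    name: str
    block: int  # cipher block size in bytes; ESP padding aligns to this
    iv: int     # explicit IV length carried in each ESP packet
    icv: int    # integrity check value length (HMAC truncated to 96 bits)


# Assumed transform sets of the kind a PIX-era IPsec tunnel would use.
TRANSFORMS = {
    "esp-3des esp-sha-hmac": EspTransform("3DES-CBC/HMAC-SHA1", 8, 8, 12),
    "esp-aes esp-sha-hmac": EspTransform("AES-CBC/HMAC-SHA1", 16, 16, 12),
}

OUTER_IP_HDR = 20   # new IPv4 header added in tunnel mode
ESP_HDR = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1)
INNER_TCP_IP = 40   # inner IPv4 (20) + TCP (20) headers, no options


def esp_padding(inner_len: int, t: EspTransform) -> int:
    """Bytes of padding so that (payload + trailer) is a multiple of the block size."""
    return (-(inner_len + ESP_TRAILER)) % t.block


def encapsulated_size(inner_len: int, t: EspTransform) -> int:
    """Size on the wire of an inner IP packet after ESP tunnel-mode encapsulation."""
    return (OUTER_IP_HDR + ESP_HDR + t.iv + inner_len
            + esp_padding(inner_len, t) + ESP_TRAILER + t.icv)


def max_inner_packet(link_mtu: int, t: EspTransform) -> int:
    """Largest inner IP packet whose encapsulated form does not exceed link_mtu.

    Padding is not monotonic in inner_len, so walk down instead of subtracting.
    """
    size = link_mtu
    while encapsulated_size(size, t) > link_mtu:
        size -= 1
    return size


def mss_clamp(link_mtu: int, t: EspTransform) -> int:
    """TCP MSS that keeps a full-size segment from fragmenting inside the tunnel."""
    return max_inner_packet(link_mtu, t) - INNER_TCP_IP


if __name__ == "__main__":
    for key, t in TRANSFORMS.items():
        print(f"{key}: max inner packet {max_inner_packet(1500, t)}, "
              f"MSS clamp {mss_clamp(1500, t)}")
```

Clamping MSS on the firewall lets TCP endpoints avoid fragmentation without lowering the interface MTU; a computed figure like the ones above is what to compare against the device's default MSS setting.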