
PIX to PIX traffic slooowww any suggestions

Status
Not open for further replies.

westarhsv

IS-IT--Management
May 1, 2003
17
US
We have 3DES site-to-site VPNs using PIX firewalls. Right now we map to some shares in each other's locations and it is very slow. Is there any way to speed up traffic through the VPN? I am in Huntsville, Alabama; we are connected to St. Louis, Albuquerque, New Mexico, and somewhere in Maine. The brunt of our traffic is to the St. Louis office. The other reason I ask is we have an Exchange 2000 server here in Alabama that may become the central mail server for the company, which would mean people from New Mexico and St. Louis would be connecting to Exchange through the VPN, and I need to know if it is feasible or is there going to be way too much overhead?
 
Make sure you have the VPN accelerator card(s) in your PIX(s). Also, what is your bandwidth to these sites?

I would recommend you set up Exchange servers in the separate locations, but add them to your existing Exchange site.
 
We don't have VPN accelerator cards in ours; mine is a 506E, St. Louis has a 515 and New Mexico has a 506E. Do they make those cards for a 506E? All locations have full T1s for bandwidth. Would lowering the encryption level to DES make any difference? There would be like 60 people connecting through the VPN to Exchange; I figured it would be too much for the VPN to handle.
 
I don't think a 506E can have a VPAC, but I know the 515 can. W/ a full T1, I would recommend the 60-person office have their own Exchange server with site replication. It would save on bandwidth and provide a much faster email experience.

I don't think backing down from 3DES to DES will save on bandwidth, but it will help on the PIX(s) CPU. I would try to go w/ 3DES first, and only go to DES if your hardware can't handle the load.
 
Hi.

Use PDM (or other tools) to monitor your PIX resource usage on both devices while transferring data at full capacity. (The PIX 506 CPU might be the weakest link.)
You should also monitor bandwidth usage at both sides, using PDM, MRTG, or other 3rd party products.

You can try to upgrade both devices to the new version 6.3.
This version supports AES (I think), which might be less CPU intensive (again, I'm not sure about this).

You should check if playing with MTU makes any difference. Monitor for fragmented packets, and play with "ping -f -l ...". I have found in some places that a low MTU (at the hosts, not at the PIX) fixes some similar problems.

But the major improvements can be gained at the OS and application levels. Some examples:
Using FTP can be faster than MS file sharing.
Implementing a terminal server at the main site will probably give you much better performance and minimize bandwidth usage. The branch office users will then use it for accessing the Exchange server and files stored at the main office.

To conclude -
Monitoring will give you important info.
App/OS solutions can make a very significant change.

Bye


Yizhar Hurwitz
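
The MTU suggestion in the last reply can be sized in advance. The following is an added example, not part of the original thread: it computes the on-wire size of an ESP tunnel-mode packet and the largest `ping -f -l` payload that crosses the tunnel unfragmented. It assumes IPv4 without options, a 12-byte HMAC-96 integrity value, no NAT traversal encapsulation, and a 1500-byte path MTU; none of these values are stated in the thread.

```python
"""Added example: ESP tunnel-mode size arithmetic for the MTU test above."""
import math

OUTER_IP = 20       # outer IPv4 header, no options (assumption)
ESP_HDR = 8         # SPI + sequence number
ESP_TRAILER = 2     # pad-length byte + next-header byte
ICV = 12            # assumption: HMAC-MD5-96 or HMAC-SHA1-96
ICMP_IP_HDRS = 28   # inner IPv4 header (20) + ICMP echo header (8)

# cipher name -> (block size, IV size) in bytes, CBC mode
CIPHERS = {"des": (8, 8), "3des": (8, 8), "aes-cbc": (16, 16)}


def esp_packet_size(inner_len, cipher):
    """On-wire size of one inner IP packet after tunnel-mode ESP."""
    block, iv = CIPHERS[cipher]
    # Payload plus trailer is padded up to a whole number of cipher blocks.
    padded = math.ceil((inner_len + ESP_TRAILER) / block) * block
    return OUTER_IP + ESP_HDR + iv + padded + ICV


def max_inner_packet(path_mtu, cipher):
    """Largest inner IP packet whose ESP form still fits in path_mtu."""
    block, iv = CIPHERS[cipher]
    room = path_mtu - OUTER_IP - ESP_HDR - iv - ICV
    return (room // block) * block - ESP_TRAILER


def ping_payload(path_mtu, cipher):
    """Value for 'ping -f -l <n>' that just fits through the tunnel."""
    return max_inner_packet(path_mtu, cipher) - ICMP_IP_HDRS


if __name__ == "__main__":
    mtu = 1500  # assumed path MTU between the sites
    for name in CIPHERS:
        print(f"{name:8s} full-size host packet on the wire: "
              f"{esp_packet_size(1500, name)} bytes, "
              f"max inner packet: {max_inner_packet(mtu, name)}, "
              f"ping -f -l {ping_payload(mtu, name)}")
```

Under these assumptions DES and 3DES add the same number of bytes per packet, and a full 1500-byte host packet exceeds the path MTU once encapsulated, which is the case a lower host MTU avoids.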
 