
VPN Accelerator 2

Status
Not open for further replies.

nix45

MIS
Joined
Nov 21, 2002
Messages
478
Location
US
We have a few offices that are on DSL connections. Each office is using a PIX 501 that establishes a VPN tunnel with our VPN Concentrator 3015 in the central office. We were thinking about replacing the PIX 501's with 1751 routers with a VPN Accelerator card installed in each router. Would this make a difference in terms of speed? Will it improve performance any? Each office has 10 or less people.

Thanks,
Chris
 
Are you using IPSec or 3DES encryption? You can get the accelerator card for the PIX 500 series firewalls as well.

If I'm not mistaken, the card is basically a subprocessor board. It offloads the CPU utilization that comes with encryption so the device can operate its other functions more optimally. If you are not pegging out CPU utilization on that PIX currently, I'm not sure the change is going to improve performance.
 
I think you're right, jdel. If the PIX isn't at or near 100% CPU utilization, a VPN accelerator card isn't going to do much. With only 10 users per office, the CPU utilization can't be all that high.

Chris
 
Yeah, the only way I could see the CPU utilization being high would be with 3DES, but even then with only 10 users it probably wouldn't be very high at all.

You might try using this link at each site to see what kind of throughput you're getting, and if it's very low on consecutive tests you may want to speak with your ISP about making sure your service is of the quality you expect.

There's another test you can run from (I think) DSLreports.com. Unfortunately I don't have the site address for that in front of me.
 
No, it will make little to no difference. The 501s are designed to deal with up to 10 VPN users, and can deal with 3DES IPSec. If there is a speed problem it is most likely due to bandwidth at the sites; what else is using the line?

Incidentally, you cannot add accelerator cards to PIX 501s, they cannot be upgraded at all apart from flashing the FOS on them.

In my current job we have about 80 501s connecting to two 3005 concentrators, mostly over ADSL connections. Some sites have less than 10 users, others have 50+. Not all of them have to use the VPN link, but all access the internet through the 501s. We get by in general, not bad at all. What are people doing over the VPN connections? We use them to monitor servers, and use remote control software to servers and desktops when required (terminal services and other vendors' remote control software).

CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
 
We use either 3DES or AES encryption. Is one technique faster than the other? Does one of these use more CPU time?

chicocouk, "Incidentally, you cannot add accelerator cards to PIX 501s, they cannot be upgraded at all apart from flashing the FOS on them."

--> I never said that I wanted to do this. I said that we were thinking about using 1751 routers with the VPN Accelerator cards.

We use the connections to run Citrix ICA sessions through the VPN tunnel.

chicocouk, what remote control software do you use? We're using VNC right now, and it works okay, but we're looking for something better. We have both Linux and Windows clients.

Chris
 
I wouldn't replace a firewall with a router. :-)

A PIX 506E could be a good upgrade for you. Better yet, would be to use a Cisco Concentrator.
 
Nix45,

Hi, I know you didn't say you wanted to add accelerator cards to the 501s, but jdel said you can add them to the PIX 500 series (which you can, on the larger PIX in that range, he's right), but the 501s which you have can't be upgraded that way. I was just pointing that out in case you tried to go down that route; it's not an option.

AES versus 3DES, the following is from Cisco's site:

"Advanced Encryption Standard
Advanced Encryption Standard (AES) is the latest industry encryption standard. It provides stronger and faster encryption (128b, 192b, and 256b).

AES delivers the following benefits:

Stronger Encryption—AES continues the trend of evolving encryption standards, in order to make it difficult or impossible to obtain access to sensitive corporate data. AES-128 is equal to 3DES-168, while AES-192 and 256 offer superior encryption strength.

Improved Encryption performance—AES also improves performance when using encryption, as it requires less processing overhead to achieve equal or better encryption, as compared to today's standards. This removes a major hurdle facing customers who want to deploy encryption without compromising the performance of their network, or for end users."

Quoted from this page:

As for remote control software, we use a variety of things (for historical reasons), including Computer Associates Remote Control Option, v6 and 7 (avoid 6 like the plague), vnc, dameware, terminal services (or remote desktop on xp machines) and pc anywhere.

Best performance seems to be using terminal services, although this is entirely subjective; it feels more responsive. There's little to choose between VNC, DameWare and pcAnywhere, but RCO 7 is actually quite good ... As for running any of them on Linux, sorry, I can't help you there; it's not something we do.

CCNA, MCSE, Cisco Firewall specialist, VPN specialist, wannabe CCSP ;)
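The Cisco text quoted above claims AES needs less processing overhead than 3DES. As an added example (not from this thread, and not Cisco's or anyone's product code), the Go program below times CBC encryption of the same 1 MiB buffer with AES-128 and with 3DES using only the standard library; the keys and the payload are constructed test values, and the absolute numbers depend on the host (a modern CPU with hardware AES will show a far larger gap than a small software-only appliance would).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
	"time"
)

// Throughput encrypts a constructed 1 MiB payload in CBC mode, decrypts it again, and returns the
// encrypt-pass rate in MB/s plus whether the round trip restored the plaintext. 1 MiB is a multiple
// of both block sizes (16 for AES, 8 for 3DES), so no padding is needed. The all-zero IV is only
// acceptable for a throughput test; a real tunnel uses a fresh IV per packet.
func Throughput(block cipher.Block) (mbps float64, ok bool) {
	buf := make([]byte, 1<<20) // constructed all-zero payload; its content does not affect CBC timing
	iv := make([]byte, block.BlockSize())
	ct := make([]byte, len(buf))
	start := time.Now()
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, buf)
	secs := time.Since(start).Seconds()
	pt := make([]byte, len(buf))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	return float64(len(buf)) / secs / 1e6, bytes.Equal(pt, buf)
}

// Ciphers builds AES-128 and 3DES (three independent DES keys, i.e. the 168-bit variant) block
// ciphers from constructed test keys; the key lengths are fixed, so the constructors only fail on a bug.
func Ciphers() (aesBlock, tdesBlock cipher.Block, err error) {
	if aesBlock, err = aes.NewCipher([]byte("0123456789abcdef")); err != nil { // 16 bytes selects AES-128
		return nil, nil, err
	}
	if tdesBlock, err = des.NewTripleDESCipher([]byte("0123456789abcdef01234567")); err != nil {
		return nil, nil, err
	}
	return aesBlock, tdesBlock, nil
}

func main() {
	aesBlock, tdesBlock, err := Ciphers()
	if err != nil {
		panic(err)
	}
	for name, b := range map[string]cipher.Block{"AES-128-CBC": aesBlock, "3DES-CBC": tdesBlock} {
		mbps, ok := Throughput(b)
		fmt.Printf("%-12s %8.1f MB/s  roundtrip_ok=%v\n", name, mbps, ok)
	}
}
```

Run it on the box that would terminate the tunnel, not on a desktop: the ratio between the two lines, not the MB/s figure, is what tells you how much cipher choice matters relative to an accelerator.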
 
"I wouldn't replace a firewall with a router."
--> baddos, why not? Each remote office only contains workstations, no servers. We don't need any advanced firewall rules or anything, just basic stuff like NAT.

"A PIX 506E could be a good upgrade for you. Better yet, would be to use a Cisco Concentrator."

--> use a Cisco Concentrator in a remote office?

It sounds like our best bet is to just keep the 501's in place. I don't think that anything else will offer a significant performance boost. If I'm wrong, please correct me.

Thanks,
Chris
 
chicocouk, looks like we should use AES whenever possible. Sounds much better than 3DES in every situation.

I never heard of Dameware or CA's RCO, but I'll look into them. Citrix's remote control features work very well over low bandwidth, but you can only use them in a Citrix session obviously. VNC is real slow over an encrypted VPN tunnel, so we're looking for something a little better than that. Well anyway, I'm getting off topic so I'll shut up about this.

Thanks for your help guys.

Chris
 
"--> baddos, why not? Each remote office only contains workstations, no servers. We don't need any advanced firewall rules or anything, just basic stuff like NAT."

There's more to firewalls than just NAT and access-lists. A PIX is stateful which is key.

"--> use a Cisco Concentrator in a remote office?"

Didn't catch the remote office part. If it's a remote office, go with a VPN Client 3002 or something similar. Built with VPN in mind.

If you want a router that does VPN, look at the Cisco 800 series instead of buying a multiservice router like the 1700 series.
 