Firewall-1

[FW-1] Performance issues VPN-1 <> Netscreen

Subject: [FW-1] Performance issues VPN-1 <> Netscreen
From: Nico De Ranter <nico AT SONYCOM DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Mon, 28 Jul 2003 10:37:29 +0200

Hi,

I'm setting up a VPN between a Checkpoint VPN-1 NG.FP3
firewall running on a Sun V120 and a Netscreen 25 running
ScreenOS 4.0.2. The encryption used is 3DES (since that seems
to be the only common encryption scheme).  The firewalls
are currently connected directly via a 100Mbps switch (for testing).

When I try to copy a large file from a client behind the Checkpoint
to a client behind the Netscreen I get at most 2Mbps. When I copy
the same file in the other direction I get at most 4Mbps. Since the
firewalls will be connected through a 100Mbps WAN connection this sounds
like a very big waste.

Unfortunately I couldn't figure out where the bottleneck is.
The CPU load on the Sun firewall goes up to 40% (that's rather
high but shouldn't be a problem). The Netscreen reports up to 15%
CPU load (dedicated hardware has its advantages).  The network segment
in the middle is hardly loaded (tried different types of switches and
hubs, doesn't make a difference).  The clients are not loaded either
(copying something over the local network goes a lot faster).

Any idea whether there is some setting on the Checkpoint or Netscreen
that could limit the bandwidth a VPN can take?

Nico

---------------------------------------------------------
 "It has been said that there are only two businesses that
  refer to customers as users: illegal drug trade and
               the computer industry."
---------------------------------------------------------
Nico De Ranter
Senior System Administrator
Sony Service Center (NSCE/VPE-B)
Sint Stevens Woluwestraat 55 (Rue de Woluwe-Saint-Etienne)
1130 Brussel (Bruxelles), Belgium, Europe, Earth
Telephone: +32 2 724 86 41 Telefax: +32 2 726 26 86
e-mail: nico.deranter AT sonycom DOT com
