Re: [FW-1] Performance issues VPN-1 <> Netscreen

Subject:	Re: [FW-1] Performance issues VPN-1 <> Netscreen
From:	"fw AT doehni.dyndns DOT org" <fw AT DOEHNI.DYNDNS DOT ORG>
To:	FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date:	Mon, 28 Jul 2003 11:51:23 +0200

> When I try to copy a large file from a client behind the Checkpoint
> to a client behind the Netscreen a get at most 2Mbps. When I copy
> the same file in the other direction I get at most 4Mbps. Since the
> firewalls will be connected through a 100Mbps WAN connection this sounds
> like a very big waste.
>
> Unfortunately I couldn't figure out where the bottleneck is.
> The CPU load on the Sun firewall goes up to 40% (that's rather
> high but shouldn't be a problem). The Netscreen reports up to 15%
> CPU load (dedicated hardware has its advantages).  The network segment
> in the middle is hardly loaded (tried different types of switches and
> hubs, doesn't make a difference).  The clients are not loaded either
> (copying something over the local network goes a lot faster).

Nico,
the nescreen firewall used ASIC based technology - the hole encrytion is done
in the ASIC ... it doesnt make sense to check the cpu of the netscreen while
copying files via vpn link.

the latest build of netscreen os is 4.0.0r10 - i suggest to use this release
because of a lot of addressed issues in 4.0.0r2.

btw

1) use iperf, ttcp or large ftp file to test performance
2) try increasing the window size on src or dst
3) try setting "set flow path-mtu" on ns or better set flow
tcp-mss 1300 to help eliminate occurrences of frag'ed IPSec packets
4) check netstat -s if there are any restransmits increasing (on dst and src)
5) nat-t will decrease your performance

bye
ad




> Any idea whether there is some setting on the Checkpoint or Netscreen
> that could limit the bandwidth a VPN can take?

=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to LISTSERV AT amadeus.us.checkpoint DOT com
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
fw-1-owner AT ts.checkpoint DOT com
=================================================

<Prev in Thread]	Current Thread	[Next in Thread>
[FW-1] Performance issues VPN-1 <> Netscreen, Nico De Ranter Re: [FW-1] Performance issues VPN-1 <> Netscreen, fw AT doehni.dyndns DOT org <= Re: [FW-1] Performance issues VPN-1 <> Netscreen, Leonardo Boulton Re: [FW-1] Performance issues VPN-1 <> Netscreen, fw AT doehni.dyndns DOT org

Previous by Date:	Re: [FW-1] NG AI VRRP Anti-Spoofing, Alex Chircop
Next by Date:	Re: [FW-1] TCP connection timeout, Figaro, Nicolas
Previous by Thread:	[FW-1] Performance issues VPN-1 <> Netscreen, Nico De Ranter
Next by Thread:	Re: [FW-1] Performance issues VPN-1 <> Netscreen, Leonardo Boulton
Indexes:	[Date] [Thread] [Top] [All Lists]