Firewall-1

[FW-1] Checkpoint vpn performance on SPLAT

Subject: [FW-1] Checkpoint vpn performance on SPLAT
From: cisco4ng <cisco4ng AT YAHOO DOT COM>
To: FW-1-MAILINGLIST AT AMADEUS.US.CHECKPOINT DOT COM
Date: Fri, 23 Dec 2005 08:17:20 -0800

I have a SPLAT box running NG AI R55w with HFA_04.  The hardware
is a Dell dual Pentium III (550 MHz) processor with 1GB of RAM.
This box is running as an enforcement module only and is managed
by Provider-1.

It seems like I cannot push more than 8MB of IPSec traffic on this
SPLAT box.  The SPLAT box has two VPN tunnels between a Cisco VXR7206
and a Cisco Pix535.  Both of these Cisco devices are capable of pushing
well above 80MB of IPSec traffic (I tested it).

However, when I use SmartView Monitor to measure the IPSec throughput,
the SPLAT cannot seem to push beyond 8MB of IPSec traffic.  There
is no other traffic on the SPLAT box other than IPSec traffic.
I have servers behind the SPLAT and when I test regular traffic, I can
see the SPLAT pushing about 70MB of throughput of regular traffic.
However, with IPSec traffic, I cannot go beyond 8MB.

I checked the layer 2 switches and everything is set to 100 full-duplex.  We
are using both Cisco 3550 and Cisco 6509 switches.  No errors on the
switchports.

I have Performance Pack enabled on my SPLAT box so that I can off-load the
VPN traffic to the second CPU.  I am using AES-256/sha1/DH group5 for both
phase I and phase II.  I am also using PFS in phase II.
I am also seeing that the CPU utilization never goes beyond 25%.

How can I improve the VPN performance on my SPLAT box?  I want to improve
IPSec throughput to about 20MB or so.  I do NOT want to upgrade my hardware
or buy a VPN acceleration card.

Is it possible to do that?

TIA


                