
PIX SIP throughput

Matthew Ralston
Level 1

How many concurrent SIP channels should I expect to be able to make through a PIX firewall?

We currently have a PIX 515 with the SIP fixup enabled.

It worked fine for a low volume of traffic, but once we got to around 400-500 concurrent SIP calls the PIX started to struggle. Calls were dropping and other Internet traffic was intermittent. When I decreased the call volume it recovered and everything returned to normal.

Bandwidth-wise, we were only using about 20MB, so I think that as it needs to inspect and remember SIP packets for the purposes of opening RTP ports, we probably hit a bottleneck in terms of either the PIX's CPU or memory capacity.

I've not seen any specs detailing how many SIP fixups a PIX (of any capacity) is able to handle.

I'm thinking of upgrading to a PIX 525 or PIX 535, but I'd like to know how many SIP calls they will be able to handle before committing.

Any advice would be greatly appreciated. Thanks.

4 Replies

mirober2
Cisco Employee

Hi Matthew,

As you noted, the first bottleneck for the number of SIP connections you can push through the firewall will be the available CPU and memory. There are no hard set numbers for this, as the number of concurrent SIP connections will depend greatly on a number of variables (including traffic profile through the PIX, CPU and memory utilization, etc.).

The data sheet for the 515E shows that it can do 130,000 concurrent connections (this is all connections, not just SIP), but keep in mind that these are based on very ideal conditions.

The best approach to find your max is to test this in your environment, which it sounds like you've already done (400-500 concurrent calls).

Also, if you're looking at upgrading hardware, I would suggest looking at the ASA platform instead. The PIX platform has already reached end-of-sale/end-of-life, and is approaching end of support:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/prod_eol_notice0900aecd8073fa36.html

Hope that helps.

-Mike

Hi Mike,

Thanks for the input. It seems like the try-and-see approach is probably the way I'm going to have to go. That makes it a little tricky when deciding what to upgrade to, but I think I can probably take the max connections figure of our current firewall together with the amount of SIP channels I've been able to get through it and, using those as a benchmark, pro-rata them up to estimate what size PIX I'm going to need.

Our current firewall is actually the older 515 (64MB) model (not a 515e) which apparently can do 128,000 concurrent connections.

I think SIP actually requires 3 connections per channel... SIP, RTP & RTCP. I might be wrong there, but as 128,000 / 3 = 42,666 is still WAY more than the 400-500 concurrent calls I was actually able to get through it, it's probably not a useful stat.

Incidentally, we went down the PIX route (rather than ASA) because they're very cheap to pick up and I have an extremely tight budget. A PIX 525 costs us approx £150 on eBay, an ASA 5520 costs minimum £2000. (Yes, it might be a false economy in the long run, but ultimately the choice is not mine). As for the soon-to-expire support contract... well that would be me and it lasts as long as I work for the company!

I've done a few rough calculations...

If my PIX 515 (64MB, rated for 128,000 connections) can do 300 concurrent SIP calls (I'm being conservative), then:

PIX 525 (256MB, rated for 280,000 connections) should be able to do 656 concurrent SIP calls

PIX 535 (1GB, rated for 500,000 connections) should be able to do 1171 concurrent SIP calls

I am going to do some more stress testing to confirm how many concurrent SIP calls we can safely do, but do you think the logic behind the calculation sounds ok?

Cheers,

Matt

Hi Matt,

Your logic seems pretty solid there, but you may not see an exact 1:1 relationship as memory and concurrent calls increase for the reasons I mentioned before. Your calculations should help to provide a good baseline though. It's difficult to pinpoint exact values for this without doing some performance testing, so your action plan for moving forward sounds good.

Also, another important factor to keep in mind is the call setup rate (i.e. calls per second). This rate will be a smaller subset of the total number of concurrent calls that you'll be able to handle.

-Mike

Ok, thanks. I just wanted to make sure I wasn't missing some subtlety.

Well I'll do some more testing when I'm able and try to nail down a solid figure for how many calls we can do on the current PIX and take it from there. If I err on the side of caution then hopefully I won't go too far wrong.

- Matt
