VAC+ Cards Question

mcsfirewall · ‎06-03-2005

We have a site-to-site and don't really have the bandwidth we thought we would. It still seems a little slow. We were hoping for more speed.

My question is two-fold:

1. Would getting a PIX VPN Accelerator Card speed it up?

2. Do you need two cards (one at each end) or will one provide an increase in performance?

Thanks in advance

andrew.slater · ‎06-04-2005

Hi there,

The VAC is designed to take over the encryption processing from the CPU and unless you find the CPU on your PIX is excessively high it won't do anything to speed up the s2s tunnel. Anything over a constant sustained 30% usage would point to advantages in either upgrading to a VAC (if crypto load is high) or upgrading your PIX.

For the answer to your second question, picture a sitauation where you might have many remotes sites connecting to one central PIX in a hub and spoke topology. For each remote site, the crypto load is relatively low as it is only affected by the local traffic but at the central site, all spokes are connected and so crypto load would be high. In this situation you'd employ a VAC at the hub and not at the spokes. So reading between the lines of your question, there is no requirement to having VACs at both end of a s2s tunnel.

If load isn't the issue, I'd take a look at the MTU and MSS sizes that you've got setup. You may find that your s2s speed issues are a result of excessive fragmentation. Try pinging with increasingly larger packet sizes across the tunnel with the don't fragment bit set and find out at what size the packets start getting dropped.