Buy or Renew
Buy or Renew
NEW! Stay up-to-date on Cisco Secure Access: Software Release Notes and Announcements
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
361
Views
0
Helpful
4
Replies

PIX-to-PIX VPN tunnel problem

rmv72
Level 1
Level 1

‎06-16-2005 02:33 AM - edited ‎02-21-2020 01:49 PM

I have PIX-to-PIX VPN tunnel.

i started ping to PIX2 outside interface and reply always stable ( near 50 ms) but if i ping PIX2 inside interface than reply is very various ( more 300 ms and until 1500 ms).

If i start ping to internal interface with packet size 10000 than i get reply near 1000ms but reply from outside interface still near 50-80 ms.

How to unserstand it and how to resolve it?

Labels:
0 Helpful
4 Replies 4

pkinzel
Level 1
Level 1

‎06-16-2005 07:58 AM

The encryption you are using may be killing system resources. What kind of encryption are you using? And which model of Pix?

I did some testing and found AES-128 to be the best bet for security and speed (AES-256 killed my 501 and 506s).

Login to PDM (at least version 3) and watch the Processor and Memory to see if they are getting maxed out.

0 Helpful

rmv72
Level 1
Level 1
In response to pkinzel

‎06-16-2005 09:42 AM

PIX 501E

PIX Version 6.3(3)

crypto ipsec transform-set AES esp-aes esp-sha-hmac

crypto map M 10 ipsec-isakmp

crypto map MOSCOW 10 set transform-set AES

crypto map MOSCOW interface outside

isakmp identity address

isakmp policy 20 authentication pre-share

isakmp policy 20 encryption aes

isakmp policy 20 hash sha

isakmp policy 20 group 2

isakmp policy 20 lifetime 86400

telnet timeout 60

-----------------------------------

CPU used near 20 %

Memore - 70%

--------------------------

I'm not shure which AES i used- 128 or 256?

0 Helpful

pkinzel
Level 1
Level 1
In response to rmv72

‎06-16-2005 10:11 AM

How many VPNs are running on the 501?

You are using 128-bit encryption for IPSec.

(crypto ipsec transform-set AES esp-aes esp-sha-hmac ). I haven't found the isakmp encryption to play a major role in slowdowns because that happens fairly quickly and infrequently.

As a test, create a test transform set for des encryption on both Pix's-

"crypto ipsec transform-set des-test esp-des esp-sha-hmac"

then change the encryption on the transform-set of each pix to des

no crypto map MOSCOW 10 set transform-set AES

crypto map MOSCOW 10 set transform-set des-test

This must be done on both Pix's and will lower your VPN encryption from AES-128 to 64-bit DES. You could, as a test, remove encryption all together to see what effect it has.

0 Helpful

rmv72
Level 1
Level 1
In response to pkinzel

‎06-16-2005 09:31 PM

Onle 1 VPN are running on the 501.

I tryed to use des encryption but it didn't help.

0 Helpful
Customers Also Viewed These Support Documents