topic Re: iRe: Limitation IPsec VPN performance in General Topics

Limitation IPsec VPN performance

Sistemas_SanLucar — Mon, 02 May 2016 10:55:18 GMT

Hello

I have 2 PA-500 in active-passive mode (Pan-os 6.1.0)

In the model specification PA-500 shows that "IPsec VPN performance" is 50 Mbps.

I want to make an IPSec VPN tunnel with a cloud provider. The speed that gives me supplier for the tunnel is 100 Mpbs guaranteed.

Does this mean that my connection with cloud provider may not exceed 50 Mbps?

Can you clarify a little more what it means "IPsec VPN performance"?

Thank you

Re: Limitation IPsec VPN performance

Raido_Rattameister — Mon, 02 May 2016 11:27:25 GMT

Basically yes if spec sheet tells you that device max IPSec performance is 50Mbit then you can get 50Mbit connection.

What you can try is to configure multiple proxy id's.

Every proxy id mapping will mean seperate tunnel between endpoints and as seperate tunnels can be load balanced to different cpu's in Palo then it might give slightly better performance.

Re: Limitation IPsec VPN performance

Sistemas_SanLucar — Mon, 02 May 2016 19:23:19 GMT

Thanks for your reply.

If we change Pa-500 from active-pasive to active-active ,, it could balance the tunnel and therefore could gain a better Ipsec performance ?balance the tunnel and therefore gains Ipsec performance ?

Thank you

Re: Limitation IPsec VPN performance

Raido_Rattameister — Mon, 02 May 2016 22:23:46 GMT

Palo Alto has route based vpn.

It means it decides based on routing table if packet should be sent into tunnel.

If you have vpn to device that uses policy based vpn then other side decides based on policy (not routing table) if packet should be sent into tunnel.

Cisco call those policies encryption domains. Palo calls same thing Proxy id.

You don't need to configure Proxy id if vpn is between 2 Palos but you can still use them.

If you add multiple proxy id's then every proxy id means seperate vpn tunnel. One tunnel is processed by single cpu but if you spread traffic to multiple tunnels then they can be scheduled to diferent cpu's in Palo and you can get better performance.

It has nothing to do with A/P and A/A high availability.

Don't change HA setup without good planning.

If you have bad planning then A/A HA has lower performance than A/P.

Re: Limitation IPsec VPN performance

santonic — Tue, 03 May 2016 06:16:41 GMT

PA devices usualy perform really well regarding troughput. Have you tested if you can maybe get more than 50 Mbps in current setp? Will you really generate that much traffic constantly?

Another thing to consider is that IPSEC traffic has some overhead as well, so on 100 Mbps link you will never get 100 Mbps IPSEC throughput.

A/A should theoretically give you more throughput. But PA doesn't recommend using A/A to increase thrroughput.

iRe: Limitation IPsec VPN performance

Sistemas_SanLucar — Tue, 03 May 2016 15:30:54 GMT

Hi,

I just saw on Cacti graphs that we are reaching with our supplier cloud an output of 80 mbps.

Our line is 80 mbps simétric.

So I can not finish to understand because it brings more performance if it is limited to 50Mbps.

The tunnel is DES encryption.

Can you clarify this?

Thank you

Re: iRe: Limitation IPsec VPN performance

Raido_Rattameister — Tue, 03 May 2016 16:19:40 GMT

Palo Alto uses small 64k packet size when they put together their datasheet (worst case cenario).

Many competitors use large packets (best case cenario) in their datasheets.

For that reason you often get better performance with Palo than advertised.

Re: iRe: Limitation IPsec VPN performance

Raido_Rattameister — Tue, 03 May 2016 16:20:38 GMT

By the way DES is not secure to use nowadays.

Re: iRe: Limitation IPsec VPN performance

santonic — Thu, 05 May 2016 07:28:12 GMT

Declared throughput is not limit. It's guaranteed.