Determine IPSec tunnel performance?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Determine IPSec tunnel performance?

L4 Transporter

Hi folks,

 

We have several IPSec tunnels, but only one is complaining of poor performance using a specific application that the tunnel is meant for.  Management asking for firewall stats to prove if it is related to IPSec tunnel/firewall performance issue or not.

 

I am following this article and see the first twenty ports, but do not know which ones correspond to my tunnel interfaces.

https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Check-Throughput-of-Interfaces/ta-p/...

 

Anyone have tips for measuring interface throughput and comparing looking for performance issues?

1 accepted solution

Accepted Solutions

@OMatlock,

WIth just these numbers I wouldn't really be able to say anything for certain. One thing that generally happens with tunnels however is that the other end has a less than stellar VPN connection. Do you know what the other end's device is, or what the other connection looks like? 

View solution in original post

5 REPLIES 5

Cyber Elite
Cyber Elite

@OMatlock,

For something like this I would really recommend simply downloading Pan(w)achrome for a nice visiual layout.

 

If you run 'show interface tunnel.10' and replace your tunnel with whatever one you are actually looking at you'll see the stats that you can compare to what you are seeing on the port stats to determine which port is actually your tunnel interface. The interface stats that the first command pulls may be enough for what you are looking for as well. 

Thank you BPry!

That is helpful.  It does display bitrate for my tunnel interfaces.  I notice the one complaining about, tunnel.6 performance does have a lower bitrate than the other two.  It seems consistent (everytime I look at it or refresh).

 

I wonder if I could capture these stats for graphing?

Any comment about what could be going on with the lower bitrate for this connection tunnel.6 specifically?

tunnels.jpg

 

Hello,

We use the netflow to determine capacity over time. Wonder if something would work in this case?

 

Cheers!

@OMatlock,

WIth just these numbers I wouldn't really be able to say anything for certain. One thing that generally happens with tunnels however is that the other end has a less than stellar VPN connection. Do you know what the other end's device is, or what the other connection looks like? 

Thank you for the feedback folks.  Yea, I tend to believe it's on the other end.  I called PA support and looked over my connection, drops, TCP handshake, "health check" and everything looks good on our end.  I just wanted to get a headstart on troubleshooting our end, before the blame comes my way first...

 

Thanks again.

  • 1 accepted solution
  • 6023 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!