05-02-2016 03:55 AM
Hello
I have 2 PA-500s in active-passive mode (PAN-OS 6.1.0).
The model specification for the PA-500 shows that "IPsec VPN performance" is 50 Mbps.
I want to make an IPsec VPN tunnel with a cloud provider. The speed that the supplier gives me for the tunnel is 100 Mbps guaranteed.
Does this mean that my connection with the cloud provider may not exceed 50 Mbps?
Can you clarify a little more what "IPsec VPN performance" means?
Thank you
05-02-2016 04:27 AM
Basically yes, if the spec sheet tells you that the device's max IPsec performance is 50 Mbit then you can get a 50 Mbit connection.
What you can try is to configure multiple proxy IDs.
Every proxy ID mapping will mean a separate tunnel between endpoints, and as separate tunnels can be load balanced to different CPUs in the Palo, it might give slightly better performance.
05-02-2016 11:16 PM
PA devices usually perform really well regarding throughput. Have you tested whether you can maybe get more than 50 Mbps in the current setup? Will you really generate that much traffic constantly?
Another thing to consider is that IPsec traffic has some overhead as well, so on a 100 Mbps link you will never get 100 Mbps IPsec throughput.
A/A should theoretically give you more throughput. But PA doesn't recommend using A/A to increase throughput.
05-02-2016 12:22 PM - edited 05-02-2016 12:23 PM
Thanks for your reply.
If we change the PA-500s from active-passive to active-active, could it balance the tunnel and therefore gain better IPsec performance?
Thank you
05-02-2016 03:23 PM
Palo Alto has route-based VPN.
It means it decides based on the routing table whether a packet should be sent into the tunnel.
If you have a VPN to a device that uses policy-based VPN, then the other side decides based on policy (not the routing table) whether a packet should be sent into the tunnel.
Cisco calls those policies encryption domains. Palo calls the same thing a proxy ID.
You don't need to configure proxy IDs if the VPN is between 2 Palos, but you can still use them.
If you add multiple proxy IDs then every proxy ID means a separate VPN tunnel. One tunnel is processed by a single CPU, but if you spread traffic across multiple tunnels then they can be scheduled to different CPUs in the Palo and you can get better performance.
It has nothing to do with A/P and A/A high availability.
Don't change the HA setup without good planning.
If you have bad planning then A/A HA has lower performance than A/P.
05-03-2016 08:30 AM
Hi,
I just saw on the Cacti graphs that we are reaching an output of 80 Mbps with our cloud supplier.
Our line is 80 Mbps symmetric.
So I can't quite understand it, because it gives more performance even though it is limited to 50 Mbps.
The tunnel uses DES encryption.
Can you clarify this?
Thank you
05-03-2016 09:18 AM - edited 05-03-2016 09:19 AM
Palo Alto uses a small 64k packet size when they put together their datasheet (worst case scenario).
Many competitors use large packets (best case scenario) in their datasheets.
For that reason you often get better performance with Palo than advertised.
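As an added example (not part of this thread or of any vendor documentation), here is the per-packet ESP tunnel-mode overhead behind the two points made above: that IPsec never delivers the full link rate, and that small packets are the worst case. Field sizes are the standard ESP values (outer IPv4 header, SPI/sequence header, CBC IV, padding, trailer, ICV); link-layer framing is left out, and the cipher/ICV tables are an assumption limited to the suites listed.

```python
from math import ceil

# Cipher block sizes in bytes. ESP-CBC carries an IV of one block and pads the
# payload so that payload + pad + 2 trailer bytes is a multiple of the block.
CIPHER_BLOCK = {"des-cbc": 8, "3des-cbc": 8, "aes-cbc": 16}
# Integrity check value lengths in bytes for common ESP authenticators.
ICV_LEN = {"hmac-sha1-96": 12, "hmac-md5-96": 12, "hmac-sha256-128": 16}

OUTER_IPV4 = 20   # tunnel mode prepends a fresh outer IPv4 header
ESP_HDR = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)
NAT_T_UDP = 8     # extra UDP header when NAT traversal encapsulation is used


def esp_tunnel_size(inner_len, cipher="des-cbc", auth="hmac-sha1-96", nat_t=False):
    """On-the-wire IP length of an ESP tunnel-mode packet carrying an inner
    IP packet of `inner_len` bytes."""
    block = CIPHER_BLOCK[cipher]
    # Padding needed so (payload + pad + trailer) is a whole number of blocks.
    pad = (-(inner_len + ESP_TRAILER)) % block
    total = (OUTER_IPV4 + ESP_HDR + block + inner_len + pad
             + ESP_TRAILER + ICV_LEN[auth])
    return total + NAT_T_UDP if nat_t else total


def esp_goodput_mbps(link_mbps, inner_len, **kw):
    """Share of the link rate that arrives as inner (pre-encryption) packets."""
    return link_mbps * inner_len / esp_tunnel_size(inner_len, **kw)


def packets_per_second(link_mbps, inner_len, **kw):
    """Packet rate the firewall must encrypt to fill the link at this size;
    this per-packet cost is why small-packet datasheet numbers are pessimistic."""
    return int(link_mbps * 1_000_000 / 8 / esp_tunnel_size(inner_len, **kw))


def overhead_table(link_mbps=100, sizes=(64, 512, 1400), **kw):
    """Goodput in Mbps for each inner packet size on a link of `link_mbps`."""
    return {n: round(esp_goodput_mbps(link_mbps, n, **kw), 1) for n in sizes}


if __name__ == "__main__":
    # Constructed comparison: DES/HMAC-SHA1 tunnel on a 100 Mbps link.
    for size, goodput in overhead_table().items():
        print(f"{size:5d}-byte packets: {goodput:5.1f} Mbps goodput, "
              f"{packets_per_second(100, size):6d} pps")
```

With 64-byte packets only about half the link rate is useful payload and the device has to process roughly 100k packets per second, while 1400-byte packets keep over 95 % of the link rate at under 10k pps.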
05-03-2016 09:20 AM
By the way, DES is not secure to use nowadays.
05-05-2016 12:28 AM
Declared throughput is not a limit. It's guaranteed.