Limitation IPsec VPN performance

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Limitation IPsec VPN performance

L3 Networker

Hello

 

I have 2 PA-500 in active-passive mode (Pan-os 6.1.0)

In the model specification PA-500 shows that "IPsec VPN performance" is 50 Mbps.

I want to make an IPSec VPN tunnel with a cloud provider. The speed that gives me supplier for the tunnel is 100 Mpbs guaranteed.

Does this mean that my connection with cloud provider may not exceed 50 Mbps?

Can you clarify a little more what it means "IPsec VPN performance"?

 

Thank you

2 ACCEPTED SOLUTIONS

Accepted Solutions

L7 Applicator

Basically yes if spec sheet tells you that device max IPSec performance is 50Mbit then you can get 50Mbit connection.

What you can try is to configure multiple proxy id's.

Every proxy id mapping will mean seperate tunnel between endpoints and as seperate tunnels can be load balanced to different cpu's in Palo then it might give slightly better performance.

 

Enterprise Architect, Security @ Cloud Carib Ltd
ACE, PCNSE, PCNSI

View solution in original post

PA devices usualy perform really well regarding troughput. Have you tested if you can maybe get more than 50 Mbps in current setp?  Will you really generate that much traffic constantly?

Another thing to consider is that IPSEC traffic has some overhead as well, so on 100 Mbps link you will never get 100 Mbps IPSEC throughput. 

A/A should theoretically give you more throughput. But PA doesn't recommend using A/A to increase thrroughput. 

View solution in original post

8 REPLIES 8

L7 Applicator

Basically yes if spec sheet tells you that device max IPSec performance is 50Mbit then you can get 50Mbit connection.

What you can try is to configure multiple proxy id's.

Every proxy id mapping will mean seperate tunnel between endpoints and as seperate tunnels can be load balanced to different cpu's in Palo then it might give slightly better performance.

 

Enterprise Architect, Security @ Cloud Carib Ltd
ACE, PCNSE, PCNSI

Thanks for your reply.

 

 

If we change Pa-500 from active-pasive to active-active ,, it could balance the tunnel and therefore could gain a better Ipsec performance ?balance the tunnel and therefore gains Ipsec performance ?

 

Thank you

Palo Alto has route based vpn.

It means it decides based on routing table if packet should be sent into tunnel.

 

If you have vpn to device that uses policy based vpn then other side decides based on policy (not routing table) if packet should be sent into tunnel.

Cisco call those policies encryption domains. Palo calls same thing Proxy id.

 

You don't need to configure Proxy id if vpn is between 2 Palos but you can still use them.

If you add multiple proxy id's then every proxy id means seperate vpn tunnel. One tunnel is processed by single cpu but if you spread traffic to multiple tunnels then they can be scheduled to diferent cpu's in Palo and you can get better performance.

 

It has nothing to do with A/P and A/A high availability.

Don't change HA setup without good planning.

If you have bad planning then A/A HA has lower performance than A/P.

Enterprise Architect, Security @ Cloud Carib Ltd
ACE, PCNSE, PCNSI

PA devices usualy perform really well regarding troughput. Have you tested if you can maybe get more than 50 Mbps in current setp?  Will you really generate that much traffic constantly?

Another thing to consider is that IPSEC traffic has some overhead as well, so on 100 Mbps link you will never get 100 Mbps IPSEC throughput. 

A/A should theoretically give you more throughput. But PA doesn't recommend using A/A to increase thrroughput. 

Hi,

 

I just saw on Cacti graphs that we are reaching with our supplier cloud an output of 80 mbps.

 

Our line is 80 mbps simétric.


So I can not finish to understand because it brings more performance if it is limited to 50Mbps.

 

The tunnel is DES encryption.

Can you clarify this?

Thank you

Palo Alto uses small 64k packet size when they put together their datasheet (worst case cenario).

Many competitors use large packets (best case cenario) in their datasheets.

For that reason you often get better performance with Palo than advertised.

Enterprise Architect, Security @ Cloud Carib Ltd
ACE, PCNSE, PCNSI

By the way DES is not secure to use nowadays.

Enterprise Architect, Security @ Cloud Carib Ltd
ACE, PCNSE, PCNSI

Declared throughput is not limit. It's guaranteed.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!