Cisco IPSEC VPN Slow Speeds

Tags: cisco, ipsec, mtu, slow-connection, vpn

We have a site-to-site IPSEC VPN; both endpoints are Cisco PIX 515Es. The links at both ends are 100Mb, however speeds over the VPN (logged using jperf) are at most 4Mb. Obviously this represents a HUGE gulf in the speeds we feel we should be getting. I appreciate there will be overheads for the VPN, but surely not that much. Looking into it, all interfaces on both PIXs have their MTU set to 1500. Running some tests to check the path MTU shows as follows:

Over VPN Tunnel

SITEA -> SITEB = Path MTU 1300

SITEB -> SITEA = Path MTU 1434

Not using VPN Tunnel

SITEA -> SITEB = Path MTU 1500

SITEB -> SITEA = Path MTU 1500

So, prior to the tunnel being created, the path MTU suggests an interface MTU of 1500 would be OK. However, running the same tests over the VPN returns lower suggested MTUs, and different ones at that.

Should we drop the MTUs on our PIXs to either one of the 1300/1434 values suggested, or is that a red herring? And, if we do drop the MTUs to these values, will we also need to change the MSS accordingly (currently default on both devices)?

Any guidance would be appreciated as this isn't a link we can try 101 things on without good cause, due to the nature of the business and the link.

Many thanks in advance.

Best Answer

Although Cisco quotes some quite high "up to" figures for the 515E VPN throughput, these are, like most such figures, doubtful at best. The study below has some comparisons based on various throughput scenarios and includes the 515E.

http://www.tolly.com/TS/2002/WatchGuard/Firebox%20V60/Test%20Summary/TollyTS202164WatchGuardFireboxJan03-print.pdf

Realistically I think for a 515E doing other work as well you are most likely getting the best you can expect.

With regard to your specific question, I wouldn't recommend reducing the MTU manually, as this increases the overhead in terms of more packets being sent and has a negative impact on VPN performance (as seen in the linked study again). The MTU reduces itself over the VPN because, once the original packet is encrypted, headers must then be added to direct the encrypted packet to the other VPN endpoint.

I am afraid you will most likely need to purchase the VPN accelerator module, or use an older, less secure but more performance-friendly encryption algorithm.

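To put numbers on the "headers must then be added" point above, and on the MSS half of the question, here is an added example (not code from the original post or from Cisco) that works out how much an IPsec ESP tunnel-mode wrapper adds to an inner packet, the largest inner packet that still fits a 1500-byte outer MTU, and the TCP MSS that corresponds to it. It assumes ESP in tunnel mode over IPv4 with no IP options and no NAT-T UDP encapsulation, and uses the standard header sizes from RFC 4303 (ESP) and the transform sets common on the PIX (DES/3DES/AES-CBC with HMAC-MD5-96 or HMAC-SHA1-96). The transform names and the function names are this example's own, not PIX configuration keywords.

```python
"""IPsec ESP tunnel-mode overhead and TCP MSS calculator (added example)."""

# Fixed sizes in bytes (RFC 791 IPv4, RFC 793 TCP, RFC 4303 ESP).
OUTER_IP = 20      # new IPv4 header added by tunnel mode
ESP_HEADER = 8     # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1); padding is extra
TCP_IP_HEADERS = 40  # inner IPv4 (20) + TCP (20) without options

# Transform names are this example's own labels, not Cisco keywords.
# cipher -> (block size used for padding, IV length)
CIPHERS = {
    "des-cbc": (8, 8),
    "3des-cbc": (8, 8),
    "aes-cbc": (16, 16),
}
# integrity algorithm -> ICV length (the "-96" truncation = 12 bytes)
INTEGRITY = {
    "hmac-md5-96": 12,
    "hmac-sha1-96": 12,
}


def esp_packet_size(inner_len, cipher="3des-cbc", integ="hmac-sha1-96"):
    """On-the-wire size of an ESP tunnel-mode packet carrying an inner
    IP packet of inner_len bytes.

    The inner packet plus the 2-byte ESP trailer is padded up to a
    multiple of the cipher block size before encryption; IV and ICV are
    not encrypted and are added on top.
    """
    block, iv_len = CIPHERS[cipher]
    icv_len = INTEGRITY[integ]
    padded = -(-(inner_len + ESP_TRAILER) // block) * block  # ceil to block
    return OUTER_IP + ESP_HEADER + iv_len + padded + icv_len


def max_inner_packet(path_mtu=1500, cipher="3des-cbc", integ="hmac-sha1-96"):
    """Largest inner IP packet that still fits in path_mtu after ESP
    encapsulation, i.e. the effective MTU seen through the tunnel.
    esp_packet_size is non-decreasing in inner_len, so walk down."""
    size = path_mtu
    while esp_packet_size(size, cipher, integ) > path_mtu:
        size -= 1
    return size


def esp_overhead(path_mtu=1500, cipher="3des-cbc", integ="hmac-sha1-96"):
    """Bytes of the outer MTU consumed by ESP for a maximum-size packet."""
    return path_mtu - max_inner_packet(path_mtu, cipher, integ)


def tcp_mss_for(inner_mtu):
    """TCP MSS that fills an inner MTU exactly: MTU minus IP+TCP headers."""
    return inner_mtu - TCP_IP_HEADERS


def unexplained_reduction(observed_pmtu, path_mtu=1500,
                          cipher="3des-cbc", integ="hmac-sha1-96"):
    """How much of an observed path-MTU drop is NOT accounted for by the
    ESP wrapper alone. A positive value means something else on the path
    (a smaller-MTU hop, extra encapsulation) is shrinking the packets."""
    return max_inner_packet(path_mtu, cipher, integ) - observed_pmtu


if __name__ == "__main__":
    for cipher in CIPHERS:
        for integ in INTEGRITY:
            inner = max_inner_packet(1500, cipher, integ)
            print(f"{cipher:>9}/{integ:<12} inner MTU {inner}  "
                  f"overhead {esp_overhead(1500, cipher, integ):>3}  "
                  f"MSS {tcp_mss_for(inner)}")
    # The two path-MTU values measured in the question (constructed input
    # taken from the post: 1300 and 1434), compared against 3DES/SHA1.
    for observed in (1300, 1434):
        print(f"observed PMTU {observed}: MSS clamp {tcp_mss_for(observed)}, "
              f"{unexplained_reduction(observed)} bytes beyond ESP overhead")
```

The output shows that ESP with 3DES/HMAC-SHA1 costs 54 bytes of a 1500-byte outer MTU (inner MTU 1446, MSS 1406) and AES-CBC costs 62 (inner MTU 1438, MSS 1398). Whichever value you choose to honour, the MSS clamp follows directly from it as inner MTU minus 40; on the PIX that clamp is set with `sysopt connection tcpmss`. The last lines are the check a practitioner would want before touching anything: an observed 1434 is close to what ESP alone predicts, whereas 1300 leaves well over 100 bytes that ESP does not explain, which points at the path rather than the tunnel encapsulation.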