[c-nsp] Pix to Pix tunnel performance w/Windows File Sharing

Cameron.Dry at didata.com.au Cameron.Dry at didata.com.au
Thu Feb 17 20:12:21 EST 2005


To rule out an mtu issue, just set the mtu to
1300 bytes on your test PC and see if that
improves the throughput.

Regs

Cameron

 


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Church, Chuck
Sent: Thursday, 17 February 2005 11:09 PM
To: Tony Mucker; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] Pix to Pix tunnel performance w/Windows File
Sharing


Sounds like an MTU issue (keep in mind the IPSec overhead).  VNC I
assume uses UDP.  File transfers in Windows would be TCP.  Try putting a
TFTP server on one machine, and pulling a file across.  (A tftp client
comes with W2K and above).  If UDP flies and TCP doesn't, it sounds like
a windowing problem caused by the MTU.  Netstat -s will show you
re-transmits on the windows devices.  Might want to watch them during
transfers.


Chuck Church
Lead Design Engineer
CCIE #8776, MCNE, MCSE
Netco Government Services - Design & Implementation
1210 N. Parker Rd.
Greenville, SC 29609
Home office: 864-335-9473
Cell: 703-819-3495
cchurch at netcogov.com
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D


-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tony Mucker
Sent: Thursday, February 17, 2005 9:52 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Pix to Pix tunnel performance w/Windows File
Sharing

CPU usage is very low.  When I tried another transfer, the 520 was at 2%

for the 5 sec average, and the 515 was at 4% for the same average.

The 520 currently runs another IPSEC tunnel in addition to this new 
tunnel, and we have an average of 20 VPN Client users during the day.  
That being said, MRTG has shown that the CPU usage never rises into 
double digits.

Jim McBurnett wrote:

>Tony,
>I have seen poor performance with PIXs that do not have the VPN accel 
>card... What does the show cpu usage show on both?
>
>Just a thought..
>
>-----Original Message-----
>From: Tony Mucker [mailto:Tony at tonymucker.com]
>Sent: Wednesday, February 16, 2005 4:57 PM
>To: cisco-nsp at puck.nether.net
>Subject: [c-nsp] Pix to Pix tunnel performance w/Windows File Sharing
>
>I've just finished setting up an IPSEC tunnel (using DES encryption) 
>between a PIX 520 on PIX OS 6.3(3) and a PIX 515-E on PIX OS 6.3(4).
>
>I haven't been able to do a thorough test yet, but Windows File sharing

>is fairly abyssmal.  The PIX 520 sits behind 4 T1s of available 
>bandwidth (768KB/sec) and the 515 is has 2 T1s (384KB/sec), but on my 
>quick test of trying to pull a file my gkrellm monitor was reporting 
>about 30KB/sec.  Contrast that to when I fired up the wrong version of 
>VNCViewer (I normally use TightVNC)  and started loading my desktop, 
>gkrellm reported about 360KB/sec sustained flowing through my laptop's 
>interface.
>
>MTU for both PIXes is set at the default for ethernet, 1500.  I haven't

>checked the Windows file server I was pulling from, but it too should
be
>set somewhere aroud 1500.  My next step when I get some time will be to

>get some packet dumps using ethereal to see if there's anything funny 
>going on.
>
>In the meantime, has anyone else run into similiar problems?  Or
perhaps
>problems with Windows file sharing throughput with remote users 
>connected via Cisco's VPN Client?
>
>Thanks
>Tony
>
>_______________________________________________
>cisco-nsp mailing list  cisco-nsp at puck.nether.net 
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
>_______________________________________________
>cisco-nsp mailing list  cisco-nsp at puck.nether.net 
>https://puck.nether.net/mailman/listinfo/cisco-nsp
>archive at http://puck.nether.net/pipermail/cisco-nsp/
>  
>


_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/


******************************************************************************
 - NOTICE FROM DIMENSION DATA AUSTRALIA
This message is confidential, and may contain proprietary or legally privileged information.  If you have received this email in error, please notify the sender and delete it immediately.

Internet communications are not secure. You should scan this message and any attachments for viruses.  Under no circumstances do we accept liability for any loss or damage which may result from your receipt of this message or any attachments.
******************************************************************************



More information about the cisco-nsp mailing list