Re: [FW-1] Performance issues VPN-1 <> Netscreen
> When I try to copy a large file from a client behind the Checkpoint
> to a client behind the Netscreen I get at most 2Mbps. When I copy
> the same file in the other direction I get at most 4Mbps. Since the
> firewalls will be connected through a 100Mbps WAN connection this sounds
> like a very big waste.
>
> Unfortunately I couldn't figure out where the bottleneck is.
> The CPU load on the Sun firewall goes up to 40% (that's rather
> high but shouldn't be a problem). The Netscreen reports up to 15%
> CPU load (dedicated hardware has its advantages). The network segment
> in the middle is hardly loaded (tried different types of switches and
> hubs, doesn't make a difference). The clients are not loaded either
> (copying something over the local network goes a lot faster).

Nico,

the netscreen firewall uses ASIC based technology - the whole encryption is done in the ASIC ... it doesn't make sense to check the cpu of the netscreen while copying files via vpn link.

the latest build of netscreen os is 4.0.0r10 - i suggest to use this release because of a lot of addressed issues in 4.0.0r2.

btw

1) use iperf, ttcp or large ftp file to test performance
2) try increasing the window size on src or dst
3) try setting "set flow path-mtu" on ns or better "set flow tcp-mss 1300" to help eliminate occurrences of frag'ed IPSec packets
4) check netstat -s if there are any retransmits increasing (on dst and src)
5) nat-t will decrease your performance

bye
ad

> Any idea whether there is some setting on the Checkpoint or Netscreen
> that could limit the bandwidth a VPN can take?
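Added example, not part of the original message: the ESP tunnel-mode size arithmetic behind the tcp-mss tip, showing when a full-size TCP segment exceeds a 1500-byte link MTU after encryption and how much NAT-T adds per packet. The transforms (3DES or AES-CBC with a 96-bit HMAC), the 1500-byte MTU and option-free IPv4/TCP headers are assumptions; the thread does not state which settings the tunnel used.

```python
# Added illustration: ESP tunnel-mode size arithmetic behind the "tcp-mss" tip.
# The transforms below are assumptions; the thread does not say which were used.
IP_HDR = 20        # IPv4 header without options (inner and outer)
TCP_HDR = 20       # TCP header without options
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad-length + next-header bytes
NAT_T_UDP = 8      # UDP header added by NAT traversal encapsulation

# name: (cipher block size, IV length, truncated ICV length), all in bytes
TRANSFORMS = {
    "3des-sha1": (8, 8, 12),
    "aes-cbc-sha1": (16, 16, 12),
}

def esp_packet_size(mss, transform, nat_t=False):
    """Size of the outer IPv4 packet carrying one full-MSS TCP segment."""
    block, iv, icv = TRANSFORMS[transform]
    inner = IP_HDR + TCP_HDR + mss
    # Payload plus trailer is padded up to a whole number of cipher blocks.
    padded = -(-(inner + ESP_TRAILER) // block) * block
    return IP_HDR + (NAT_T_UDP if nat_t else 0) + ESP_HDR + iv + padded + icv

def max_mss(link_mtu, transform, nat_t=False):
    """Largest MSS whose encrypted packet still fits in link_mtu unfragmented."""
    for mss in range(link_mtu - IP_HDR - TCP_HDR, 0, -1):
        if esp_packet_size(mss, transform, nat_t) <= link_mtu:
            return mss
    raise ValueError("link MTU too small for this transform")

def report(link_mtu=1500):
    """One row per transform and NAT-T setting, for the assumed link MTU."""
    rows = []
    for name in TRANSFORMS:
        for nat_t in (False, True):
            rows.append((name, nat_t,
                         esp_packet_size(1460, name, nat_t),  # default Ethernet MSS
                         esp_packet_size(1300, name, nat_t),  # value from the message
                         max_mss(link_mtu, name, nat_t)))
    return rows

if __name__ == "__main__":
    for name, nat_t, full, clamped, best in report():
        print(f"{name:13} nat-t={nat_t!s:5} mss1460->{full}B "
              f"mss1300->{clamped}B max_mss={best}")
```

Under these assumptions an unclamped 1460-byte segment always produces an outer packet larger than 1500 bytes, while an MSS of 1300 leaves room even with NAT-T enabled.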