
Re: [FW-1] Performance issues VPN-1 <> Netscreen



> When I try to copy a large file from a client behind the Checkpoint
> to a client behind the Netscreen I get at most 2Mbps. When I copy
> the same file in the other direction I get at most 4Mbps. Since the
> firewalls will be connected through a 100Mbps WAN connection this sounds
> like a very big waste.
>
> Unfortunately I couldn't figure out where the bottleneck is.
> The CPU load on the Sun firewall goes up to 40% (that's rather
> high but shouldn't be a problem). The Netscreen reports up to 15%
> CPU load (dedicated hardware has its advantages).  The network segment
> in the middle is hardly loaded (tried different types of switches and
> hubs, doesn't make a difference).  The clients are not loaded either
> (copying something over the local network goes a lot faster).

Nico,
the netscreen firewall used ASIC based technology - the whole encryption is done
in the ASIC ... it doesn't make sense to check the cpu of the netscreen while
copying files via vpn link.

the latest build of netscreen os is 4.0.0r10 - i suggest to use this release
because of a lot of addressed issues in 4.0.0r2.

btw

1) use iperf, ttcp or large ftp file to test performance
2) try increasing the window size on src or dst
3) try setting "set flow path-mtu" on ns or better set flow
tcp-mss 1300 to help eliminate occurrences of frag'ed IPSec packets
4) check netstat -s if there are any retransmits increasing (on dst and src)
5) nat-t will decrease your performance

bye
ad




> Any idea whether there is some setting on the Checkpoint or Netscreen
> that could limit the bandwidth a VPN can take?
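
The arithmetic behind tips 3 and 5 above (clamping tcp-mss to 1300 and the cost of nat-t), as an added example that is not part of the original message. It assumes IPv4 ESP tunnel mode, a 1500-byte link MTU, HMAC-SHA1-96 authentication and no TCP options; the transform names are labels chosen for this sketch, not Netscreen or Check Point settings.

```python
# Added illustration: size of an ESP tunnel-mode packet for a given TCP MSS.
# All header sizes are for IPv4 and the RFC 4303 ESP layout (assumed setup).
OUTER_IP = 20      # outer IPv4 header, no options
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad-length + next-header bytes
NATT_UDP = 8       # UDP header added by NAT-T encapsulation
INNER_HDRS = 40    # inner IPv4 (20) + TCP (20), no options

# Assumed transforms: (cipher block size, IV size, ICV size) in bytes
TRANSFORMS = {
    "3des-sha1": (8, 8, 12),
    "aes-cbc-sha1": (16, 16, 12),
}

def esp_size(inner_len, transform, nat_t=False):
    """Bytes on the wire after ESP tunnel encapsulation of an inner IP packet."""
    block, iv, icv = TRANSFORMS[transform]
    # Payload plus trailer is padded up to a multiple of the cipher block size.
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    return OUTER_IP + (NATT_UDP if nat_t else 0) + ESP_HDR + iv + padded + icv

def fragments(mss, transform, nat_t=False, link_mtu=1500):
    """True if a full-sized TCP segment no longer fits in one outer packet."""
    return esp_size(mss + INNER_HDRS, transform, nat_t) > link_mtu

def max_mss(transform, nat_t=False, link_mtu=1500):
    """Largest MSS whose encapsulated packet still fits in link_mtu."""
    block, iv, icv = TRANSFORMS[transform]
    fixed = OUTER_IP + (NATT_UDP if nat_t else 0) + ESP_HDR + iv + icv
    room = (link_mtu - fixed) // block * block   # space for padded payload
    return room - ESP_TRAILER - INNER_HDRS

if __name__ == "__main__":
    for name in TRANSFORMS:
        for nat_t in (False, True):
            print(f"{name:13} nat-t={nat_t!s:5} max MSS={max_mss(name, nat_t)} "
                  f"1460 fragments={fragments(1460, name, nat_t)} "
                  f"1300 fragments={fragments(1300, name, nat_t)}")
```

Under these assumptions a default 1460-byte MSS always produces fragmented IPSec packets, while 1300 leaves headroom in every combination, NAT-T included.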




 
   All contents © 2004 Network Presence, LLC. All rights reserved.