Re: Choosing a Firewall

 
 
Walter Roberson
08-10-2005
[Note: original discussion in comp.security.firewalls, but I am
shunting it over to comp.dcom.sys.cisco as it is getting PIX specific.]


In article <42fa0127$(E-Mail Removed)>,
Mike Bailey <(E-Mail Removed)> wrote:
:Mike Bailey wrote:
:> We currently have a PIX 506e and seem to be running into some
:> hardware limitations when using VPN according to Cisco. They are
:> recommending upgrading to the 515.

:We have a high speed DSL coming in.

:Originally our goal was
:to be able to run our accounting package through a vpn. At the time we
:had an eSoft Instagate (instaHate as I call it) which had built in vpn,
:but was s-l-o-w when we tried using it. We were told by our isp that we
:could change the MTU, but found you can't do that with the
:Firewall-For-Dummies, so we purchased the PIX506e. Went through a month
:of tech support with Cisco and was never able to get it working "right".
: I finally gave up on the idea of running the accounting application
:and was going to just settle on being able to map to our user folders
:for file access. But, ran into speed problems there also.

Mike, unless you happened to omit mention of a need for a DMZ or
for being able to relay traffic between two remote locations, or
needing really huge numbers of simultaneous connections, then the
515/515E would not have any noticeable advantage over the 506E in
the circumstances you describe.

If your high speed DSL is 8/8 ADSL (8 megabits/s in each
direction) and you were running it flat out, then the PIX 506E
could be running low on oomph if you were using 3DES, but that
would be easily remedied by switching to AES-128.


The first thing I would check for in your situation is duplex
problems.

The second thing I would check is the MTU and
the sysopt connection tcpmss size; and right after that I
would look at the flows you are permitting to be sure that
everything is in place for Path MTU Discovery, after which it
would be time for a quick check of the endpoints to see whether
they have Path MTU Discovery turned on.

Likely the third thing I would check would be the log messages
to see if there was anything interesting.

After that, I would do some ping and ttcp tests, to try to isolate
whether the VPN itself is slow or whether the problems are
end-to-end.


I suggest that this matter be followed up in comp.dcom.sys.cisco
(newsgroups follow-ups already set.)
--
'The short version of what Walter said is "You have asked a question
which has no useful answer, please reconsider the nature of the
problem you wish to solve".' -- Tony Mantler
 
Mike Bailey
08-10-2005
Walter Roberson wrote:
> [Note: original discussion in comp.security.firewalls, but I am
> shunting it over to comp.dcom.sys.cisco as it is getting PIX specific.]
>
>
> In article <42fa0127$(E-Mail Removed)>,
> Mike Bailey <(E-Mail Removed)> wrote:
> :Mike Bailey wrote:
> :> We currently have a PIX 506e and seem to be running into some
> :> hardware limitations when using VPN according to Cisco. They are
> :> recommending upgrading to the 515.
>
> :We have a high speed DSL coming in.
>
> :Originally our goal was
> :to be able to run our accounting package through a vpn. At the time we
> :had an eSoft Instagate (instaHate as I call it) which had built in vpn,
> :but was s-l-o-w when we tried using it. We were told by our isp that we
> :could change the MTU, but found you can't do that with the
> :Firewall-For-Dummies, so we purchased the PIX506e. Went through a month
> :of tech support with Cisco and was never able to get it working "right".
> : I finally gave up on the idea of running the accounting application
> :and was going to just settle on being able to map to our user folders
> :for file access. But, ran into speed problems there also.
>
> Mike, unless you happened to omit mention of a need for a DMZ or
> for being able to relay traffic between two remote locations, or
> needing really huge numbers of simultaneous connections, then the
> 515/515E would not have any noticeable advantage over the 506E in
> the circumstances you describe.
>
> If your high speed DSL is 8/8 ADSL (8 megabits/s in each
> direction) and you were running it flat out, then the PIX 506E
> could be running low on oomph if you were using 3DES, but that
> would be easily remedied by switching to AES-128.
>
>
> The first thing I would check for in your situation is duplex
> problems.
>
> The second thing I would check is the MTU and
> the sysopt connection tcpmss size; and right after that I
> would look at the flows you are permitting to be sure that
> everything is in place for Path MTU Discovery, after which it
> would be time for a quick check of the endpoints to see whether
> they have Path MTU Discovery turned on.
>
> Likely the third thing I would check would be the log messages
> to see if there was anything interesting.
>
> After that, I would do some ping and ttcp tests, to try to isolate
> whether the VPN itself is slow or whether the problems are
> end-to-end.
>
>
> I suggest that this matter be followed up in comp.dcom.sys.cisco
> (newsgroups follow-ups already set.)


When you say that the 506e could be running low on "oomph" - what does
that mean? Cisco has been working on this problem for over a month and
was even escalated to the "senior techs". I would assume that they
would have checked/tried these things. I do know that they tried
adjusting the MTU for the VPN connection, and at one time had me change
the setting on my home PC's Cisco VPN Client. At any rate, I'm going to
copy the things you suggested and email them to the Cisco tech and ask if
they were checked/tried.

Mike
 
Walter Roberson
08-10-2005
In article <42fa28fd$(E-Mail Removed)>,
Mike Bailey <(E-Mail Removed)> wrote:
:Walter Roberson wrote:

:> If your high speed DSL is 8/8 ADSL (8 megabits/s in each
:> direction) and you were running it flat out, then the PIX 506E
:> could be running low on oomph if you were using 3DES, but that
:> would be easily remedied by switching to AES-128.

:When you say that the 506e could be running low on "oomph" - what does
:that mean?


The -rating- for the 506E is 17 megabits per second 3DES. If you
are using symmetric DSL with 8 megabits in each direction and
doing heavy data transfers, then the 16 megabits resultant might
be close to the -practical- limit of the 506E. But if you are using
ADSL (asymmetric) then you probably don't have more than 8/5 or 8/2
which would be within the practical limits of the 506E. And the AES-128
rating on the 506E is 30 megabits per second, so even if your line
is symmetric 8/8 then using AES instead of 3DES would leave you plenty
of margin.

The quick way to find out if you are running into this kind of problem
would be to show cpu usage

You might also want to show memory to see if you are running low on
memory. Is your configuration fairly big? That's one of the differences
between the models, the amount of memory.


:Cisco has been working on this problem for over a month and
:was even escalated to the "senior techs". I would assume that they
:would have checked/tried these things.

Ah... Cisco is a bit "hit and miss": sometimes you get -very-
good people, and sometimes you get people that you have to educate
before they even understand what the problem is. The senior techs
are usually not too bad, but from time to time your problem lands in
the hands of the wrong specialization at Cisco and the senior tech
might try to solve the problem from the wrong viewpoint. You know the
cliche, "If all you have is a hammer, then everything looks like a nail."


I'm curious as to what Cisco thinks the 515E would do for you that the
506E would not. If you happen to have that part of the discussion
as email, I'd be interested in reading it, if you send it to my email.



[Interesting, we have some of your company's products at home.]
--
This signature intentionally left... Oh, darn!
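The two sizing points Walter raises, the MTU and "sysopt connection tcpmss" check in his first reply and the 3DES-versus-AES-128 rating arithmetic in this one, worked through as an added Python example. This is not code from the thread, from Cisco, or from either poster. The PIX 506E ratings (17 Mbit/s 3DES, 30 Mbit/s AES-128) and the 8/8 line are the figures quoted in the thread; the ESP framing constants are the standard tunnel-mode values for CBC ciphers, the 96-bit HMAC is an assumption, and the PPPoE 1492-byte link MTU is a constructed input.

```python
"""Sizing checks for an IPsec tunnel through a small firewall.

Added example: not code from the thread or from Cisco. The PIX 506E ratings
and the 8/8 DSL line are the figures quoted in the thread; the ESP framing
constants are the standard tunnel-mode values (RFC 2406, CBC cipher, 96-bit
HMAC), and the HMAC choice is an assumption.
"""
import math

# Per-cipher CBC block size and IV length, in bytes.
CIPHERS = {
    "3des": {"block": 8, "iv": 8},
    "aes128": {"block": 16, "iv": 16},
}
ICV_LEN = 12        # HMAC-SHA1-96 / HMAC-MD5-96 truncated authenticator (assumed)
OUTER_IP = 20       # outer IPv4 header added by tunnel mode
ESP_HDR = 8         # SPI (4) + sequence number (4)
NAT_T_UDP = 8       # extra UDP header when NAT traversal encapsulation is active
INNER_HDRS = 40     # inner IPv4 (20) + TCP (20), no options
PIX_506E_RATING_MBPS = {"3des": 17, "aes128": 30}   # as quoted in the thread


def esp_tunnel_size(inner_len, cipher, nat_t=False):
    """Bytes on the wire for an inner IPv4 packet of inner_len bytes after ESP tunnel mode."""
    c = CIPHERS[cipher]
    # Encrypted region = inner packet + padding + pad-length byte + next-header byte,
    # rounded up to a whole number of cipher blocks.
    enc = math.ceil((inner_len + 2) / c["block"]) * c["block"]
    total = OUTER_IP + ESP_HDR + c["iv"] + enc + ICV_LEN
    return total + NAT_T_UDP if nat_t else total


def max_tcp_mss(link_mtu, cipher, nat_t=False):
    """Largest TCP MSS whose full segment still fits link_mtu once encapsulated.

    This is the value to clamp to (the PIX 'sysopt connection tcpmss' setting)
    when the outer link cannot carry a full-size inner packet unfragmented.
    """
    for mss in range(1460, 0, -1):
        if esp_tunnel_size(INNER_HDRS + mss, cipher, nat_t) <= link_mtu:
            return mss
    raise ValueError("link MTU too small for any TCP segment")


def crypto_headroom(up_mbps, down_mbps, rating_mbps):
    """Fraction of the crypto rating left when the line runs flat out both ways.

    Throughput ratings are aggregate, so upstream and downstream add up: 8/8
    against a 17 Mbit/s 3DES rating leaves almost nothing, as the thread says.
    """
    return 1.0 - (up_mbps + down_mbps) / rating_mbps


def sizing_report(link_mtu, up_mbps, down_mbps, cipher, nat_t=False, min_headroom=0.2):
    """Summarise both checks for one tunnel configuration."""
    headroom = crypto_headroom(up_mbps, down_mbps, PIX_506E_RATING_MBPS[cipher])
    return {
        "cipher": cipher,
        "max_mss": max_tcp_mss(link_mtu, cipher, nat_t),
        "headroom": round(headroom, 3),
        "crypto_bound": headroom < min_headroom,
    }


if __name__ == "__main__":
    # Constructed inputs: symmetric 8/8 DSL over PPPoE (1492-byte link MTU).
    for cipher in ("3des", "aes128"):
        print(sizing_report(1492, 8, 8, cipher))
```

On the constructed PPPoE link the AES-128 tunnel tops out at an MSS of 1382, which is why the PIX default clamp of 1380 usually works without tuning; where a smaller clamp is needed, this is the number to feed into sysopt connection tcpmss. Clamping only helps TCP, so the Path MTU Discovery check Walter lists still matters: the firewall must let ICMP "fragmentation needed" (type 3, code 4) reach the endpoints, or large UDP and DF-marked packets are silently dropped instead of being resized.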
 
Mike Bailey
08-16-2005
Walter Roberson wrote:
> In article <42fa28fd$(E-Mail Removed)>,
> Mike Bailey <(E-Mail Removed)> wrote:
> :Walter Roberson wrote:
>
> :> If your high speed DSL is 8/8 ADSL (8 megabits/s in each
> :> direction) and you were running it flat out, then the PIX 506E
> :> could be running low on oomph if you were using 3DES, but that
> :> would be easily remedied by switching to AES-128.
>
> :When you say that the 506e could be running low on "oomph" - what does
> :that mean?
>
>
> The -rating- for the 506E is 17 megabits per second 3DES. If you
> are using symmetric DSL with 8 megabits in each direction and
> doing heavy data transfers, then the 16 megabits resultant might
> be close to the -practical- limit of the 506E. But if you are using
> ADSL (asymmetric) then you probably don't have more than 8/5 or 8/2
> which would be within the practical limits of the 506E. And the AES-128
> rating on the 506E is 30 megabits per second, so even if your line
> is symmetric 8/8 then using AES instead of 3DES would leave you plenty
> of margin.
>
> The quick way to find out if you are running into this kind of problem
> would be to show cpu usage
>
> You might also want to show memory to see if you are running low on
> memory. Is your configuration fairly big? That's one of the differences
> between the models, the amount of memory.
>
>
> :Cisco has been working on this problem for over a month and
> :was even escalated to the "senior techs". I would assume that they
> :would have checked/tried these things.
>
> Ah... Cisco is a bit "hit and miss": sometimes you get -very-
> good people, and sometimes you get people that you have to educate
> before they even understand what the problem is. The senior techs
> are usually not too bad, but from time to time your problem lands in
> the hands of the wrong specialization at Cisco and the senior tech
> might try to solve the problem from the wrong viewpoint. You know the
> cliche, "If all you have is a hammer, then everything looks like a nail."
>
>
> I'm curious as to what Cisco thinks the 515E would do for you that the
> 506E would not. If you happen to have that part of the discussion
> as email, I'd be interested in reading it, if you send it to my email.
>
>
>
> [Interesting, we have some of your company's products at home.]


Sorry for the delay in responding. Turns out that the tech I was
working with didn't have too much of a clue as to what was going on or
especially what had been done and tested prior to him resulting in the
case being escalated to him. I complained - strongly, and then my case
was sent to another who was "the best". I've had one conversation with
him where he wanted me to download a sniffer and run it on each end of
the vpn and capture the results. Even though I asked for explicit
instructions as to what they wanted me to do - I received none except to
also download the documentation. He could understand that I was asking
"what do you want me to do once it is installed." He also requested
that I run it at the same time at both ends - kinda hard to do when I
can only be in one place (home or work) at a time. LOL.

Anyway, Cisco never said what exactly they thought the 515e would do for
me, only that my latency was a "hardware limitation" and that I should
upgrade to the 515e.

I did ask about configuring the vpn to use the AES instead of the 3DES
as you had suggested, but they didn't seem too excited about that and
didn't want to try - not yet anyway.

I'm a little ticked right now that I haven't heard a word from them as
of yet. I stressed that I was under a time limit here that if I do need
to return the 506e, I have to act quickly. They obviously don't care
nor understand the urgency...

One thing that did occur to me was that I was comparing the speed of
browsing a directory through remote desktop with doing the same through
VPN. Remote desktop displayed all folder contents in one second, vpn
took 15. But, I'm thinking now that this is not a fair comparison as
when using RD, I'm only transferring the screen "image" to my remote pc
and all the "work" is being done on the remote server, whereas with the
VPN I'm actually transferring data.

Mike
 