3DES fault on VPN PIX 515E 7.0(2) ?

Discussion in 'Cisco' started by I Clark, Apr 9, 2006.

  1. I Clark

    I Clark Guest

    Hi,

    I've just found a strange error with a PIX 515E we just commissioned.
    The pix is used for VPN and firewall in a sub branch of our company.
    We implemented our tried and trusted 3DES-SHA IKE/IPSEC policies, but
    this PIX experienced very poor performance from the get-go: amazing
    packet loss on ICMP packets and pitiful performance over anything
    encrypted, performance over clear circuits was perfect. I'd run full
    checks on the configs, and fully debugged all tunnel negotiations,
    everything was correct and low volume traffic was flowing.

    Initially I suspected it might be a line fault, faulty cabling or an
    MTU issue between the peers causing problems, in the end I tracked it
    down to the use of 3DES in the IPSEC policy, changing the tunnel policy
    to use the AES-256 transform set fixed the problems completely, the
    packet loss went away and performance was exactly as it should be.

    Has anyone else seen this before? I'm considering RMA'ing the box but
    surely the AES cipher is accelerated by the same logic?

    Any ideas greatly appreciated.
    I Clark, Apr 9, 2006
    #1

  2. I Clark

    Merv Guest

    There are a number of performance bugs which are resolved in 7.1.

    If this is a new unit or is under support, you might want to open a
    case with the Cisco TAC.
    Merv, Apr 9, 2006
    #2

  3. I Clark

    I Clark Guest

    Agreed.. that's the next step.

    The funny thing is I have a similar box although at revision 7.0(1)
    which doesn't have the problem, this one has got me very confused.
    I Clark, Apr 9, 2006
    #3
  4. I Clark

    Merv Guest

    Which may mean that a bug has been introduced in 7.0(2) ...
    Merv, Apr 9, 2006
    #4