Re: Choosing a Firewall

Discussion in 'Cisco' started by Walter Roberson, Aug 10, 2005.

  1. [Note: original discussion in comp.security.firewalls, but I am
    shunting it over to comp.dcom.sys.cisco as it is getting PIX specific.]


    In article <42fa0127$>,
    Mike Bailey <> wrote:
    :Mike Bailey wrote:
    :> We currently have a PIX 506e and seem to be running into some
    :> hardware limitations when using VPN according to Cisco. They are
    :> recommending upgrading to the 515.

    :We have a high speed DSL coming in.

    :Originally our goal was
    :to be able to run our accounting package through a vpn. At the time we
    :had an eSoft Instagate (instaHate as I call it) which had built in vpn,
    :but was s-l-o-w when we tried using it. We were told by our isp that we
    :could change the MTU, but found you can't do that with the
    :Firewall-For-Dummies, so we purchased the PIX506e. Went through a month
    :of tech support with Cisco and was never able to get it working "right".
    : I finally gave up on the idea of running the accounting application
    :and was going to just settle on being able to map to our user folders
    :for file access. But, ran into speed problems there also.

    Mike, unless you happened to omit mention of a need for a DMZ or
    for being able to relay traffic between two remote locations, or
    needing really huge numbers of simultaneous connections, then the
    515/515E would not have any noticeable advantage over the 506E in
    the circumstances you describe.

    If your high speed DSL is 8/8 ADSL (8 megabits/s in each
    direction) and you were running it flat out, then the PIX 506E
    could be running low on oomph if you were using 3DES, but that
    would be easily remedied by switching to AES-128.


    The first thing I would check for in your situation is duplex
    problems.

    The second thing I would check is the MTU and
    the sysopt connection tcpmss size; and right after that I
    would look at the flows you are permitting to be sure that
    everything is in place for Path MTU Discovery, after which it
    would be time for a quick check of the endpoints to see whether
    they have Path MTU Discovery turned on.

    Likely the third thing I would check would be the log messages
    to see if there was anything interesting.

    After that, I would do some ping and ttcp tests, to try to isolate
    whether the VPN itself is slow or whether the problems are
    end-to-end.


    I suggest that this matter be followed up in comp.dcom.sys.cisco
    (newsgroups follow-ups already set.)
    --
    'The short version of what Walter said is "You have asked a question
    which has no useful answer, please reconsider the nature of the
    problem you wish to solve".' -- Tony Mantler
    Walter Roberson, Aug 10, 2005
    #1
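Walter's second and fourth checks (the MTU and the sysopt connection tcpmss size, then DF-bit ping tests) are easier to reason about with the ESP overhead worked out. The script below is an added example for this thread, not anything Walter or Cisco posted; it assumes ESP in tunnel mode, a 12-byte truncated HMAC ICV (MD5-96 or SHA1-96), an 8-byte IV and block for 3DES, a 16-byte IV and block for AES-128, 8 bytes of PPPoE framing when the DSL link uses PPPoE, and 8 bytes of UDP when NAT-Traversal is in use. The MTU, cipher and clamp values fed to it are constructed sample inputs.

```python
"""MTU / MSS budget for an IPsec ESP tunnel (added example, not from the thread).

Assumed (not stated in the thread): ESP tunnel mode, 12-byte truncated HMAC ICV,
8-byte IV/block for 3DES, 16-byte IV/block for AES-128, 8 bytes PPPoE framing,
8 bytes UDP for NAT-Traversal.
"""

IP_HEADER = 20        # outer and inner IPv4 header, no options
TCP_HEADER = 20       # TCP header, no options
ICMP_HEADER = 8       # ICMP echo header, for sizing DF-bit ping tests
UDP_HEADER = 8        # NAT-T encapsulation
PPPOE_OVERHEAD = 8    # PPPoE session header (6) + PPP protocol field (2)
ESP_SPI_SEQ = 8       # ESP SPI (4) + sequence number (4)
ESP_TRAILER = 2       # pad length (1) + next header (1)
ESP_ICV = 12          # truncated HMAC (MD5-96 / SHA1-96)

# cipher -> (IV length, cipher block size) in bytes
CIPHERS = {"3des": (8, 8), "aes-128": (16, 16)}


def esp_padding(inner_len: int, block: int) -> int:
    """Bytes of ESP padding so payload + padding + trailer fills whole cipher blocks."""
    return (-(inner_len + ESP_TRAILER)) % block


def esp_overhead(inner_len: int, cipher: str, nat_t: bool = False) -> int:
    """Bytes ESP tunnel-mode encapsulation adds to an inner IP packet of inner_len."""
    iv, block = CIPHERS[cipher]
    overhead = (IP_HEADER + ESP_SPI_SEQ + iv + esp_padding(inner_len, block)
                + ESP_TRAILER + ESP_ICV)
    if nat_t:
        overhead += UDP_HEADER
    return overhead


def max_inner_mtu(link_mtu: int, cipher: str, nat_t: bool = False,
                  pppoe: bool = False) -> int:
    """Largest inner IP packet whose encrypted form still fits the outside link MTU."""
    budget = link_mtu - (PPPOE_OVERHEAD if pppoe else 0)
    inner = budget
    # Padding depends on the inner length, so step down until the whole datagram fits.
    while inner + esp_overhead(inner, cipher, nat_t) > budget:
        inner -= 1
    return inner


def tcp_mss(inner_mtu: int) -> int:
    """TCP MSS that keeps every full segment inside the tunnel MTU
    (the value a tcpmss clamp such as sysopt connection tcpmss should not exceed)."""
    return inner_mtu - IP_HEADER - TCP_HEADER


def max_ping_payload(inner_mtu: int) -> int:
    """Largest ICMP echo payload that should traverse the tunnel with the DF bit set."""
    return inner_mtu - IP_HEADER - ICMP_HEADER


def mss_fits(configured_mss: int, inner_mtu: int) -> bool:
    """True when a configured MSS clamp is small enough for this tunnel."""
    return configured_mss <= tcp_mss(inner_mtu)


if __name__ == "__main__":
    # Constructed sample: a 1500-byte outside MTU under every cipher/encapsulation combination.
    for cipher in CIPHERS:
        for nat_t in (False, True):
            for pppoe in (False, True):
                mtu = max_inner_mtu(1500, cipher, nat_t=nat_t, pppoe=pppoe)
                print(f"{cipher:8} nat_t={nat_t!s:5} pppoe={pppoe!s:5} inner MTU {mtu} "
                      f"MSS {tcp_mss(mtu)} max DF ping payload {max_ping_payload(mtu)}")
```

The useful reading of the output is the gap between the inner MTU and the clamp actually configured on the PIX: if the clamp is larger than tcp_mss() for the cipher and framing in use, full-size segments depend on Path MTU Discovery working, which in turn needs the ICMP "fragmentation needed" messages to be permitted end to end. max_ping_payload() gives the payload size at which a DF-bit ping should still succeed; anything larger failing is expected, anything at or below it failing points at the path.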
  2. Mike Bailey (Guest)

    Walter Roberson wrote:
    > [Note: original discussion in comp.security.firewalls, but I am
    > shunting it over to comp.dcom.sys.cisco as it is getting PIX specific.]
    >
    >
    > In article <42fa0127$>,
    > Mike Bailey <> wrote:
    > :Mike Bailey wrote:
    > :> We currently have a PIX 506e and seem to be running into some
    > :> hardware limitations when using VPN according to Cisco. They are
    > :> recommending upgrading to the 515.
    >
    > :We have a high speed DSL coming in.
    >
    > :Originally our goal was
    > :to be able to run our accounting package through a vpn. At the time we
    > :had an eSoft Instagate (instaHate as I call it) which had built in vpn,
    > :but was s-l-o-w when we tried using it. We were told by our isp that we
    > :could change the MTU, but found you can't do that with the
    > :Firewall-For-Dummies, so we purchased the PIX506e. Went through a month
    > :of tech support with Cisco and was never able to get it working "right".
    > : I finally gave up on the idea of running the accounting application
    > :and was going to just settle on being able to map to our user folders
    > :for file access. But, ran into speed problems there also.
    >
    > Mike, unless you happened to omit mention of a need for a DMZ or
    > for being able to relay traffic between two remote locations, or
    > needing really huge numbers of simultaneous connections, then the
    > 515/515E would not have any noticeable advantage over the 506E in
    > the circumstances you describe.
    >
    > If your high speed DSL is 8/8 ADSL (8 megabits/s in each
    > direction) and you were running it flat out, then the PIX 506E
    > could be running low on oomph if you were using 3DES, but that
    > would be easily remedied by switching to AES-128.
    >
    >
    > The first thing I would check for in your situation is duplex
    > problems.
    >
    > The second thing I would check is the MTU and
    > the sysopt connection tcpmss size; and right after that I
    > would look at the flows you are permitting to be sure that
    > everything is in place for Path MTU Discovery, after which it
    > would be time for a quick check of the endpoints to see whether
    > they have Path MTU Discovery turned on.
    >
    > Likely the third thing I would check would be the log messages
    > to see if there was anything interesting.
    >
    > After that, I would do some ping and ttcp tests, to try to isolate
    > whether the VPN itself is slow or whether the problems are
    > end-to-end.
    >
    >
    > I suggest that this matter be followed up in comp.dcom.sys.cisco
    > (newsgroups follow-ups already set.)


    When you say that the 506e could be running low on "oomph" - what does
    that mean? Cisco has been working on this problem for over a month and
    was even escalated to the "senior techs". I would assume that they
    would have checked/tried these things. I do know that they tried
    adjusting the MTU for the VPN connection, and at one time had me change
    the setting on my home PC's Cisco VPN Client. At any rate, I'm going to
    copy the things you suggested and email them to the Cisco tech and ask if
    they were checked/tried.

    Mike
    Mike Bailey, Aug 10, 2005
    #2
  3. In article <42fa28fd$>,
    Mike Bailey <> wrote:
    :Walter Roberson wrote:

    :> If your high speed DSL is 8/8 ADSL (8 megabits/s in each
    :> direction) and you were running it flat out, then the PIX 506E
    :> could be running low on oomph if you were using 3DES, but that
    :> would be easily remedied by switching to AES-128.

    :When you say that the 506e could be running low on "oomph" - what does
    :that mean?


    The -rating- for the 506E is 17 megabits per second 3DES. If you
    are using symmetric DSL with 8 megabits in each direction and
    doing heavy data transfers, then the 16 megabits resultant might
    be close to the -practical- limit of the 506E. But if you are using
    ADSL (asymmetric) then you probably don't have more than 8/5 or 8/2
    which would be within the practical limits of the 506E. And the AES-128
    rating on the 506E is 30 megabits per second, so even if your line
    is symmetric 8/8 then using AES instead of 3DES would leave you plenty
    of margin.

    The quick way to find out if you are running into this kind of problem
    would be to show cpu usage

    You might also want to show memory to see if you are running low on
    memory. Is your configuration fairly big? That's one of the differences
    between the models, the amount of memory.


    :Cisco has been working on this problem for over a month and
    :was even escalated to the "senior techs". I would assume that they
    :would have checked/tried these things.

    Ah... Cisco is a bit "hit and miss": sometimes you get -very-
    good people, and sometimes you get people that you have to educate
    before they even understand what the problem is. The senior techs
    are usually not too bad, but from time to time your problem lands in
    the hands of the wrong specialization at Cisco and the senior tech
    might try to solve the problem from the wrong viewpoint. You know the
    cliche, "If all you have is a hammer, then everything looks like a nail."


    I'm curious as to what Cisco thinks the 515E would do for you that the
    506E would not. If you happen to have that part of the discussion
    as email, I'd be interested in reading it, if you send it to my email.



    [Interesting, we have some of your company's products at home.]
    --
    This signature intentionally left... Oh, darn!
    Walter Roberson, Aug 10, 2005
    #3
  4. Mike Bailey (Guest)

    Walter Roberson wrote:
    > In article <42fa28fd$>,
    > Mike Bailey <> wrote:
    > :Walter Roberson wrote:
    >
    > :> If your high speed DSL is 8/8 ADSL (8 megabits/s in each
    > :> direction) and you were running it flat out, then the PIX 506E
    > :> could be running low on oomph if you were using 3DES, but that
    > :> would be easily remedied by switching to AES-128.
    >
    > :When you say that the 506e could be running low on "oomph" - what does
    > :that mean?
    >
    >
    > The -rating- for the 506E is 17 megabits per second 3DES. If you
    > are using symmetric DSL with 8 megabits in each direction and
    > doing heavy data transfers, then the 16 megabits resultant might
    > be close to the -practical- limit of the 506E. But if you are using
    > ADSL (asymmetric) then you probably don't have more than 8/5 or 8/2
    > which would be within the practical limits of the 506E. And the AES-128
    > rating on the 506E is 30 megabits per second, so even if your line
    > is symmetric 8/8 then using AES instead of 3DES would leave you plenty
    > of margin.
    >
    > The quick way to find out if you are running into this kind of problem
    > would be to show cpu usage
    >
    > You might also want to show memory to see if you are running low on
    > memory. Is your configuration fairly big? That's one of the differences
    > between the models, the amount of memory.
    >
    >
    > :Cisco has been working on this problem for over a month and
    > :was even escalated to the "senior techs". I would assume that they
    > :would have checked/tried these things.
    >
    > Ah... Cisco is a bit "hit and miss": sometimes you get -very-
    > good people, and sometimes you get people that you have to educate
    > before they even understand what the problem is. The senior techs
    > are usually not too bad, but from time to time your problem lands in
    > the hands of the wrong specialization at Cisco and the senior tech
    > might try to solve the problem from the wrong viewpoint. You know the
    > cliche, "If all you have is a hammer, then everything looks like a nail."
    >
    >
    > I'm curious as to what Cisco thinks the 515E would do for you that the
    > 506E would not. If you happen to have that part of the discussion
    > as email, I'd be interested in reading it, if you send it to my email.
    >
    >
    >
    > [Interesting, we have some of your company's products at home.]


    Sorry for the delay in responding. Turns out that the tech I was
    working with didn't have too much of a clue as to what was going on or
    especially what had been done and tested prior to him, resulting in the
    case being escalated to him. I complained - strongly, and then my case
    was sent to another who was "the best". I've had one conversation with
    him where he wanted me to download a sniffer and run it on each end of
    the vpn and capture the results. Even though I asked for explicit
    instructions as to what they wanted me to do - I received none except to
    also download the documentation. He could understand that I was asking
    "what do you want me to do once it is installed." He also requested
    that I run it at the same time at both ends - kinda hard to do when I
    can only be in one place (home or work) at a time. LOL.

    Anyway, Cisco never said what exactly they thought the 515e would do for
    me, only that my latency was a "hardware limitation" and that I should
    upgrade to the 515e.

    I did ask about configuring the vpn to use the AES instead of the 3DES
    as you had suggested, but they didn't seem too excited about that and
    didn't want to try - not yet anyway.

    I'm a little ticked right now that I haven't heard a word from them as
    of yet. I stressed that I was under a time limit here that if I do need
    to return the 506e, I have to act quickly. They obviously don't care
    nor understand the urgency...

    One thing that did occur to me was that I was comparing the speed of
    browsing a directory through remote desktop with doing the same through
    VPN. Remote desktop displayed all folder contents in one second, vpn
    took 15. But, I'm thinking now that this is not a fair comparison as
    when using RD, I'm only transferring the screen "image" to my remote pc
    and all the "work" is being done on the remote server, whereas with the
    VPN I'm actually transferring data.

    Mike
    Mike Bailey, Aug 16, 2005
    #4