Pix 501 and Concurrent VPN Connections

Discussion in 'Cisco' started by jaylucasaustin.rr.com, Jan 27, 2006.

  1. Hello,

    I find myself in the position of taking over a small office network that
    uses a Pix 501 primarily for the main Internet firewall and VPN. Currently,
    this device needs to support 4 external VPN connections at any given time
    and up to six internal (office systems). The 501 has a ten user license and
    currently has a problem with VPN connections that cannot always connect. I
    haven't had a chance to dig into log files yet as I haven't fully taken
    over, but was told (by a self-proclaimed expert) that the 501 has difficulty
    handling more than 2 external VPN connections simultaneously due to its
    slow processing power. So two questions--is this "expert" correct and should
    I look into a slightly beefier Pix, or is this likely a licensing issue? I
    know that the four external devices obviously use a license, but am not
    clear on if internal office devices use one as well. The specs on the 501
    show that it should easily be able to handle this scenario, that's why I need
    feedback from real users.

    Any help or advice on where to look for further insight would be greatly


    jaylucasaustin.rr.com, Jan 27, 2006

  2. jaylucasaustin.rr.com

    Peter Simons Guest



    We have a PIX 501 and it currently handles 7 VPN tunnels and about
    twenty users behind (the 501 is unlimited license).

    Overall no problems.

    Though VPNs do hit the processor quite hard and our VPNs seem quite
    low throughput. If your VPN traffic, no matter how many tunnels, is over
    1 mg/s I would upgrade to a different PIX.

    The internal devices do use a license.

    Peter Simons, Jan 27, 2006

  3. Thanks Peter,

    Just to clarify, do you know if the 501 handles both hardware and software
    VPN connections the same? Some of the connections that I need to support
    are hardware and some use the Cisco software client. Also, are you saying
    that the aggregate VPN throughput is only 1 megabit per second, or is this
    per VPN link?


    jaylucasaustin.rr.com, Jan 29, 2006
  4. jaylucasaustin.rr.com

    Peter Simons Guest


    The 501 has no hardware acceleration. It treats PIX to PIX and Cisco
    client to PIX connections the same.

    With the setup I have I would say it is total throughput. But also
    remember that processor utilisation will vary from installation to
    installation as it depends on how many rules you have and what other
    functions you use.

    If you have a Windows environment, download a simple SNMP monitor


    and follow the advice someone supplied to me earlier


    Peter Simons, Jan 29, 2006