I am having an FTP throughput issue through a PIX-PIX VPN across a 100MB WAN connection.
I am colocated in two datacenters which are connected across the SONET via 100MB trunk.
I have all interfaces hard-set at 100FD.
The Servers are set at 100FD and everything is champs.
I receive approximately 4.5-7 MB/Sec from the internet connection (traverses PIX inside to outside, 10.x.x.x translated to public IP).
However, when I connect to my remote FTP server in the other datacenter and transfer between sites I only get 800kbps to 1.2Mbps.
Testing from outside the PIX on the incoming layer2 device yields extremely high speed across the same infrastructure, with the exception of:
1.) not going through my PIX, since this is outside the PIX.
2.) not encrypted, due to no VPN.
Basically we connected two laptops to the same layer2 device that my PIX internet connection is on, one at IDC1 and one in IDC2. These two guys transfer at 50MBps, ruling out the IDC's network as an issue.
Could anything in the tunnel config be screwing with my FTP transfer speeds?
I recall there is some configuration that can cause retransmits etc. on FTP sessions but can't exactly remember what the gotcha was.
Any ideas are helpful.
The settings are as follows (I am not going to tie up page space with all the PIX config; rest assured it has all been gone over before I came to the board with it):
Access-list nonat permit ip 10.30.30.0 10.20.30.0
Access-list "VPN-ACL" permit ip 10.30.30.0 10.20.30.0
nat (inside) 0 access-list nonat
Encryption 3DES
Transform-set "VPN" ESP-3DES ESP-SHA-HMAC
crypto map "VPN" 10 ipsec-isakmp
crypto map "VPN" 10 transform-set "VPN"
crypto map "VPN" 10 set peer x.x.x.x
crypto map "VPN" 10 match address "VPN-ACL"
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
So there you have a tidbit just so you can see the cipher strength and what-not.
TIA.
--BD
SDI
Dallas, TX