Pix to Pix VPN Bandwidth issues

Posted on 2004-10-19
Last Modified: 2013-11-16
Thanks for helping in advance.  This problem just about has my job.  
We have three offices, one corporate and two branches.  The main office has a Pix 515e, both branches have Pix 501's. Remote office A connects through a 768/768 DSL connection, remote office B through a 2000/2000 DSL connection.  The main office also has a 2000/2000 DSL connection.  There are 3 employees at office A and 7 employees at office B.  All employees at remote offices are terminal service clients.  
I have run PRTG against all DSL connections and we are receiving all the bandwidth we are supposed to.
Now for the problem... We also run VoIP, which of course is getting the leftover of the bandwidth after the terminal sessions are done.  I have configured the TS clients to not use all the bells and whistles, but still not enough bandwidth is left.  So ... is there any way of doing some type or version of QoS through these Pix to Pix tunnels?  
If not, does anyone know of a way I can limit port 3389 to only use a certain amount of the tunnel?

Oh, we are running 3des.

Thanks again all you experts.
Question by:ibtaya
LVL 79

Expert Comment

ID: 12360222
No. Unfortunately, you cannot do any type of QoS over VPN tunnels on the PIX. Period.
An alternative that you might not like, but is designed exactly for your situation is using 800 series routers at the remote offices with multi-point GRE tunnels back to another router at your location.

You might try a registry hack to set the MAX MTU on the clients (and on the Term Server) down to 576. This might help you more than you think.
LVL 79

Expert Comment

ID: 12403475
Any progress? Are you still working on this? Do you need more information?
LVL 79

Expert Comment

ID: 12424459
ibtaya, don't use the "feedback" link, just post additional comments here....
Author: ibtaya
Date: 10/25/2004 09:52PM CDT

Not sure how to do the reg hack, where is the string found?
I have determined that the problem is in the jitter.  The max jitter for the VoIP system is 90ms, but my jitter goes much higher sometimes, which results in poor service.
I also found that if I switch to cable I can do QoS through the router that comes with the service. How good is cable internet when it comes to jitter?  Where is jitter determined, by the ISP or the termination?

Of course jitter is the problem.
No matter what is in the middle, you still cannot enable any QoS mechanisms on the PIX FW for the VPNs.

Author Comment

ID: 12424521
Do you mean that if I put routers on the outside of the pixes then I cannot do QoS before traffic reaches the tunnel?  Any idea where the reg string is that controls Max MTU?
LVL 79

Accepted Solution

lrmoore earned 500 total points
ID: 12424578
Here are ways to set MTU on Windows platforms:

If you setup GRE tunnels between the sites, then you can do some QoS between sites, but this would have to be in front of the PIX between the PIX and the DSL modem. Then you would not need the IPSEC VPN from PIX-PIX.
There is still zero guarantee of end-to-end QoS across the Internet, no matter what you do.
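For readers wondering what the "GRE tunnel with QoS in front of the PIX" suggestion looks like in practice, here is an added Cisco IOS sketch for the main-office router sitting between the PIX and the DSL modem, with voice prioritised ahead of RDP (TCP 3389) and the tunnel shaped to branch A's 768 kbps uplink. This is an illustration written for this page, not lrmoore's configuration; the interface names, addresses, tunnel number and the 256/384 kbps split are assumed placeholder values.

```cisco
! Constructed example; addresses are RFC 5737 documentation ranges, not the poster's.
! Classify voice by its DSCP marking and terminal-services traffic by port.
class-map match-all VOICE
 match ip dscp ef
class-map match-all RDP
 match access-group name RDP-TRAFFIC
!
ip access-list extended RDP-TRAFFIC
 permit tcp any any eq 3389
 permit tcp any eq 3389 any
!
! Child policy: strict priority for voice (keeps jitter down), a guaranteed
! but bounded share for RDP, everything else fair-queued.
policy-map BRANCH-A-QOS
 class VOICE
  priority 256
 class RDP
  bandwidth 384
 class class-default
  fair-queue
!
! Parent policy: shape to the remote DSL rate so queuing happens here,
! on the router, rather than in the provider's modem where no policy applies.
policy-map BRANCH-A-SHAPE
 class class-default
  shape average 768000
  service-policy BRANCH-A-QOS
!
interface Tunnel0
 description GRE to branch A, in front of the PIX
 ip address 10.255.0.1 255.255.255.252
 tunnel source FastEthernet0/0
 tunnel destination 203.0.113.10
 service-policy output BRANCH-A-SHAPE
```

Plain GRE carries traffic in the clear, so if it replaces the PIX-to-PIX 3DES tunnel the routers themselves must protect the GRE traffic with IPsec, with a mirrored policy on the branch router; otherwise the shaping works but the inter-office traffic loses its encryption.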
