Pix to Pix VPN Bandwidth issues

Thanks for helping in advance.  This problem just about has my job.  
We have three offices, one corporate and two branches.  The main office has a Pix 515e, both branches have Pix 501's. Remote office A connects through a 768/768 DSL connection, remote office B through a 2000/2000 DSL connection.  The main office also has a 2000/2000 DSL connection.  There are 3 employees at office A and 7 employees at office B.  All employees at remote offices are terminal service clients.  
I have ran PRTG against all dsl connections and we are recieving all the bandwidth we are supposed to.
Now for the problem... We also run VOIP, which of course is getting the left over of the bandwidth after the terminal sessions are done.  I have configured the TS clients to not use all the bells and whistles, but still not enough bandwidth left.  So ... is there any way of doing some type or version of QoS through these Pix to Pix tunnels?  
If not does anyone know of a way I can limit port 3389 to only use a certian amount of the tunnel?

Oh, we are running 3des.

Thanks again all you experts.
Who is Participating?

Improve company productivity with a Business Account.Sign Up

lrmooreConnect With a Mentor Commented:
Here are ways to set MTU on windows platforms:

If you setup GRE tunnels between the sites, then you can do some QoS between sites, but this would have to be in front of the PIX between the PIX and the DSL modem. Then you would not need the IPSEC VPN from PIX-PIX.
There is still zero guarantee of end-to-end QoS accross the Internet, no matter what you do.
No. Unfortunately, you cannot do any type of QoS over VPN tunnels on the PIX. Period.
An alternative that you might not like, but is designed exactly for your situation is using 800 series routers at the remote offices with multi-point GRE tunnels back to another router at your location.


You might try a registry hack to set the MAX MTU on the clients (and on the Term Server) down to 576. This might help you more than you think.
Any progress? Are you still working on this? Do you need more information?
ibtaya, don't use the "feedback" link, just post additional comments here....
Author: ibtaya
Date: 10/25/2004 09:52PM CDT

Not sure how to do the reg hack, where is the string found?
I have determined that the problem is in the jitter.  The max jitter for the VoIP system is 90ms, but my jitter goes much higher sometimes, which results in poor service
I also found that if I switch to Cable I can do QOS through the router that comes with the service. How good is cable internet when it comes to jitter?  Where is jitter determined by the isp or the termination?

Of course jitter is the problem.
No matter what is in the middle, you still cannot enable and QoS mechanisms on the PIX FW for the VPN's.
ibtayaAuthor Commented:
Do you mean that if I put routers on the outside of the pixes then I cannot do QoS before traffic reaches the tunnel?  Any idea where the reg string is that controls Max MTU.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.