Solved

Pix to Pix VPN Bandwidth issues

Posted on 2004-10-19
5
728 Views
Last Modified: 2013-11-16
Thanks for helping in advance.  This problem just about has my job.  
We have three offices, one corporate and two branches.  The main office has a Pix 515e, both branches have Pix 501's. Remote office A connects through a 768/768 DSL connection, remote office B through a 2000/2000 DSL connection.  The main office also has a 2000/2000 DSL connection.  There are 3 employees at office A and 7 employees at office B.  All employees at remote offices are terminal service clients.  
I have run PRTG against all DSL connections and we are receiving all the bandwidth we are supposed to.
Now for the problem... We also run VOIP, which of course is getting the left over of the bandwidth after the terminal sessions are done.  I have configured the TS clients to not use all the bells and whistles, but still not enough bandwidth left.  So ... is there any way of doing some type or version of QoS through these Pix to Pix tunnels?  
If not, does anyone know of a way I can limit port 3389 to only use a certain amount of the tunnel?

Oh, we are running 3des.

Thanks again all you experts.
0
Question by:ibtaya
5 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 12360222
No. Unfortunately, you cannot do any type of QoS over VPN tunnels on the PIX. Period.
An alternative that you might not like, but is designed exactly for your situation is using 800 series routers at the remote offices with multi-point GRE tunnels back to another router at your location.

http://www.cisco.com/en/US/tech/tk583/tk372/technologies_configuration_example09186a00801e6206.shtml

You might try a registry hack to set the MAX MTU on the clients (and on the Term Server) down to 576. This might help you more than you think.
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12403475
Any progress? Are you still working on this? Do you need more information?
0
 
LVL 79

Expert Comment

by:lrmoore
ID: 12424459
ibtaya, don't use the "feedback" link, just post additional comments here....
--------------------------------------------------------------------
Author: ibtaya
Date: 10/25/2004 09:52PM CDT

Not sure how to do the reg hack, where is the string found?
I have determined that the problem is in the jitter.  The max jitter for the VoIP system is 90ms, but my jitter goes much higher sometimes, which results in poor service.
I also found that if I switch to cable I can do QoS through the router that comes with the service. How good is cable internet when it comes to jitter?  Where is jitter determined, by the ISP or the termination?
-------------------------------------------------------------------

Of course jitter is the problem.
No matter what is in the middle, you still cannot enable any QoS mechanisms on the PIX FW for the VPNs.
0
 
LVL 2

Author Comment

by:ibtaya
ID: 12424521
Do you mean that if I put routers on the outside of the PIXes then I cannot do QoS before traffic reaches the tunnel?  Any idea where the reg string is that controls Max MTU?
0
 
LVL 79

Accepted Solution

by:
lrmoore earned 500 total points
ID: 12424578
Here are ways to set MTU on windows platforms:
http://support.microsoft.com/kb/q120642/

If you set up GRE tunnels between the sites, then you can do some QoS between sites, but this would have to be in front of the PIX between the PIX and the DSL modem. Then you would not need the IPSEC VPN from PIX-PIX.
There is still zero guarantee of end-to-end QoS across the Internet, no matter what you do.
0
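Added example, not part of the thread: a short Python calculation of how long one full-size terminal-services packet occupies the uplink once it is wrapped in a 3DES ESP tunnel, at the default 1500-byte MTU versus the suggested 576, and how many such packets queued back to back fit inside the 90 ms jitter limit quoted above. Assumptions: "768/768" and "2000/2000" mean kbit/s, the tunnel uses ESP tunnel mode with a 12-byte HMAC-96 ICV (the thread only says 3DES), and DSL framing overhead and fragmentation of oversized tunnel packets are ignored.

```python
# Added illustration; values not stated in the thread are labelled assumptions.
OUTER_IP = 20     # outer IPv4 header without options
ESP_HDR = 8       # SPI (4) + sequence number (4)
IV_3DES = 8       # 3DES-CBC IV, one cipher block
BLOCK_3DES = 8    # 3DES block size; ESP pads to a multiple of this
ICV = 12          # assumption: HMAC-MD5-96 or HMAC-SHA1-96 authentication


def esp_tunnel_len(inner_len):
    """Bytes of the tunnel packet carrying one inner IP packet (pre-fragmentation)."""
    trailer = inner_len + 2  # inner packet + pad-length byte + next-header byte
    padded = -(-trailer // BLOCK_3DES) * BLOCK_3DES  # round up to block size
    return OUTER_IP + ESP_HDR + IV_3DES + padded + ICV


def serialization_ms(nbytes, link_kbps):
    """Time to clock nbytes onto a link of link_kbps (1 kbit/s = 1000 bit/s)."""
    return nbytes * 8 / link_kbps


def packets_within_budget(inner_len, link_kbps, budget_ms=90):
    """Back-to-back full-size tunnel packets that serialize within budget_ms."""
    per_packet = serialization_ms(esp_tunnel_len(inner_len), link_kbps)
    return int(budget_ms // per_packet)


def report():
    """(link kbit/s, client MTU, tunnel bytes, ms per packet, packets in 90 ms)."""
    rows = []
    for kbps in (768, 2000):        # office A and office B/main uplinks
        for mtu in (1500, 576):     # default Ethernet MTU vs. suggested value
            wire = esp_tunnel_len(mtu)
            rows.append((kbps, mtu, wire,
                         round(serialization_ms(wire, kbps), 2),
                         packets_within_budget(mtu, kbps)))
    return rows


if __name__ == "__main__":
    for kbps, mtu, wire, ms, n in report():
        print(f"{kbps:>4} kbit/s  MTU {mtu:>4}: {wire} B on the wire, "
              f"{ms} ms each, {n} packets per 90 ms")
```

The smaller MTU shortens the time any single data packet holds the line, but the number of bytes that fit in the 90 ms window stays about the same, so a long burst still delays voice without real prioritization.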
