IPSEC SITE TO SITE VPN TUNNELS - Throughput

I have ASA 5510 and Palo Alto 3000 model firewalls.
ASA shows VPN throughput of 170 Mbps while Palo Alto shows 500 Mbps in the data sheet.

I need to understand: by IPSEC VPN throughput, do they mean it's the bandwidth we will get once we establish site-to-site VPN tunnels across two firewalls over the internet?

Or does it mean this is the bandwidth each VPN client will have when they connect to the firewall?

My main scenario is that I have two offices with two firewalls connected through site-to-site tunnels. Both sites have 1 Gbps Internet connection. If the VPN throughput is per the above details, does it mean that no matter how powerful the internet connection is, I will still get max 170 Mbps on ASA 5510 and 500 Mbps on Palo Alto?
Mac80 Asked:

John (Business Consultant, Owner) Commented:
The router throughput is the fastest the router can transmit data. It is NOT the speed you get.

VPN speed is determined by the ISP at each end and will be the slowest of the two uplink speeds. Unless you have really fast, 500Kbit/sec is fairly average speed for VPN.
0
Qlemo (Batchelor, Developer and EE Topic Advisor) Commented:
The VPN throughput is the maximum speed you can get under optimal conditions. AES 256 might be slower or faster than 3DES, for example.
Of course the slowest part of the complete path sets the overall speed.
0
ArchiTech89 (IT Security Engineer) Commented:
I'll just add that this 'maximum speed' is based on the computing power of the firewall/device. So as you get higher and higher in Cisco's line, for example, their processing power increases and increases.

Take note that there's a difference between "throughput" by itself, and "encrypted throughput." And again, that just demonstrates how the concept relies on processing power.

As an example, the 5545-X has a maximum encrypted throughput of 400Mbps, whereas the 5585-X is rated at 1Gbps encrypted throughput.

Hooking lower-rated to higher-rated means the lower-rated one is now a bottleneck in theoretical terms, though in real terms it would depend on how much traffic is attempted to be pushed over the tunnel.
0
John (Business Consultant, Owner) Commented:
VPN uses external internet connections and modems (usually ISP supplied). These are MUCH slower than the throughput limits of the router.
0
Qlemo (Batchelor, Developer and EE Topic Advisor) Commented:
John,
"Both sites have 1 Gbps Internet connection." - sounds like there is some room here ;-).
0
John (Business Consultant, Owner) Commented:
There could be, but normally I see slow performance on uplinks anywhere I go.

@Mac80 - Please let us know about your uplink speed.
0
Benjamin Van Ditmars Commented:
I have set up a lot of site-to-site VPNs on Cisco ASA units. A fair speed you can get out of the box is half the max throughput; for the ASA 5510 it is around 65 to 70 Mbit.
0
Mac80 (Author) Commented:
This is 1 Gbps internet with same uplink/downlink speed. Synchronous bandwidth, basically.

My main concern is that even if I upgrade to 10 Gig ISP speed on both sites, the IPSEC VPN tunnel will be limited to 170 Mbps on the ASA 5510? There is no way we can increase it to 500 Mbps on the same ASA.
0
John (Business Consultant, Owner) Commented:
What is your synchronous speed (that is, do you really get 1 GBit/sec?)

I have rated throughput on my Cisco RV325 router of 900 MBits/sec but my Internet speed is nowhere near this. I got full VPN speed governed by my Internet, NOT the router. That is just theoretical maximum speed.
0
Qlemo (Batchelor, Developer and EE Topic Advisor) Commented:
Whatsoever and again, the slowest part in the chain determines the speed. If net usable bandwidth of your internet connection is 500 mbps, the ASA is not able to cope with that for VPN tunnels.
0
ArchiTech89 (IT Security Engineer) Commented:
Your concern is valid. If you upgrade the ISP link to 10Gbps, it will not have an ounce of effect on the throughput.

But then the question presents itself: Do you need it?

You'll have to watch (monitor) at times of critical load, and maybe even set up notifications for when a certain percentage of resources are reached, etc. But if you never hit really high utilization or low available memory, you should theoretically have the entire 170Mbps (if that's the encrypted rating) across that tunnel.

On the other hand, you could also probably shove other traffic across that link without using the tunnel, for example standard Internet traffic, in which case you might not altogether lose out.

Look at it in terms of whether you can meet (and exceed) your needs, not so much whether you meet and/or saturate your available bandwidth, right? :-D
0

Question has a verified solution.