Throughput across IPsec tunnel is limited to 600 Mbps


59999
Created On 03/17/20 22:14 PM - Last Modified 04/06/20 17:03 PM


Symptom


Bi-directional throughput for traffic across an IPsec tunnel is limited to 600 Mbps, which results in application slowness, latency and packet loss for data traversing the tunnel.
 

  • Log in to the firewall CLI and run the following command:

> show session info 
Number of sessions supported: 4194290
Number of active sessions: 135700
Number of active TCP sessions: 103320
Number of active UDP sessions: 25300
Number of active ICMP sessions: 5166
Number of active BCAST sessions: 0
Number of active MCAST sessions: 0
Number of active predict sessions: 29
Session table utilization: 3%
Number of sessions created since bootup: 660498175
Packet rate: 67414/s
Throughput: 550072 kbps
New connection establish rate: 3314 cps

  • The Throughput value in the CLI output above is a global value for the whole firewall, not just for the IPsec tunnel.

  • To measure the throughput of the IPsec tunnel precisely, either the firewall should be passing only the IPsec traffic, or rely on the client/server pair used for testing.

  • In this case the PA-VM is delivering around 550 Mbps of throughput.



Environment


  • Platform: VM-Series Firewall
  • PAN-OS / Plugin Version: 9.0.1 / -
  • Deployment: Azure


Cause


  • This limitation is due to the PAN-OS architecture, in which each IPsec tunnel session is processed by a single core. Each core can encapsulate a maximum of 300 Mbps of traffic and decapsulate another 300 Mbps, giving a bidirectional throughput of 600 Mbps per tunnel.

 



Resolution


  • Create multiple tunnels between the two sites, where each tunnel provides a bi-directional throughput of 600 Mbps, and load balance the interesting traffic across them.
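The following is an added example, not part of the original article and not Palo Alto Networks code. It reads the global Throughput line from a constructed copy of the "show session info" output shown above, compares it with the 600 Mbps per-tunnel ceiling stated in the Cause section, works out how many tunnels are needed for a target bidirectional rate, and maps source/destination subnet pairs to tunnels deterministically so that both directions of a flow stay on the same tunnel. The hash-based assignment and the subnet pairs are hypothetical illustrations; how the split is actually enforced (PBF rules, static routes) is not described by the article.

```python
import hashlib
import ipaddress
import math
import re

# Per-tunnel limits as stated in the article: one core per IPsec tunnel,
# 300 Mbps encapsulation plus 300 Mbps decapsulation.
PER_DIRECTION_MBPS = 300
PER_TUNNEL_BIDIR_MBPS = 2 * PER_DIRECTION_MBPS

# Constructed sample, shaped like the article's "show session info" output.
SAMPLE_SESSION_INFO = """\
Number of sessions supported: 4194290
Number of active sessions: 135700
Session table utilization: 3%
Packet rate: 67414/s
Throughput: 550072 kbps
New connection establish rate: 3314 cps
"""


def parse_throughput_mbps(session_info: str) -> float:
    """Extract the global 'Throughput: N kbps' line and convert it to Mbps."""
    m = re.search(r"^Throughput:\s+(\d+)\s+kbps\s*$", session_info, re.MULTILINE)
    if not m:
        raise ValueError("no Throughput line found in 'show session info' output")
    return int(m.group(1)) / 1000.0


def tunnel_utilisation(throughput_mbps: float) -> float:
    """Fraction of one tunnel's 600 Mbps bidirectional ceiling in use.

    Only meaningful when the firewall is carrying just the IPsec traffic,
    because the CLI value is firewall-wide, not per tunnel.
    """
    return throughput_mbps / PER_TUNNEL_BIDIR_MBPS


def tunnels_required(target_bidir_mbps: float) -> int:
    """Minimum number of tunnels so that no single tunnel exceeds 600 Mbps."""
    if target_bidir_mbps <= 0:
        raise ValueError("target throughput must be positive")
    return math.ceil(target_bidir_mbps / PER_TUNNEL_BIDIR_MBPS)


def assign_tunnel(src_subnet: str, dst_subnet: str, n_tunnels: int) -> int:
    """Map a source/destination subnet pair to a tunnel index in [0, n_tunnels).

    Hypothetical policy: the SHA-256 of the normalised pair is used so that
    the same pair always lands on the same tunnel, which keeps a flow's
    request and reply on one tunnel. The reverse pair is mapped explicitly
    to the same index so the remote side can use the same function.
    """
    if n_tunnels < 1:
        raise ValueError("need at least one tunnel")
    src = ipaddress.ip_network(src_subnet, strict=False)
    dst = ipaddress.ip_network(dst_subnet, strict=False)
    # Order the pair canonically so A->B and B->A hash identically.
    a, b = sorted((str(src), str(dst)))
    digest = hashlib.sha256(f"{a}|{b}".encode()).digest()
    return int.from_bytes(digest[:4], "big") % n_tunnels


def plan(subnet_pairs, target_bidir_mbps: float) -> dict:
    """Return {(src, dst): tunnel_index} for the number of tunnels required."""
    n = tunnels_required(target_bidir_mbps)
    return {pair: assign_tunnel(pair[0], pair[1], n) for pair in subnet_pairs}


if __name__ == "__main__":
    mbps = parse_throughput_mbps(SAMPLE_SESSION_INFO)
    print(f"global throughput: {mbps:.3f} Mbps "
          f"({tunnel_utilisation(mbps):.0%} of one tunnel's ceiling)")
    # Constructed subnet pairs and a hypothetical 1.5 Gbps target.
    pairs = [("10.1.0.0/24", "192.168.10.0/24"),
             ("10.1.1.0/24", "192.168.10.0/24"),
             ("10.1.2.0/24", "192.168.20.0/24")]
    for pair, idx in plan(pairs, 1500).items():
        print(f"{pair[0]} <-> {pair[1]} -> tunnel.{idx}")
```

Note that hashing spreads subnet pairs over the tunnels but does not guarantee an even byte-rate split; if a single pair carries most of the traffic it will still be capped at 600 Mbps, so the split has to be chosen along the lines the traffic actually follows.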



    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PP5TCAW&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail