Throughput across IPsec tunnel is limited to 600 Mbps
Symptom
Bidirectional throughput across an IPsec tunnel is capped at about 600 Mbps, which shows up as application slowness, added latency and packet loss for traffic traversing the tunnel.
- Log in to the firewall CLI and run:
  > show session info
  Number of sessions supported: 4194290
  Number of active sessions: 135700
  Number of active TCP sessions: 103320
  Number of active UDP sessions: 25300
  Number of active ICMP sessions: 5166
  Number of active BCAST sessions: 0
  Number of active MCAST sessions: 0
  Number of active predict sessions: 29
  Session table utilization: 3%
  Number of sessions created since bootup: 660498175
  Packet rate: 67414/s
  Throughput: 550072 kbps
  New connection establish rate: 3314 cps
- The Throughput value in this output is a global figure for the whole firewall, not for the IPsec tunnel alone.
- To measure the tunnel's own throughput, either make sure the firewall is carrying only the IPsec traffic while you read this counter, or rely on the throughput reported by the client/server pair used for the test.
- In this case the VM-Series firewall is passing around 550 Mbps (550072 kbps), close to the 600 Mbps ceiling described under Cause. Note that the session table is only 3% utilized, so this is not session exhaustion.
Environment
- Platform: VM-Series Firewall
- PAN-OS / Plugin Version: 9.0.1 / -
- Deployment: Azure
Cause
- PAN-OS processes each IPsec tunnel on a single dataplane core. On this platform a core can encapsulate at most about 300 Mbps and decapsulate about another 300 Mbps, so a single tunnel tops out at roughly 600 Mbps bidirectional. Adding cores to the VM does not help a single tunnel, since that tunnel still runs on one core.
Resolution
- Build several IPsec tunnels between the two sites; each tunnel gets its own core and therefore its own 600 Mbps bidirectional budget, and load-balance the interesting traffic across them (for example with ECMP over the tunnel interfaces, or policy-based forwarding rules that split traffic by subnet). Because any single flow is pinned to one tunnel, this raises the aggregate throughput but not the throughput available to one flow; to reach a 1.5 Gbps aggregate, for instance, plan for at least three tunnels.
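As an added example (not from the original article and not Palo Alto Networks code), the following Python parses the `show session info` output shown above, checks the global throughput against the per-tunnel ceiling from the Cause section, and sizes the number of tunnels needed for a target aggregate. The sample output is constructed to match the format shown above, the 300 Mbps per-direction figure is taken from this article, and the 90% warning threshold is an assumption of this example.

```python
"""Check PAN-OS `show session info` throughput against the single-tunnel
IPsec ceiling described in this article and size a multi-tunnel design.

Added example: not the article's or vendor's code."""
import math
import re

# Per-core ceiling from the article: 300 Mbps encapsulation plus 300 Mbps
# decapsulation per IPsec tunnel, i.e. 600 Mbps bidirectional.
PER_DIRECTION_MBPS = 300
PER_TUNNEL_MBPS = 2 * PER_DIRECTION_MBPS

# Constructed sample shaped like the CLI output above (not a real capture).
SAMPLE_OUTPUT = """\
> show session info
Number of sessions supported: 4194290
Number of active sessions: 135700
Number of active TCP sessions: 103320
Number of active UDP sessions: 25300
Session table utilization: 3%
Packet rate: 67414/s
Throughput: 550072 kbps
New connection establish rate: 3314 cps
"""

# Matches "<label>: <integer>" with an optional unit suffix (kbps, /s, cps, %).
_FIELD_RE = re.compile(r"^\s*([^:>]+):\s*(\d+)\s*(kbps|/s|cps|%)?\s*$")


def parse_session_info(text):
    """Return {label: integer value} for every numeric line of the output.
    Unit suffixes are dropped; Throughput stays in kbps as the CLI reports it."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip()] = int(m.group(2))
    return fields


def throughput_mbps(fields):
    """Global firewall throughput in Mbps (the CLI prints kbps)."""
    return fields["Throughput"] / 1000.0


def tunnel_headroom(fields, warn_ratio=0.9):
    """Classify the global throughput against the single-tunnel ceiling.

    Only meaningful when the firewall is carrying (almost) only the IPsec
    traffic, as the article notes, because the counter is firewall-wide.
    warn_ratio (90% by default) is an assumption of this example."""
    mbps = throughput_mbps(fields)
    if mbps >= PER_TUNNEL_MBPS:
        return "at_ceiling"
    if mbps >= warn_ratio * PER_TUNNEL_MBPS:
        return "near_ceiling"
    return "ok"


def tunnels_required(target_mbps):
    """Tunnels needed for an aggregate bidirectional target, given that each
    tunnel is pinned to one core and so capped at PER_TUNNEL_MBPS."""
    return max(1, math.ceil(target_mbps / PER_TUNNEL_MBPS))


if __name__ == "__main__":
    info = parse_session_info(SAMPLE_OUTPUT)
    print(f"global throughput: {throughput_mbps(info):.1f} Mbps "
          f"({tunnel_headroom(info)})")
    print(f"session table utilization: {info['Session table utilization']}%")
    print(f"tunnels for 1.5 Gbps aggregate: {tunnels_required(1500)}")
```

Run it against the real output of `show session info` (paste it in place of the sample) only while the tunnel traffic is the dominant load on the firewall; otherwise the global counter overstates what the tunnel itself is carrying.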