Low throughput seen for traffic going through an IPSec tunnel on PA-400, PA-1400, PA-3400, and PA-5400 firewalls

Created On 03/20/25 19:57 PM - Last Modified 11/04/25 18:19 PM


Symptom


  • The throughput for single-session flows going through an IPSec tunnel will not go above a specific maximum value.
  • For example, on PA-5400s, throughput is capped between 600 and 640 Mbps for SCP file transfers or other file downloads.
  • The throughput is greatly increased when bypassing the IPSec tunnel.


Environment


PA-400
PA-1400
PA-3400
PA-5400



Cause


On x86 platforms, IPSec encryption and decryption for a single session over a single IPSec tunnel are carried out in series. As a result, throughput is limited to the capacity of a single CPU core.



Resolution


This is an architecture limitation on the x86 platforms.


