PA-VM Firewall in AWS achieves throughput of 2Gbps Over IPsec Tunnel
Created On 03/18/20 16:26 PM - Last Modified 05/23/24 09:46 AM
Symptom
- The bidirectional throughput of the traffic across the IPsec tunnel is 2Gbps.
Log in to the firewall CLI and execute the CLI command below:
    > show session info
    Number of sessions supported:             4194290
    Number of active sessions:                135
    Number of active TCP sessions:            103
    Number of active UDP sessions:            20
    Number of active ICMP sessions:           5
    Number of active BCAST sessions:          0
    Number of active MCAST sessions:          0
    Number of active predict sessions:        2
    Session table utilization:                3%
    Number of sessions created since bootup:  34
    Packet rate:                              170388/s
    Throughput:                               1823660 kbps   <<<<<<<<<<<<<<<<<<<<<<<<<<<<<
    New connection establish rate:            3 cps
- The highlighted value shows the overall firewall throughput, not just the throughput of the IPsec tunnel.
- To determine the throughput of a specific IPsec tunnel, either the firewall should handle only IPsec traffic, or a client/server pair can be used for testing.
- In this case, we have the throughput on the PA-VM FW of about 2Gbps.
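To make the check above repeatable, the following added example (not part of this article or of PAN-OS) parses the `show session info` output into fields, converts the reported kbps figure to Gbps, and flags when the firewall is running near the ~2Gbps single-core IPsec ceiling described in this article. The sample output is reconstructed from the values shown above, and the 2Gbps limit and 90% margin are assumptions taken from the article's own numbers.

```python
import re

# Constructed sample, reflowed one field per line from the article's output.
SAMPLE_OUTPUT = """\
Number of sessions supported: 4194290
Number of active sessions: 135
Number of active TCP sessions: 103
Number of active UDP sessions: 20
Number of active ICMP sessions: 5
Session table utilization: 3%
Number of sessions created since bootup: 34
Packet rate: 170388/s
Throughput: 1823660 kbps
New connection establish rate: 3 cps
"""

# Assumed per-tunnel ceiling (article: one core per IPsec tunnel, ~2Gbps).
SINGLE_CORE_IPSEC_LIMIT_GBPS = 2.0


def parse_session_info(text):
    """Map each 'Name: <integer> [unit]' line to an int, ignoring units."""
    fields = {}
    for line in text.splitlines():
        match = re.match(r"^\s*(.+?):\s+(\d+)", line)
        if match:
            fields[match.group(1)] = int(match.group(2))
    return fields


def throughput_gbps(fields):
    """Convert the 'Throughput' field (kbps, decimal units) to Gbps."""
    return fields["Throughput"] / 1_000_000


def near_ipsec_ceiling(fields, limit_gbps=SINGLE_CORE_IPSEC_LIMIT_GBPS, margin=0.9):
    """True when overall throughput is within `margin` of the per-tunnel limit.

    Only meaningful if the firewall carries IPsec traffic alone, as the
    article notes; otherwise the figure includes non-tunnel traffic.
    """
    return throughput_gbps(fields) >= limit_gbps * margin


if __name__ == "__main__":
    info = parse_session_info(SAMPLE_OUTPUT)
    print(f"Throughput: {throughput_gbps(info):.3f} Gbps, "
          f"near single-core IPsec ceiling: {near_ipsec_ceiling(info)}")
```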
Environment
- Platform: PA-VM
- PAN-OS: 10.2.x versions and above
- Deployment: AWS
Cause
- This limitation is due to the PAN-OS architecture, where each IPsec tunnel session is processed by only one core. That single core both encapsulates and decapsulates the tunnel's traffic, resulting in a bidirectional throughput of approximately 2Gbps.
Resolution
- To test the data transfer capacity of the IPsec tunnel, initiate data flow through the tunnel using a client and a server. In this case, the AWS instance has 4 CPUs and supports a throughput of 2 Gigabits.
Additional Information
https://docs.paloaltonetworks.com/vm-series/11-1/vm-series-performance-capacity/vm-series-performance-capacity/vm-series-on-aws-performance-and-capacity