PA-VM deployed in AWS with throughput across IPsec tunnel limited to 600 Mbps

Created On 03/18/20 16:26 PM - Last Modified 04/06/20 17:29 PM


Symptom


Bi-directional throughput for traffic across the IPsec tunnel is limited to 600 Mbps, which results in application slowness, latency, and packet loss for data traversing the tunnel.
  • Log in to the firewall CLI and run the following command:
> show session info
Number of sessions supported: 4194290
Number of active sessions: 135700
Number of active TCP sessions: 103320
Number of active UDP sessions: 25300
Number of active ICMP sessions: 5166
Number of active BCAST sessions: 0
Number of active MCAST sessions: 0
Number of active predict sessions: 29
Session table utilization: 3%
Number of sessions created since bootup: 660498175
Packet rate: 67414/s
Throughput: 550072 kbps
New connection establish rate: 3314 cps
  • The Throughput value in the CLI output above is a global value for the firewall, not just for the IPsec tunnel.
  • To determine the precise throughput of the IPsec tunnel, either the firewall should be passing only IPsec traffic, or one can rely on the client/server being used for testing.
  • In this case, the PA-VM is giving around 550 Mbps of throughput.

 


Environment


  • Platform: PA-VM
  • PAN-OS / Plugin Version: 8.1.0 / -
  • Deployment: AWS


Cause


  • This limitation is due to the PAN-OS architecture, where each IPsec tunnel session is processed by only one core. Each core can encapsulate a maximum of 300 Mbps of traffic and decapsulate another 300 Mbps, which combine to give a bidirectional throughput of 600 Mbps.


Resolution


  • Create multiple tunnels between the two sites, each of which can provide a bi-directional throughput of 600 Mbps, and load balance the interesting traffic across them.
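
The check from the Symptom section and the sizing implied by the Resolution, as an added example (not Palo Alto Networks code): it parses saved `show session info` output, compares the global Throughput counter with the 600 Mbps per-tunnel ceiling, and computes how many tunnels a target rate needs. The function names are hypothetical; it assumes the firewall is passing only IPsec traffic and that traffic is balanced evenly across tunnels.

```python
import math
import re

# Per-tunnel bidirectional ceiling from the Cause section (300 Mbps each way).
TUNNEL_CEILING_MBPS = 600

# Constructed sample: trimmed copy of the CLI output quoted in this article.
SAMPLE_OUTPUT = """\
> show session info
Number of sessions supported: 4194290
Number of active sessions: 135700
Session table utilization: 3%
Packet rate: 67414/s
Throughput: 550072 kbps
New connection establish rate: 3314 cps
"""

def parse_session_info(text):
    """Return {field name: raw value string} for each 'Name: value' line."""
    fields = {}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        if sep and value.strip():
            fields[name.strip()] = value.strip()
    return fields

def throughput_mbps(text):
    """Extract the global Throughput counter and convert kbps to Mbps."""
    raw = parse_session_info(text).get("Throughput", "")
    match = re.fullmatch(r"(\d+)\s*kbps", raw)
    if not match:
        raise ValueError("no 'Throughput: <n> kbps' line in output")
    return int(match.group(1)) / 1000

def tunnel_utilization(text, ceiling=TUNNEL_CEILING_MBPS):
    """Fraction of one tunnel's ceiling in use (assumes IPsec-only traffic)."""
    return throughput_mbps(text) / ceiling

def tunnels_needed(target_mbps, ceiling=TUNNEL_CEILING_MBPS):
    """Minimum tunnel count for a target aggregate rate (assumes even balancing)."""
    if target_mbps <= 0:
        raise ValueError("target must be positive")
    return math.ceil(target_mbps / ceiling)

if __name__ == "__main__":
    print(f"{throughput_mbps(SAMPLE_OUTPUT):.1f} Mbps, "
          f"{tunnel_utilization(SAMPLE_OUTPUT):.0%} of one tunnel's ceiling")
    print("tunnels for 2000 Mbps:", tunnels_needed(2000))
```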

