ScreenOS Firewalls (NOT SRX)

High cpu with small amounts of VPN traffic

08-05-2019 06:18 AM

We're trying to offload VPN traffic from our main firewall with an ISG 2000 running 6.3.0r13b.0, which we pulled out of the closet. This is a route-based VPN, but even with a single copy process started to the remote location, CPU spikes over 80% and the copy process is much slower (less than 1/2) than on the main firewall with all processes running over the tunnel. I'm hoping I missed a setting that might boost VPN performance. Can anyone help me out? Thanks

Re: High cpu with small amounts of VPN traffic

08-05-2019 08:27 AM

I forgot to mention this is for a 256-bit AES tunnel. The documentation states 1 Gbps for 3DES, which I'd guess is about the same for 128-bit AES. We have high CPU usage for around 2 Mbps, and the CPU drops when the transfer stops. Thanks again.

Re: High cpu with small amounts of VPN traffic

08-05-2019 11:59 AM

When you use 256-bit AES encryption, it is done in the CPU. If you have fragmentation, that will also increase the CPU load.

Re: High cpu with small amounts of VPN traffic

08-10-2019 12:59 AM

This is a design limitation. As mentioned in the previous response, AES-256 encryption and decryption are handled on the CPU of ISGs rather than on the ASIC chips. The CPU on these platforms can get overwhelmed easily. Consider using a different cipher.
Regards,
Gokul