https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPsec-Throughput/m-p/223730#M42925 <P>Enabled blades is : Firewall, S2S VPN, Mobile Access, App Control, URL Filtering, IPS, Antibot, Antivirus, network policy management &amp; Log.</P> <P>The encryption i used on VPN community string is AES-256 for phase 1 and 3DES for phase 2</P> Thu, 15 Aug 2024 09:48:16 GMT handiansudianto 2024-08-15T09:48:16Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPsec-Throughput/m-p/223724#M42920 <P>Hello,</P> <P>My internet connection speed is 100Mbps, testing by accessing speedtest.net and showing 101.90Mbps for download and 115.14Mbps for upload.</P> <P>I also have IPsec site to site tunnel to connecting our onprem to azure, and when i do speed test by copy larger file from onprem to the azure i can see the traffic is not fully utilize the available bandwidth.</P> <P>testing speed only get about 3-4 MB/s or about 30Mbps. Anyone know how to fine tuning my checkpoint to get better utilization for ipsec?</P> <P>&nbsp;</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screenshot 2024-08-15 145439.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/27250i7FFE597F04E01B49/image-size/large?v=v2&amp;px=999" role="button" title="Screenshot 2024-08-15 145439.png" alt="Screenshot 2024-08-15 145439.png" /></span></P> Thu, 15 Aug 2024 08:04:16 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPsec-Throughput/m-p/223724#M42920 handiansudianto 2024-08-15T08:04:16Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPsec-Throughput/m-p/223725#M42921 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/88545">@handiansudianto</a>&nbsp;</P> <P>And what about the load of the participating gateways in S2S tunnel? One for eg. SCP connection is handled by one CPU core. Can you check the CPU-s on both side?</P> <P>Maybe the bottleneck is on the AZURE side? Can you check it somehow without VPN?</P> <P>Akos</P> <P>&nbsp;</P> Thu, 15 Aug 2024 08:28:51 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPsec-Throughput/m-p/223725#M42921 AkosBakos 2024-08-15T08:28:51Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPsec-Throughput/m-p/223726#M42922 <P>Hi,</P> <P>This depends on a few factors. Most common:</P> <P>What blades are enabled on the gateways.&nbsp;</P> <P>What encryption methods are used? (for example 3DES is not only very unsafe but also very intensive for the load)&nbsp;</P> Thu, 15 Aug 2024 08:40:52 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPsec-Throughput/m-p/223726#M42922 Lesley 2024-08-15T08:40:52Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPsec-Throughput/m-p/223728#M42924 <P>How i can check the load?</P> Thu, 15 Aug 2024 09:45:37 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPsec-Throughput/m-p/223728#M42924 handiansudianto 2024-08-15T09:45:37Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPsec-Throughput/m-p/223730#M42925 <P>Enabled blades is : Firewall, S2S VPN, Mobile Access, App Control, URL Filtering, IPS, Antibot, Antivirus, network policy management &amp; Log.</P> <P>The encryption i used on VPN community string is AES-256 for phase 1 and 3DES for phase 2</P> Thu, 15 Aug 2024 09:48:16 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPsec-Throughput/m-p/223730#M42925 handiansudianto 2024-08-15T09:48:16Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPsec-Throughput/m-p/223736#M42927 <P>Hi&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/88545">@handiansudianto</a>&nbsp;</P> <P>#cpview&nbsp;</P> <P>#top</P> <P>#htop</P> <P>If you are not familiar with the last 2 commands use #cpview CPU tab. You will see the CPU utilization</P> <P>Akos</P> <P>&nbsp;</P> Thu, 15 Aug 2024 10:43:13 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPsec-Throughput/m-p/223736#M42927 AkosBakos 2024-08-15T10:43:13Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPsec-Throughput/m-p/223740#M42928 <DIV id="tinyMceEditor_6c1990b66ecachandiansudianto_0" class="mceNonEditable lia-copypaste-placeholder">&nbsp;</DIV> <P>Here result of 3 command, seems the utilization is normal.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="cpvoew.png" style="width: 833px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/27251i003A6B8F55DAAB75/image-size/large?v=v2&amp;px=999" role="button" title="cpvoew.png" alt="cpvoew.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="top.png" style="width: 901px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/27252i55D1933C1E1D5516/image-size/large?v=v2&amp;px=999" role="button" title="top.png" alt="top.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="htop.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/27253i241BD4CDF14FFF2A/image-size/large?v=v2&amp;px=999" role="button" title="htop.png" alt="htop.png" /></span></P> <P>&nbsp;</P> Thu, 15 Aug 2024 10:48:40 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPsec-Throughput/m-p/223740#M42928 handiansudianto 2024-08-15T10:48:40Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPsec-Throughput/m-p/223741#M42929 <P>3des is the worst for performance see:</P> <P><A href="https://support.checkpoint.com/results/sk/sk73980" target="_blank">https://support.checkpoint.com/results/sk/sk73980</A></P> <P><A href="https://support.checkpoint.com/results/sk/sk98950" target="_blank">https://support.checkpoint.com/results/sk/sk98950</A></P> <P>Change asap since it is very weak encryption method</P> Thu, 15 Aug 2024 11:03:34 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPsec-Throughput/m-p/223741#M42929 Lesley 2024-08-15T11:03:34Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPsec-Throughput/m-p/223749#M42930 <P>I can tell you that literally 99% of the time when I worked with folks on this exact problem, I always found it to be one of the 2 problems.</P> <P>1) Encryption methods used&nbsp;</P> <P>OR</P> <P>2) MTU size</P> <P>Never a combination of both.</P> <P>Andy</P> Thu, 15 Aug 2024 12:35:22 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPsec-Throughput/m-p/223749#M42930 the_rock 2024-08-15T12:35:22Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPsec-Throughput/m-p/223750#M42931 <P><SPAN>Site-to-Site VPN performance issues generally come down to some combination of these three things:</SPAN><BR /><BR /><SPAN>1) <STRONG>Path Low MTU Issues</STRONG> - From expert mode on your Check Point firewall run <STRONG>tracepath</STRONG> to your Azure VPN peer, this will report the max MTU for that network path.&nbsp; If it is less than 1500 you may need to allow ICMP Type 3, Code 4 packets into your firewall from anywhere for pmtud to work, or look at TCP MSS Clamping</SPAN><BR /><BR /><SPAN>2) <STRONG>Slow algorithms in use like 3DES</STRONG> (already mentioned in this thread) - remember that the Phase 2/IPSec tunnel transfers the vast majority of data through a VPN so its encryption setting will have a far greater impact than the one for IKE/Phase 1.&nbsp; You may want to look at using the GCM versions of AES which are even more efficient than standard AES and also capable of being fully offloaded into the AES-NI processor extension, if the Azure peer supports GCM</SPAN><BR /><BR /><SPAN>3) Encryption/Decryption operations for a particular VPN tunnel can only happen on <STRONG>one core, or are stuck in the slowpath</STRONG> - If the first two listed are not the issue (check them first), the traffic may be in the F2F/slowpath due to what blades you have enabled or other unusual conditions being present, or it is being bottlenecked by single-core limitations as in the case of an elephant flow</SPAN></P> <P><SPAN>All this is covered quite extensively in my <A href="http://www.maxpowerfirewalls.com/gw-optimization-course.html" target="_blank" rel="noopener">Gateway Performance Optimization Course</A>.</SPAN></P> Thu, 28 Nov 2024 14:14:17 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPsec-Throughput/m-p/223750#M42931 Timothy_Hall 2024-11-28T14:14:17Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPsec-Throughput/m-p/223814#M42953 <P>Hi,</P> <P><BR />Changed to AES-128 and have better throughput. Thanks</P> Fri, 16 Aug 2024 01:32:53 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPsec-Throughput/m-p/223814#M42953 handiansudianto 2024-08-16T01:32:53Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPsec-Throughput/m-p/223816#M42954 <P>Hello,</P> <P>Here result of tracepath, seem 1500 MTU i used. Am i right?</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="4.png" style="width: 852px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/27262i31403D571738DF5E/image-size/large?v=v2&amp;px=999" role="button" title="4.png" alt="4.png" /></span></P> Fri, 16 Aug 2024 01:36:08 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPsec-Throughput/m-p/223816#M42954 handiansudianto 2024-08-16T01:36:08Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPsec-Throughput/m-p/223818#M42956 <P>You got it.</P> Fri, 16 Aug 2024 02:22:08 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/IPsec-Throughput/m-p/223818#M42956 the_rock 2024-08-16T02:22:08Z