Created On 03/17/20 22:14 PM - Last Modified 04/06/20 17:03 PM
Symptom
Bi-directional throughput for traffic across an IPsec tunnel is limited to 600 Mbps, which results in application slowness, latency and packet loss for data traversing the tunnel.

Log in to the firewall CLI and execute the following command:

> show session info

Number of sessions supported: 4194290
Number of active sessions: 135700
Number of active TCP sessions: 103320
Number of active UDP sessions: 25300
Number of active ICMP sessions: 5166
Number of active BCAST sessions: 0
Number of active MCAST sessions: 0
Number of active predict sessions: 29
Session table utilization: 3%
Number of sessions created since bootup: 660498175
Packet rate: 67414/s
Throughput: 550072 kbps
New connection establish rate: 3314 cps

The Throughput value in the CLI output above is a global value for the firewall, not just for the IPsec tunnel. To know the precise throughput of the IPsec tunnel, either the firewall should be passing only IPsec traffic, or one can rely on the client/server being used for testing. In this case the PA-VM is giving around 550 Mbps throughput.

Environment

Cause
This limitation is due to the PAN-OS architecture, where each IPsec tunnel session is processed by only one core, and each core encapsulates a maximum of 300 Mbps of traffic and decapsulates another 300 Mbps of traffic, combining to a bidirectional throughput of 600 Mbps.

Resolution
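For reading the `show session info` output shown on this page, here is an added example (not part of the original article or of any Palo Alto Networks tooling) that parses the output and compares the global Throughput figure with the 600 Mbps per-tunnel ceiling described here. The function names and the `ipsec_only` flag are assumptions made for illustration; the sample text is constructed from the fields shown in the article.

```python
import re

# Per-tunnel ceiling stated in this article: 300 Mbps encapsulation plus
# 300 Mbps decapsulation on the single core that handles the tunnel session.
TUNNEL_CEILING_MBPS = 600

# Constructed sample: a subset of the fields from the output shown in this article.
SAMPLE = """\
Number of sessions supported: 4194290
Number of active sessions: 135700
Session table utilization: 3%
Packet rate: 67414/s
Throughput: 550072 kbps
New connection establish rate: 3314 cps
"""

def parse_session_info(text):
    """Return {field name: (numeric value, unit)} for each 'name: value' line."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+):\s*(\d+)\s*(\S*)\s*$", line)
        if m:
            fields[m.group(1).strip()] = (int(m.group(2)), m.group(3))
    return fields

def tunnel_headroom(text, ipsec_only=False):
    """Compare the global Throughput value with the per-tunnel ceiling.

    ipsec_only is an assumption supplied by the operator: the global figure
    only describes the tunnel when the firewall passes nothing but IPsec traffic.
    """
    fields = parse_session_info(text)
    if "Throughput" not in fields:
        raise ValueError("no Throughput line in output")
    value, unit = fields["Throughput"]
    if unit != "kbps":
        raise ValueError(f"unexpected throughput unit: {unit!r}")
    mbps = value / 1000
    return {
        "throughput_mbps": mbps,
        "percent_of_ceiling": round(100 * mbps / TUNNEL_CEILING_MBPS, 1),
        "describes_tunnel": ipsec_only,
    }

if __name__ == "__main__":
    print(tunnel_headroom(SAMPLE, ipsec_only=True))
```

When `describes_tunnel` is false, the percentage is only an upper bound on what the tunnel itself is carrying, because other traffic through the firewall is counted in the same figure.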