Hello,

Is there any documentation about those tweaks for TCP performance? And what about the IRQ thingy?

On Thu, Nov 8, 2007 at 2:34 AM, Prabhu Gurumurthy <[EMAIL PROTECTED]> wrote:
> Brian A Seklecki (Mobile) wrote:
> >
> > On Mon, 2007-11-05 at 07:23 +0100, Martin Toft wrote:
> > >
> > > On Mon, Nov 05, 2007 at 01:29:05AM +0100, Cabillot Julien wrote:
> > > >
> > > > Have you tried OpenBSD 4.2? PF has been really improved in this
> > > > release.
> > > >
> > >
> >
> > pf(4) has nothing to do with isakmpd(8), except as it relates to recent
> > addition of routing tags.
> >
> > - PIX/ASA is going to get you a default packet "ASA" forwarding based on
> >   interface weights
> > - PIX/ASA is going to guarantee easily setup and functional Hybrid-XAUTH
> >   VPN Road-warrior clients
> > - PIX has functional object-groups/group-object inheritance
> > - PIX/ASA has proprietary serial console fail-over (which is marginally
> >   faster than waiting for CARP)
> > - PIX/ASA has some magical black-box inline transparent protocol
> >   "fixups"
> > - PIX has a 4 hour SmartNet support contract option
> > - PIX/ASA has a SNMP MIB tree (Which we are working to catch up on)
> >
> > I don't know about ASA, but the 5xx PIX doesn't support IPv6
> >
> > Otherwise they're both software-based stateful IP packet forwarding
> > engines running on i386 with NAT and IPSec and 802.1q support.
> >
> > OpenBSD will always scale better because you can run it on the hardware
> > platform of your choice.
> >
> > ~BAS
> >
> > > 1. VPN is computationally heavy -- is your hardware fast enough?
> > >
> > > 2. Try playing with queueing in PF to handle some types of traffic
> > >    faster than others. AFAIK, it is normal to find this kind of
> > >    configuration in commercial, black-box solutions, disguised as buzzy
> > >    slogans like "Built-in QoS Super-Routing" :-)
> > >
> > > Just my two cents.
> > >
> > > Martin
> >
>
> Are you sure PIX 515 and above does not support IPv6? By that do you mean
> IPv6 routing, if that is the case, yes. But PIX 515E and ASA do support
> IPv6 fine when you use 7.X and above version of image.
>
> In addition to your 4th point, PIX and ASA support failover using LAN, only
> PIX supports serial based failover.
>
> To the OP:
> We use ASA and OpenBSD in our production environment and we spent close to
> $10,000 buying twin ASAs (using GigE) for failover, but only $2000 to buy
> two Dell boxes to put OpenBSD (using GigE) on them and use them as failover
> i.e. pf + pfsync + sasyncd and it's been fine for past 11 months.
>
> Where do you see OpenBSD lagging behind, if it is a transfer rate you can
> tweak tcp settings using sysctl, you can upgrade to 4.2 as the other post
> indicated.
>
> And are you willing to spend money to buy expensive gear that is the
> question?

