ESP or SSL Only ??? Thinking of going SSL Only.

Super Contributor

Just saw a post that got me thinking.

Over the years I've seen many issues with the transport protocol failing over from ESP to SSL. Oftentimes it wouldn't work and would give the dreaded "Reconnecting" messages.

Who has gone SSL only? Has it been good for you? Any complaints about performance? Would you recommend it?

Thanks,

Justin

12 REPLIES
Regular Contributor

Re: ESP or SSL Only ??? Thinking of going SSL Only.

I had it running over SSL for 2 years and haven't had any problems. The performance makes no difference in my opinion. I've configured ESP now, which works great as well, but I can't say that it's appreciably faster.

Which reconnecting message do you mean? If it's not able to connect via UDP/4500 it immediately starts the SSL session. I haven't seen any reconnecting messages then?

Super Contributor

Re: ESP or SSL Only ??? Thinking of going SSL Only.

Why did you switch to ESP?

I think ESP is prone to more connectivity issues. I would often see messages in the logs of the traffic failing over to SSL.

Thanks,
Justin

Super Contributor

Re: ESP or SSL Only ??? Thinking of going SSL Only.

Well, one thing you might want to keep in mind is that SSL does put more load on the box vs. ESP. Now, I did run into an issue where users failing over from ESP to SSL was causing our CPU to spike, but that was a couple of builds ago.

Contributor

Re: ESP or SSL Only ??? Thinking of going SSL Only.

@jickfoo wrote:

Why did you switch to ESP?

I think ESP is prone to more connectivity issues. I would often see messages in the logs of the traffic failing over to SSL.

Thanks,
Justin

Of course you're going to see messages in the logs about traffic failing over to SSL. Anywhere that UDP 4500 isn't open out of the network - i.e. many hotels, conference centers, customer/vendor sites, etc.

We did notice a significant improvement in speed and reduced load on our SA6500s when we implemented ESP. Specifically, file transfers and NetBIOS traffic saw the biggest improvement.

Occasional Contributor

Re: ESP or SSL Only ??? Thinking of going SSL Only.

Yes, ESP is set for performance and SSL for compatibility.

There were bugs in certain releases which caused instability, e.g. 6.0R1, 6.0R2, 6.0R3.x, 6.0R4.0, 6.0R4.1.
Release 5.x is not affected.

http://kb.pulsesecure.net/index?page=content&id=KB11990&actp=search&searchid=1269298497320

http://kb.pulsesecure.net/index?page=content&id=KB8569&actp=search&searchid=1269298497320

http://kb.pulsesecure.net/index?page=content&id=KB3116&actp=search&searchid=1269298497320

Hope this helps

Occasional Contributor

Re: ESP or SSL Only ??? Thinking of going SSL Only.

Network Connect starts by using SSL/NCP with the intention of using ESP as the transport mode. If the ESP mode is not established within the fallback timeout, then it continues to use the SSL/NCP mode. When the fall back occurs it uses the existing SSL session and does not renegotiate the SSL session.

A firewall will see two connections per user when using ESP: one for the Control Channel on port 443 (SSL) and one for the Data Channel on port 4500 (the default for ESP). When using SSL/NCP, both the Control and Data Channel use SSL.

Occasional Contributor

Re: ESP or SSL Only ??? Thinking of going SSL Only.

SSL transport mode will provide reliability, but performance will take a hit.

You need to see why/where/if the ESP/UDP packets are dropped between the NC/ESP client AND the NC/ESP server.
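The two posts above describe the transport behaviour (Network Connect brings up the SSL/NCP control channel on TCP/443, attempts ESP on UDP/4500, and falls back to SSL/NCP if ESP is not established within the fallback timeout) and the diagnostic question that follows from it (is UDP/4500 being dropped somewhere on the path?). The script below is an added example, not code from the thread or from Pulse Secure: it classifies per-user sessions from flow records as ESP or SSL fallback and says which side of the path to look at. The flow records, user names, and the 15-second fallback timeout are constructed assumptions; the page gives no timeout value and no log format.

```python
"""Classify Network Connect sessions as ESP or SSL/NCP fallback from flow records.

Added example. The record layout and the FALLBACK_TIMEOUT value are assumptions;
only the ports (TCP/443 control channel, UDP/4500 ESP data channel) and the
"fall back to SSL/NCP after a timeout" behaviour come from the thread.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

FALLBACK_TIMEOUT = 15.0  # assumed seconds; the thread does not state the real value

# Constructed flow records: (timestamp_seconds, user, proto, dst_port, direction)
# "out" = client -> VPN concentrator, "in" = concentrator -> client, as seen at the
# perimeter firewall.
FLOWS: List[Tuple[float, str, str, int, str]] = [
    (0.0, "alice", "tcp", 443, "out"),   # control channel over SSL
    (1.0, "alice", "udp", 4500, "out"),  # ESP probe leaves the client
    (1.2, "alice", "udp", 4500, "in"),   # server answers: ESP established
    (0.0, "bob", "tcp", 443, "out"),
    (1.0, "bob", "udp", 4500, "out"),    # probes leave but nothing returns
    (5.0, "bob", "udp", 4500, "out"),
    (10.0, "bob", "udp", 4500, "out"),
    (0.0, "carol", "tcp", 443, "out"),   # no UDP/4500 at all: blocked before the firewall
]


@dataclass
class Session:
    control_start: Optional[float] = None   # first TCP/443 flow from the client
    esp_out: List[float] = field(default_factory=list)  # UDP/4500 client -> server
    esp_in: List[float] = field(default_factory=list)   # UDP/4500 server -> client


def classify(flows, timeout: float = FALLBACK_TIMEOUT) -> Dict[str, Tuple[str, str]]:
    """Return {user: (transport, diagnosis)} for every user seen in the flows.

    transport is "esp", "ssl-fallback" or "no-control-channel".
    """
    sessions: Dict[str, Session] = defaultdict(Session)
    for ts, user, proto, port, direction in flows:
        s = sessions[user]
        if proto == "tcp" and port == 443 and direction == "out":
            if s.control_start is None:
                s.control_start = ts
        elif proto == "udp" and port == 4500:
            (s.esp_out if direction == "out" else s.esp_in).append(ts)

    result: Dict[str, Tuple[str, str]] = {}
    for user, s in sessions.items():
        if s.control_start is None:
            result[user] = ("no-control-channel",
                            "no TCP/443 control channel seen; the client never reached the SA")
            continue
        # ESP counts as established only if the server's reply arrived within the
        # fallback window measured from the start of the SSL control channel.
        replies_in_window = [t for t in s.esp_in if t - s.control_start <= timeout]
        if replies_in_window:
            result[user] = ("esp", "UDP/4500 answered within the fallback timeout")
        elif s.esp_out:
            result[user] = ("ssl-fallback",
                            "client sent UDP/4500 but no reply was seen: check the path "
                            "from the firewall to the SA and the SA's ESP settings")
        else:
            result[user] = ("ssl-fallback",
                            "no UDP/4500 seen at the firewall: egress is blocked on the "
                            "client side (hotel/customer network) or by the client itself")
    return result


def summarize(flows, timeout: float = FALLBACK_TIMEOUT) -> Dict[str, int]:
    """Count sessions per transport, the figure to watch when deciding on SSL-only."""
    counts: Dict[str, int] = defaultdict(int)
    for transport, _ in classify(flows, timeout).values():
        counts[transport] += 1
    return dict(counts)


if __name__ == "__main__":
    for user, (transport, why) in sorted(classify(FLOWS).items()):
        print(f"{user:8s} {transport:18s} {why}")
    print(summarize(FLOWS))
```

The split between "UDP/4500 seen outbound with no reply" and "no UDP/4500 at all" is the point: the first suggests a drop between the perimeter and the SA (or on the SA), the second a block on the user's side of the network, which is the fallback-to-SSL case the earlier replies describe as normal for hotels and customer sites.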

Occasional Contributor

Re: ESP or SSL Only ??? Thinking of going SSL Only.

Hi

Occasional Contributor

Re: ESP or SSL Only ??? Thinking of going SSL Only.

Hi,

Does it mean I have to have port 443 translated to the SA device from the firewall even if I am using ESP mode? I actually have another device listening on port 443, so I have to use another port. Now, as per the documentation, NC can work on UDP 4500, but looking at your response it seems like port 443 is not completely eliminated even after using UDP. Please clarify/help.

Regards

Mazhar Rafi