https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-ssl-vs-ipsec/m-p/383119#M858 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/118537">@Scott.Ainslie</a>&nbsp;</P> <P>&nbsp;</P> <P>Here is main reason for slowness over SSL</P> <P><SPAN>GlobalProtect is slower on SSL VPN because SSL requires more overhead than IPSec. Also, Transmission Control Protocol (TCP) is more prone to latency than User Datagram Protocol (UDP), which is used in IPsec GlobalProtect.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Hope this helps.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Regards</SPAN></P> Sun, 31 Jan 2021 04:56:28 GMT MP18 2021-01-31T04:56:28Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-ssl-vs-ipsec/m-p/382997#M857 <P class="_1qeIAgB0cPwnLhDF9XSiJM">Help me come to grips with this. I recently enabled IPSec on our PAN for end user VPN's. I did it primarily to hopefully get improved VoIP performance, less jitter, and perhaps a marginal speed improvement. What I have found is an almost across the board doubling of download speeds.</P><P class="_1qeIAgB0cPwnLhDF9XSiJM">&nbsp;</P><P class="_1qeIAgB0cPwnLhDF9XSiJM">If you consider that most of my users are on regular consumer Xfinity cable links when using SSL their speed test would average around 15 - 20Mbps. Switching to IPSec changes that to 30 - 50Mbps pretty reliably. Happy, but not what I was expecting and I am trying to understand where the bottleneck is in SSL?</P><P class="_1qeIAgB0cPwnLhDF9XSiJM">&nbsp;</P><P class="_1qeIAgB0cPwnLhDF9XSiJM">Both data and management CPU's are running mostly below the 20's and haven't noticeably changed after moving to IPSec. I know that IPSec has lower overhead, quicker connection establishment and doesn't suffer from the TCP inside TCP that SSL (TLS) has but I wasn't expecting this big of a difference. I am left thinking the bottleneck is in the encryption methods either on the firewall or in the GlobalProtect client.</P><P class="_1qeIAgB0cPwnLhDF9XSiJM">&nbsp;</P><P class="_1qeIAgB0cPwnLhDF9XSiJM">PanOS 9.1.4, GlobalProtect 5.2.3</P><P class="_1qeIAgB0cPwnLhDF9XSiJM">&nbsp;</P><P class="_1qeIAgB0cPwnLhDF9XSiJM">Thoughts?</P> Fri, 29 Jan 2021 22:11:06 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-ssl-vs-ipsec/m-p/382997#M857 Scott.Ainslie 2021-01-29T22:11:06Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-ssl-vs-ipsec/m-p/383119#M858 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/118537">@Scott.Ainslie</a>&nbsp;</P> <P>&nbsp;</P> <P>Here is main reason for slowness over SSL</P> <P><SPAN>GlobalProtect is slower on SSL VPN because SSL requires more overhead than IPSec. Also, Transmission Control Protocol (TCP) is more prone to latency than User Datagram Protocol (UDP), which is used in IPsec GlobalProtect.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Hope this helps.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Regards</SPAN></P> Sun, 31 Jan 2021 04:56:28 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/globalprotect-ssl-vs-ipsec/m-p/383119#M858 MP18 2021-01-31T04:56:28Z