https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-slowness-issue/m-p/512649#M106517 <P>Hi Folks,</P> <P>&nbsp;</P> <P>We are having only two ISP each with 100 Mbps bandwidth each. We are using only one ISP interface as primary. Upon checking the below command we had identified the throughput is measuring upto 130-150 Mbps.&nbsp;</P> <P><STRONG><SPAN class="">&gt; show system statistics session</SPAN></STRONG></P> <P>&nbsp;</P> <P>&nbsp;After load-balancing the traffic between two ISP's the upload/download speed via the tunnel interface had increased.</P> Tue, 23 Aug 2022 09:07:38 GMT tamilvanan 2022-08-23T09:07:38Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-slowness-issue/m-p/509395#M106048 <P>Hi Folks,</P> <P>&nbsp;</P> <P>We had recently configured an IPSec tunnel between the PA and the Cisco Meraki firewall.&nbsp;</P> <P>&nbsp;</P> <P>The PA firewall is located in India and the Cisco firewall is located in USA.</P> <P>&nbsp;</P> <P>We are trying to upload an file from an Linux host located behind the PA firewall to an server located behind the Cisco firewall using wget http option from linux machine.</P> <P>&nbsp;</P> <P>While uploading we are getting an speed of only 200 kbps. Our ISP bandwidth is 200 Mbps.</P> <P>&nbsp;</P> <P>Upon taking global counter we could see that the firewall is dropping the packet with the below counter&nbsp;</P> <P>&nbsp;</P> <P><STRONG><SPAN> tcp_drop_packet 2 0 warn tcp pktproc packets dropped because of failure in tcp reassembly<BR />tcp_exceed_flow_seg_limit 2 0 warn tcp resource packets dropped due to the limitation on tcp out-of-order queue size</SPAN></STRONG></P> <P>&nbsp;</P> <P>We had changed the MTU on the tunnel interface but no luck. After allowing the out-of-order TCP packets using the below command the speed had increased an bit.</P> <P>&nbsp;</P> <P><STRONG>&gt; config</STRONG><BR /><STRONG># set deviceconfig setting tcp bypass-exceed-oo-queue &lt;yes|no&gt;</STRONG><BR /><STRONG># commit</STRONG></P> <P><SPAN><A href="https://knowledgebase.paloaltonetworks.com/kcSArticleDetail?id=kA10g000000ClWK" target="_blank">https://knowledgebase.paloaltonetworks.com/kcSArticleDetail?id=kA10g000000ClWK</A></SPAN></P> <P>&nbsp;</P> <P><SPAN>Is this an issue with the firewall or issue with the host.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Thanks in advance.</SPAN></P> Wed, 20 Jul 2022 15:35:23 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-slowness-issue/m-p/509395#M106048 tamilvanan 2022-07-20T15:35:23Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-slowness-issue/m-p/509411#M106051 <P>Hello,</P> <P>Was the MTU changed on both sides of the tunnel?</P> <P>Regards,</P> Wed, 20 Jul 2022 18:07:23 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-slowness-issue/m-p/509411#M106051 OtakarKlier 2022-07-20T18:07:23Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-slowness-issue/m-p/509455#M106059 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580">@OtakarKlier</a>&nbsp;</P> <P>&nbsp;</P> <P>Yes we had tried to ping the server on the peer end with the do-not fragment bit enabled and configured the supported MTU value on both side of the tunnel interfaces.</P> <P>&nbsp;</P> Thu, 21 Jul 2022 05:54:04 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-slowness-issue/m-p/509455#M106059 tamilvanan 2022-07-21T05:54:04Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-slowness-issue/m-p/509549#M106076 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/165087">@tamilvanan</a>,</P> <P>How stable of a connection do you have between sites outside of the tunnel? If your getting so many out of order packets that it's causing issues and the MTU is correct, are you experiencing a larger amount of packet loss between the two nodes themselves?&nbsp;</P> Thu, 21 Jul 2022 22:23:40 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-slowness-issue/m-p/509549#M106076 BPry 2022-07-21T22:23:40Z https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-slowness-issue/m-p/512649#M106517 <P>Hi Folks,</P> <P>&nbsp;</P> <P>We are having only two ISP each with 100 Mbps bandwidth each. We are using only one ISP interface as primary. Upon checking the below command we had identified the throughput is measuring upto 130-150 Mbps.&nbsp;</P> <P><STRONG><SPAN class="">&gt; show system statistics session</SPAN></STRONG></P> <P>&nbsp;</P> <P>&nbsp;After load-balancing the traffic between two ISP's the upload/download speed via the tunnel interface had increased.</P> Tue, 23 Aug 2022 09:07:38 GMT https://live.paloaltonetworks.com/t5/general-topics/ipsec-tunnel-slowness-issue/m-p/512649#M106517 tamilvanan 2022-08-23T09:07:38Z