https://live.paloaltonetworks.com/t5/general-topics/vpn-performance-problem/m-p/47844#M35167 <HTML><HEAD></HEAD><BODY><P>Certainly seems like a bug that will need to be addressed.</P><P></P><P>What do the cpu stats look like when the nat is enabled?</P><P></P><P>I'm guessing there is some kind of bug interaction between nat and some other portion of the configuration.&nbsp; So you may end up with an option to keep the nat and change some other portion of the config to get past the bug until it is patched.</P></BODY></HTML> Sat, 21 Jun 2014 12:17:03 GMT pulukas 2014-06-21T12:17:03Z https://live.paloaltonetworks.com/t5/general-topics/vpn-performance-problem/m-p/47843#M35166 <HTML><HEAD></HEAD><BODY><P>Just wanted to all let you know about a VPN performance issue we have with one of our customers.</P><P>The customers is running an IPSec Site2Site Tunnel to a third party company (Cisco Device). They have a PA-5020 Cluster (5.0.12) and the Tunnel link is providing 1Gb/s throughput. Now all was working fine until the customer added a source NAT for the traffic entering the tunnel. The throughput went down from around 900Mb/s to 300Mb/s. <SPAN style="font-size: 10pt; line-height: 1.5em;">Disabling that particular NAT restores full throughput again. Case is open, so far there are no config issues, but still waiting for further findings.</SPAN></P><P></P><P>Has anyone observed such a performance impact when configuring a source NAT in a VPN Tunnel ?</P></BODY></HTML> Fri, 20 Jun 2014 06:57:15 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-performance-problem/m-p/47843#M35166 gafrol 2014-06-20T06:57:15Z https://live.paloaltonetworks.com/t5/general-topics/vpn-performance-problem/m-p/47844#M35167 <HTML><HEAD></HEAD><BODY><P>Certainly seems like a bug that will need to be addressed.</P><P></P><P>What do the cpu stats look like when the nat is enabled?</P><P></P><P>I'm guessing there is some kind of bug interaction between nat and some other portion of the configuration.&nbsp; So you may end up with an option to keep the nat and change some other portion of the config to get past the bug until it is patched.</P></BODY></HTML> Sat, 21 Jun 2014 12:17:03 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-performance-problem/m-p/47844#M35167 pulukas 2014-06-21T12:17:03Z https://live.paloaltonetworks.com/t5/general-topics/vpn-performance-problem/m-p/47845#M35168 <HTML><HEAD></HEAD><BODY><P>Nothing abnormal on the CPU load. Cleartext source NAT does not suffer from this performance hit, only source NAT within a tunnel seems to create the problem.</P></BODY></HTML> Mon, 23 Jun 2014 06:57:06 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-performance-problem/m-p/47845#M35168 gafrol 2014-06-23T06:57:06Z https://live.paloaltonetworks.com/t5/general-topics/vpn-performance-problem/m-p/47846#M35169 <HTML><HEAD></HEAD><BODY><P dir="ltr" style="color: #222222; font-family: arial, sans-serif; font-size: 12.727272033691406px;">Are your NAT rules sufficiently wide to include ICMP traffic? </P><P dir="ltr" style="color: #222222; font-family: arial, sans-serif; font-size: 12.727272033691406px;"></P><P dir="ltr" style="color: #222222; font-family: arial, sans-serif; font-size: 12.727272033691406px;">The MTU across the tunnel will be lower than normal.&nbsp; Perhaps without the NAT, MTU discovery (using ICMP) is working - lowering the MSS of the TCP sessions across the tunnel.&nbsp; If the NAT doesn't include ICMP traffic, MTU discovery will be broken and your traffic flow rate will suffer greatly...</P><P dir="ltr" style="color: #222222; font-family: arial, sans-serif; font-size: 12.727272033691406px;"></P><P dir="ltr" style="color: #222222; font-family: arial, sans-serif; font-size: 12.727272033691406px;">I'd ensure the NAT rule has no service component so it is just acting on the IP addresses at each end of the link (and perhaps the in/out interfaces).</P></BODY></HTML> Mon, 23 Jun 2014 08:06:10 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-performance-problem/m-p/47846#M35169 ajbool 2014-06-23T08:06:10Z https://live.paloaltonetworks.com/t5/general-topics/vpn-performance-problem/m-p/47847#M35170 <HTML><HEAD></HEAD><BODY><PRE __jive_macro_name="quote" class="jive_text_macro jive_macro_quote" modifiedtitle="true"> <P>Are your NAT rules sufficiently wide to include ICMP traffic? </P> <P dir="ltr"></P> </PRE><P>Yes, we usually don't use service restrictions in the NAT, this is done in the security rules.</P></BODY></HTML> Mon, 23 Jun 2014 08:28:44 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-performance-problem/m-p/47847#M35170 gafrol 2014-06-23T08:28:44Z https://live.paloaltonetworks.com/t5/general-topics/vpn-performance-problem/m-p/47848#M35171 <HTML><HEAD></HEAD><BODY><P>I saw a case with the same issue which is still in the research phase. You should open a case too. Maybe this will speed up the process if you can provide more data.</P></BODY></HTML> Mon, 23 Jun 2014 09:00:18 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-performance-problem/m-p/47848#M35171 Wenar 2014-06-23T09:00:18Z https://live.paloaltonetworks.com/t5/general-topics/vpn-performance-problem/m-p/47849#M35172 <HTML><HEAD></HEAD><BODY><P>Case is open since one week</P></BODY></HTML> Mon, 23 Jun 2014 09:52:56 GMT https://live.paloaltonetworks.com/t5/general-topics/vpn-performance-problem/m-p/47849#M35172 gafrol 2014-06-23T09:52:56Z