topic Slow VPN performance in >ONE< direction in General Topics

Slow VPN performance in >ONE< direction

itserviceHEWA — Thu, 14 Jun 2018 14:38:16 GMT

Hello Community,

i have a strange problem regarding VPN.

Here is my setup:

HQ:

- PA3020 vsys2 connects to a 100/100Mbit WAN. (local, stable provider)

- Public IP is configured directly on a interface of the PA

- Speedtest from local network in HQ commits the 100/100Mbit

Branch:

- PA220 connects to a 50/10Mbit Vodafone WAN

- NAT will be applied on the WAN interface of the PA220, so i dont have to configure routing on the Vodafone box.

- NAT will be applied on the Vodafone box to communicate to the internet

Because it is not a business line, i have to work with the transfernetwork between Vodafone box an PA220

- Speedtest for local internetconnection wich passes the PA220 gives me 50/10Mbit - everything is fine.

Problem:

- When i am uploading from Branch to HQ, i get full 10MBIT

- When i am uploading from HQ to Branch, i get a maximum ov 2-5 MBIT out of the 50MBit

What have i tested:

- Different MTU sizes for tunnel and WAN interfaces, from 1500 down to 1260

- Diabled every security service in line

- Enabled TCP MSS with standard value (40 for ipv4)

- Enabled/ disabled NAT Traversal for Branch (because of the NAT)

- Checked every single interface negoatiation, especially for WAN routers and Firewall

- Cryptosets down from very high, to very low (sha1, dh2, aes128)

- Different routing options for next hop when routed to the tunnel (next hop, non)

- Tunnelinterface automaticly adjusts mtu to 1428 (show vpn flow tunnel-id 1) on Branche site

- no drops, discards, erros on WAN and tunnel interface (show interface...)

Additional:

Very strange is, that the Branch connections to the HQ work, when im using same ISPs, but a Linogate Defendo Firewall for both sites... (the Linogate Defendo System is an old system which was in place bevor our migration)

... just to clarify.. the Linogate system reboots when i am altering a interface... so this is the worsed product i ve ever seen...

Today i started to migrate the second Branch --> same issue !

Finally i am at the end of my knowledge...

Please community, give me some input to this one

Best regards,

Tony

Re: Slow VPN performance in >ONE< direction

itserviceHEWA — Fri, 15 Jun 2018 09:45:09 GMT

Hello Community,

working the whole week on this problem, i finaly resolved it.

Unfortunatelly it was a failure in my troubleshooting process, because the answer is one of my tested tasks.

For some reason i failed in testing the tunnel MTU sizes, because i didnt kill/ reconnect the tunnel in a clean manner.

( "clear vpn ike-sa gateway <gateway>" and "test vpn ike-sa gateway <gateway>") after i configured the tunne MTUs...

After configuring the tunnel MTU with a value of 1400 on both sites and than clear + test vpn via CLI, the problem was resolved. Now i get about 95% of the WAN speeds over the tunnel in both directions!!

The problem is the Vodafone Router in between the tunnel. (Branch Offices)

The PAs correctly handle the overhead, which is shown by the following command: "show vpn flow tunnel-id 1".

But the PAs cant recognize the headers, which are done by the Vodafone Router, because it is in line of the tunnel.

So - as pointed out in a lot of documents on the network, the administrator has to calculate the overhead from that box.

After this was done, everything is working as intended.

Best regards,

Tony

P.s.: This thread can be closed 🙂

Re: Slow VPN performance in >ONE< direction

gianmaxfactor — Thu, 20 Apr 2023 07:03:59 GMT

Hi dear,

would you be so kind to help me troubleshooting the same issue? Download speed is terribly slow, and I´m not talking about Internet, just inside the LAN. Tried to set a lower MTU both side but didn´t help...
By the way, is it right that if the issue is actually about the MTU we are going to see lots of fragmented packets on the PA side?
Thanks a lot ahead, Gian.