Slow speed via Global Protect.

L3 Networker


I have a VM300 with GP without split tunnel. Between with and without GP there is a loss of around 6mb.

Is it acceptable to have 6mb of overhead loss? Will enabling/disabling IPsec in the SSL VPN setting make any difference?

Community Team Member

Re: Slow speed via Global Protect.

Was it always this way? 

Do you have threat profiles enabled for that traffic?

Is this affecting every client?

There are many things that could cause issues, but we will need to narrow down what the issue may be.

Stay Secure,
Joe
End of line
L3 Networker

Re: Slow speed via Global Protect.

No security profiles.

Not affecting every customer.

My question is what sort of overhead can be seen in GP?

L4 Transporter

Re: Slow speed via Global Protect.

Hello

If you have split tunnel disabled (makes sense), then the public IP of the firewall needs to hairpin the communication from GP agent to destination IP on Internet. This could be a legitimate reason for why you will have some degradation, due to increased CPU utilization in hairpin.

I believe this is acceptable, as there is no way to NOT have some degradation.

As you mentioned, it does not affect every customer, so there are too many variables to indeed determine that it is the GP config causing it.

You could always enable QoS to help prioritize traffic.

Keep working out the variables and let us know.  I

Help the community: Like helpful comments and mark solutions
L3 Networker

Re: Slow speed via Global Protect.

User has a performance issue when accessing a file in the trust zone of the firewall over GP, IPsec tunnel.

I read on the net that SMB traffic over VPN is not very good. There are a lot of TCP retransmissions.

L4 Transporter

Re: Slow speed via Global Protect.

Ok, still confused.

With split tunneling enabled (which is an irrelevant point) the user is still using the routing table (pushed by the GP config) to access the file in the trust zone.

With split tunneling disabled (which forces all traffic to the FW), the user is still using the same routing table to access the file in the trust zone.

I guess I do not see how split tunnel (on or off) would affect accessing the trust zone, UNLESS there is a lot of non-productive traffic being pushed through the FW during the disabled split tunnel config.

Is the virtual pool of addresses in the GP config a non-overlapping/unique subnet, that is not on the trusted network?

What other info can you share?

Why does this not affect all customers, if you think it is a GP agent/configuration issue?

I presume you are doing a Wireshark trace to see the re-transmissions. May be related, or may not be related.

If they try to NOT access using SMB, but go to a web server inside their network, does it work fine?

Is there an FTP server or similar that the user can try to upload/download files using a different application?

Any QoS enabled on the FWs?

Keep working and troubleshooting the issue.

Help the community: Like helpful comments and mark solutions
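
The comparison suggested in the reply above (retransmissions seen in a trace, SMB versus a web or FTP transfer over the same tunnel) can be quantified per service. This is an added example, not part of the original thread: the sample lines are constructed, the addresses and ports are assumptions, and it assumes relative sequence numbers with no wraparound.

```python
from collections import defaultdict

# Constructed sample in the shape of a tshark field export, one TCP segment
# per line: ip.src,tcp.srcport,ip.dst,tcp.dstport,tcp.seq,tcp.len
SAMPLE = """\
10.10.0.5,51000,192.168.1.20,445,1,1400
10.10.0.5,51000,192.168.1.20,445,1401,1400
10.10.0.5,51000,192.168.1.20,445,1401,1400
10.10.0.5,51000,192.168.1.20,445,2801,1400
10.10.0.5,51000,192.168.1.20,445,1,1400
10.10.0.5,51000,192.168.1.20,445,4201,1400
10.10.0.5,51002,192.168.1.30,80,1,1400
10.10.0.5,51002,192.168.1.30,80,1401,1400
10.10.0.5,51002,192.168.1.30,80,2801,1400
192.168.1.30,80,10.10.0.5,51002,1,0
"""

def retransmission_stats(export_text, server_ports=(445, 80, 21)):
    """Return {server_port: (data_segments, retransmitted)} per service."""
    highest_end = {}                      # per direction: highest seq+len seen
    stats = defaultdict(lambda: [0, 0])
    for line in export_text.splitlines():
        if not line.strip():
            continue
        src, sport, dst, dport, seq, length = line.split(",")
        sport, dport, seq, length = int(sport), int(dport), int(seq), int(length)
        if length == 0:                   # pure ACKs carry no data
            continue
        port = dport if dport in server_ports else sport
        if port not in server_ports:      # not one of the services compared
            continue
        flow = (src, sport, dst, dport)   # one direction of one connection
        end = seq + length
        stats[port][0] += 1
        if end <= highest_end.get(flow, 0):
            stats[port][1] += 1           # bytes already sent once: retransmission
        else:
            highest_end[flow] = end
    return {p: tuple(v) for p, v in stats.items()}

def retransmission_rate(stats, port):
    """Fraction of data segments for this service that were retransmissions."""
    total, retrans = stats.get(port, (0, 0))
    return retrans / total if total else 0.0

if __name__ == "__main__":
    result = retransmission_stats(SAMPLE)
    for port in sorted(result):
        print(port, result[port], f"{retransmission_rate(result, port):.1%}")
```

A high rate on port 445 with a near-zero rate on port 80 over the same tunnel points at the application or path behaviour for that service rather than at the tunnel as a whole.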