IPSec tunnel slowness issue

L3 Networker

Hi Folks,

 

We had recently configured an IPSec tunnel between the PA and the Cisco Meraki firewall. 

 

The PA firewall is located in India and the Cisco firewall is located in USA.

 

We are trying to upload a file from a Linux host located behind the PA firewall to a server located behind the Cisco firewall using the wget HTTP option from the Linux machine.

While uploading we are getting a speed of only 200 kbps. Our ISP bandwidth is 200 Mbps.

 

Upon taking global counters we could see that the firewall is dropping the packets with the below counters:

 

tcp_drop_packet 2 0 warn tcp pktproc packets dropped because of failure in tcp reassembly
tcp_exceed_flow_seg_limit 2 0 warn tcp resource packets dropped due to the limitation on tcp out-of-order queue size

 

We had changed the MTU on the tunnel interface but no luck. After allowing the out-of-order TCP packets using the below command, the speed had increased a bit.

 

> config
# set deviceconfig setting tcp bypass-exceed-oo-queue <yes|no>
# commit

https://knowledgebase.paloaltonetworks.com/kcSArticleDetail?id=kA10g000000ClWK

 

Is this an issue with the firewall or an issue with the host?

 

Thanks in advance.

Accepted Solution

L3 Networker

Hi Folks,

 

We have only two ISPs, each with 100 Mbps bandwidth. We are using only one ISP interface as primary. Upon checking with the below command we identified that the throughput is measuring up to 130-150 Mbps.

> show system statistics session

 

After load-balancing the traffic between the two ISPs, the upload/download speed via the tunnel interface increased.

4 REPLIES

Cyber Elite

Hello,

Was the MTU changed on both sides of the tunnel?

Regards,

Hi @OtakarKlier 

 

Yes, we tried to ping the server on the peer end with the do-not-fragment bit enabled and configured the supported MTU value on both sides of the tunnel interfaces.
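The check described in this reply (probe the peer with DF set and pick the largest size that passes), automated as an added example that is not part of the thread. It assumes Linux iputils ping (the `-M do` flag sets DF) and uses 192.0.2.10 as a placeholder peer; the simulated path lets the search be exercised without a network.

```python
"""Find the largest packet a tunnel path carries unfragmented and derive the tunnel MTU.

Added example, not from the thread. It binary-searches ICMP payload sizes with the
do-not-fragment bit set. The probe is injectable so the same search can run against a
constructed path model (simulated_path) or the real `ping -M do` (Linux iputils).
"""
import subprocess
from typing import Callable

IP_ICMP_OVERHEAD = 28  # 20-byte IPv4 header + 8-byte ICMP echo header


def ping_df(host: str, payload: int, timeout_s: int = 2) -> bool:
    """True if one ICMP echo of `payload` bytes with DF set is answered by `host`."""
    cmd = ["ping", "-c", "1", "-W", str(timeout_s), "-M", "do", "-s", str(payload), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def find_path_mtu(probe: Callable[[int], bool], low: int = 576, high: int = 1500) -> int:
    """Largest full IP packet size in [low, high] that `probe` delivers unfragmented.

    `probe` receives ICMP payload sizes; the return value already includes the IP and
    ICMP headers, so it is the value to configure as the tunnel interface MTU.
    """
    lo_payload = low - IP_ICMP_OVERHEAD
    hi_payload = high - IP_ICMP_OVERHEAD
    if not probe(lo_payload):
        raise RuntimeError("even the minimum probe size failed; check reachability first")
    while lo_payload < hi_payload:           # invariant: lo_payload always passes
        mid = (lo_payload + hi_payload + 1) // 2
        if probe(mid):
            lo_payload = mid
        else:
            hi_payload = mid - 1
    return lo_payload + IP_ICMP_OVERHEAD


def simulated_path(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for a path whose MTU is `path_mtu` bytes (no network needed)."""
    return lambda payload: payload + IP_ICMP_OVERHEAD <= path_mtu


if __name__ == "__main__":
    import sys
    peer = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # placeholder peer address
    mtu = find_path_mtu(lambda p: ping_df(peer, p))
    print(f"path MTU towards {peer}: {mtu} bytes; set the tunnel interface MTU to {mtu}")
```

Run it once from each side of the tunnel: the two results should agree, and if they do not, the smaller value is the one to configure on both tunnel interfaces.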

 

Cyber Elite

@tamilvanan,

How stable of a connection do you have between sites outside of the tunnel? If you're getting so many out-of-order packets that it's causing issues and the MTU is correct, are you experiencing a larger amount of packet loss between the two nodes themselves?

