Slow VPN performance in >ONE< direction

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Slow VPN performance in >ONE< direction

L1 Bithead

Hello Community,

 

i have a strange problem regarding VPN.

 

Here is my setup:

 

HQ:

 

- PA3020 vsys2 connects to a 100/100Mbit WAN. (local, stable provider)

- Public IP is configured directly on a interface of the PA

- Speedtest from local network in HQ commits the 100/100Mbit

 

Branch:

- PA220 connects to a 50/10Mbit Vodafone WAN

- NAT will be applied on the WAN interface of the PA220, so i dont have to configure routing on the Vodafone box.

- NAT will be applied on the Vodafone box to communicate to the internet

 

Because it is not a business line, i have to work with the transfernetwork between Vodafone box an PA220

 

- Speedtest for local internetconnection wich passes the PA220 gives me 50/10Mbit - everything is fine.

 

 

Problem:

 

- When i am uploading from Branch to HQ, i get full 10MBIT

- When i am uploading from HQ to Branch, i get a maximum ov 2-5  MBIT out of the 50MBit

 

What have i tested:

 

- Different MTU sizes for tunnel and WAN interfaces, from 1500 down to 1260

- Diabled every security service in line

- Enabled TCP MSS with standard value (40 for ipv4)

- Enabled/ disabled NAT Traversal for Branch (because of the NAT)

- Checked every single interface negoatiation, especially for WAN routers and Firewall

- Cryptosets down from very high, to very low (sha1, dh2, aes128)

- Different routing options for next hop when routed to the tunnel (next hop, non)

- Tunnelinterface automaticly adjusts mtu to 1428 (show vpn flow tunnel-id 1) on Branche site

- no drops, discards, erros on WAN and tunnel interface (show interface...)

 

Additional:

 

Very strange is, that the Branch connections to the HQ work, when im using same ISPs, but a Linogate Defendo Firewall for both sites... (the Linogate Defendo System is an old system which was in place bevor our migration)

... just to clarify.. the Linogate system reboots when i am altering a interface... so this is the worsed product i ve ever seen...

 

Today i started to migrate the second Branch --> same issue !

 

 

Finally i am at the end of my knowledge...

 

Please community, give me some input to this one 

 

Best regards,

 

Tony

 

 

1 accepted solution

Accepted Solutions

L1 Bithead

Hello Community,

 

working the whole week on this problem, i finaly resolved it.

Unfortunatelly it was a failure in my troubleshooting process, because the answer is one of my tested tasks.

 

For some reason i failed in testing the tunnel MTU sizes, because i didnt kill/ reconnect the tunnel in a clean manner.

( "clear vpn ike-sa gateway <gateway>" and  "test vpn ike-sa gateway <gateway>") after i configured the tunne MTUs...

 

After configuring the tunnel MTU with a value of 1400 on both sites and than clear + test vpn via CLI, the problem was resolved. Now i get about 95% of the WAN speeds over the tunnel in both directions!!

 

The problem is the Vodafone Router in between the tunnel. (Branch Offices)

The PAs correctly handle the overhead, which is shown by the following command: "show vpn flow tunnel-id 1".

But the PAs cant recognize the headers, which are done by the Vodafone Router, because it is in line of the tunnel.

 

So - as pointed out in a lot of documents on the network, the administrator has to calculate the overhead from that box.

 

After this was done, everything is working as intended.

 

Best regards,

 

Tony

 

P.s.: This thread can be closed 🙂

 

View solution in original post

2 REPLIES 2

L1 Bithead

Hello Community,

 

working the whole week on this problem, i finaly resolved it.

Unfortunatelly it was a failure in my troubleshooting process, because the answer is one of my tested tasks.

 

For some reason i failed in testing the tunnel MTU sizes, because i didnt kill/ reconnect the tunnel in a clean manner.

( "clear vpn ike-sa gateway <gateway>" and  "test vpn ike-sa gateway <gateway>") after i configured the tunne MTUs...

 

After configuring the tunnel MTU with a value of 1400 on both sites and than clear + test vpn via CLI, the problem was resolved. Now i get about 95% of the WAN speeds over the tunnel in both directions!!

 

The problem is the Vodafone Router in between the tunnel. (Branch Offices)

The PAs correctly handle the overhead, which is shown by the following command: "show vpn flow tunnel-id 1".

But the PAs cant recognize the headers, which are done by the Vodafone Router, because it is in line of the tunnel.

 

So - as pointed out in a lot of documents on the network, the administrator has to calculate the overhead from that box.

 

After this was done, everything is working as intended.

 

Best regards,

 

Tony

 

P.s.: This thread can be closed 🙂

 

L0 Member

Hi dear,

 

would you be so kind to help me troubleshooting the same issue? Download speed is terribly slow, and I´m not talking about Internet, just inside the LAN. Tried to set a lower MTU both side but didn´t help...
By the way, is it right that if the issue is actually about the MTU we are going to see lots of fragmented packets on the PA side?
Thanks a lot ahead, Gian.

  • 1 accepted solution
  • 11784 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!