02-03-2014 08:16 AM
I just modified a PA-200 in our remote office to use two internet connections and two VPN connections for fail-over. The tunnels are up and are passing traffic fine for me, however users in that office are complaining about slowness over the VPN. There is zero packet loss over the tunnel and connectivity to the internet is just fine, from what I am told. Other discussions on this site have suggested enabling TCP MSS (which I did on the WAN interfaces) but I completely lost connectivity to those interfaces when I did. I had to get access to the device again via the secondary ISP. I try to access the trust interface of this device over the tunnel and the Web UI attempts to load (displays "connecting" in the tab and immediately changes to "Login") but it actually never loads; the page is just plain white. SSH access to this same interface works better but seems to eventually die. I seem to have better success accessing the firewall via the WAN interface via UI or SSH. This definitely seems to be an issue with the VPN tunnel(s). Session ID details from the CLI show all traffic is being processed by the correct interfaces, PBFs, tunnels, etc. All traffic is traversing a newly configured ISP.
Here are my PBF rules:
The first is a rule to send traffic over the primary ISP and VPN, the second is a backup ISP and VPN. All traffic according to the firewall is traversing tunnel.10, as it should be.
Any help would be appreciated!
Thanks!
02-03-2014 11:37 AM
Hello Sir,
I would request you to try the options mentioned below, in order to improve the performance through the VPN tunnel.
1) Can you verify what encryption standards are being used?
Group 5 (asymmetric key encryption) and AES (symmetric key encryption) standards are more CPU intensive than Group 2 or 3DES. Does the performance improve with Group 2 and 3DES?
2) Slowness of transfers across VPN tunnels is usually seen when the ESP packets are either fragmented, or when the packets themselves come out of sequence before they are encrypted (the firewall performs checks for TCP anomalies before it can encrypt these packets in the ESP headers). Please check for any asymmetric routing issues.
3) If the performance is still not that great, an alternative is to create a custom app for the required traffic, and use it under an app override. With this setting, we bypass the signature check for this traffic, and hence can expect better results. Refer to the doc below for configuring Application Override for certain traffic.
How to Create an Application Override Policy
NOTE: As you said before, after enabling "Adjust MSS" you lost connectivity through the primary ISP. Do you have an alternate path to troubleshoot (not through ISP-1 or ISP-2) which will at least not close the SSH or GUI session?
Thanks
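Point 2 above (ESP fragmentation) and the MSS adjustment the original poster tried are two sides of the same calculation: the TCP MSS inside the tunnel has to be small enough that the inner packet, once wrapped in ESP, still fits the outer MTU. The block below is an added example, not code from the thread or from Palo Alto Networks; it works out that number from the standard IPv4/ESP header sizes. The cipher profiles (IV length, padding block, ICV length) and the NAT-T flag are assumptions standing in for a real IPsec crypto profile, and the `pan_mss_adjustment` helper assumes the PAN-OS convention that the interface setting is an adjustment size subtracted from the MTU (default 40 bytes).

```python
"""Size the TCP MSS so ESP tunnel-mode packets do not fragment.

Added example, not from the original thread.  Header sizes are the
standard IPv4 / ESP ones; PROFILES is an assumed table of common
transforms, choose the entry that matches your IPsec crypto profile.
"""
import math

IPV4_HDR = 20      # outer and inner IPv4 header, no IP options
TCP_HDR = 20       # TCP header without options
UDP_HDR = 8        # NAT-T UDP encapsulation (UDP/4500), only when in use
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1), before the ICV

# (iv_len, pad_block, icv_len) per transform -- assumed, verify against your profile
PROFILES = {
    "aes-cbc-sha1": (16, 16, 12),  # 16-byte IV, pad to 16, HMAC-SHA1-96
    "3des-sha1":    (8, 8, 12),    # 8-byte IV, pad to 8, HMAC-SHA1-96
    "aes-gcm-128":  (8, 4, 16),    # 8-byte IV, 4-byte alignment, 16-byte ICV
}


def esp_packet_size(inner_len, profile="aes-cbc-sha1", nat_t=False):
    """Bytes on the wire for one ESP tunnel-mode packet carrying inner_len bytes."""
    iv_len, block, icv_len = PROFILES[profile]
    # plaintext = inner packet + padding + pad-length + next-header, rounded up to the block
    padded = math.ceil((inner_len + ESP_TRAILER) / block) * block
    return IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv_len + padded + icv_len


def max_inner_len(mtu, profile="aes-cbc-sha1", nat_t=False):
    """Largest inner IPv4 packet whose ESP encapsulation still fits in mtu."""
    iv_len, block, icv_len = PROFILES[profile]
    fixed = IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv_len + icv_len
    padded = (mtu - fixed) // block * block     # room left, rounded down to the block
    return padded - ESP_TRAILER


def max_mss(mtu=1500, profile="aes-cbc-sha1", nat_t=False, tcp_options=0):
    """TCP MSS to advertise so a full-size segment never fragments in ESP.

    tcp_options: bytes of TCP options you expect on data segments
    (e.g. 12 for timestamps); the default assumes none.
    """
    return max_inner_len(mtu, profile, nat_t) - IPV4_HDR - TCP_HDR - tcp_options


def pan_mss_adjustment(mtu=1500, profile="aes-cbc-sha1", nat_t=False, tcp_options=0):
    """Value for a PAN-OS style 'MSS adjustment size' field (assumed to be mtu - mss)."""
    return mtu - max_mss(mtu, profile, nat_t, tcp_options)


if __name__ == "__main__":
    for name in PROFILES:
        for nat in (False, True):
            mss = max_mss(1500, name, nat)
            wire = esp_packet_size(mss + IPV4_HDR + TCP_HDR, name, nat)
            print(f"{name:13s} nat_t={nat!s:5s} mss={mss} -> {wire} bytes on the wire")
```

With the default 1500-byte WAN MTU and AES-CBC/SHA1 the result is an MSS of 1398 (an adjustment of 102, not the 40-byte default that only accounts for the bare IP and TCP headers); NAT-T costs another 16 bytes of MSS because of the UDP header plus one more padding block. Before clamping, confirm the outer path MTU itself, for example with a DF-bit ping across the ISP link, since the calculation is only as good as the MTU you feed it.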
08-22-2014 02:35 PM
I would say: "Define slowness"
You can have great bandwidth throughput, but the round-trip response time to your DNS servers can be very slow. The perceived behavior is slowness in both scenarios. You can also have great-performing applications, and applications that behave poorly (Samba file transfers are known to be slow, and they require some tune-up on the firewall).
I would troubleshoot such slowness in two ways:
Deploy iperf on both ends of the tunnel and run a TCP test with -P 10 to measure bandwidth throughput.
http://www.slashroot.in/iperf-how-test-network-speedperformancebandwidth
You can use tools like NetMeter on the endpoints or Graphic Traffic Monitoring for Interfaces - QoS Statistics
Check how users reach their DNS servers. If you are forcing everyone to go to your central office for DNS resolution, and you are on the opposite side of the globe, you are injecting huge delays into DNS responses.
Mariano.