06-19-2014 11:57 PM
Just wanted to let you all know about a VPN performance issue we have with one of our customers.
The customer is running an IPSec Site2Site Tunnel to a third party company (Cisco Device). They have a PA-5020 Cluster (5.0.12) and the Tunnel link is providing 1Gb/s throughput. Now all was working fine until the customer added a source NAT for the traffic entering the tunnel. The throughput went down from around 900Mb/s to 300Mb/s. Disabling that particular NAT restores full throughput again. Case is open, so far there are no config issues, but still waiting for further findings.
Has anyone observed such a performance impact when configuring a source NAT in a VPN Tunnel?
06-21-2014 05:17 AM
Certainly seems like a bug that will need to be addressed.
What do the CPU stats look like when the NAT is enabled?
I'm guessing there is some kind of bug interaction between NAT and some other portion of the configuration. So you may end up with an option to keep the NAT and change some other portion of the config to get past the bug until it is patched.
06-22-2014 11:57 PM
Nothing abnormal on the CPU load. Cleartext source NAT does not suffer from this performance hit, only source NAT within a tunnel seems to create the problem.
06-23-2014 01:06 AM
Are your NAT rules sufficiently wide to include ICMP traffic?
The MTU across the tunnel will be lower than normal. Perhaps without the NAT, MTU discovery (using ICMP) is working - lowering the MSS of the TCP sessions across the tunnel. If the NAT doesn't include ICMP traffic, MTU discovery will be broken and your traffic flow rate will suffer greatly...
I'd ensure the NAT rule has no service component so it is just acting on the IP addresses at each end of the link (and perhaps the in/out interfaces).
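To put numbers on the MTU point in the reply above, here is an added example (not part of the thread or anyone's post) that computes how much an ESP tunnel shrinks the usable MTU and TCP MSS, and whether a full-size DF packet would depend on an ICMP "fragmentation needed" message getting back to the sender. The thread does not state the tunnel's cipher suite or whether NAT-T is used, so the two suites and the 1500-byte link MTU below are assumptions.

```python
# Added illustration, not from the thread: IPv4 ESP tunnel-mode overhead and
# the TCP MSS that fits without fragmentation. Suites and MTU are assumptions.
IPV4_HDR = 20
TCP_HDR = 20
ESP_HDR = 8        # SPI + sequence number
ESP_TRAILER = 2    # pad-length byte + next-header byte
NAT_T_UDP = 8      # extra UDP header when ESP is UDP-encapsulated (NAT-T)

# (IV length, padding alignment, ICV length) in bytes for two common suites
SUITES = {
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
    "aes-gcm-16": (8, 4, 16),
}


def inner_mtu(link_mtu, suite, nat_t=False):
    """Largest inner IP packet that fits in one outer packet of link_mtu."""
    iv, align, icv = SUITES[suite]
    fixed = IPV4_HDR + ESP_HDR + iv + icv + (NAT_T_UDP if nat_t else 0)
    room = link_mtu - fixed      # bytes left for payload + padding + trailer
    room -= room % align         # encrypted part must be a multiple of align
    return room - ESP_TRAILER


def tcp_mss(link_mtu, suite, nat_t=False):
    """MSS (no TCP options) for sessions carried inside the tunnel."""
    return inner_mtu(link_mtu, suite, nat_t) - IPV4_HDR - TCP_HDR


def needs_frag_needed(packet_len, link_mtu, suite, nat_t=False):
    """True if a DF-marked inner packet is too big to encapsulate, so the
    sender only learns the limit via ICMP type 3 code 4."""
    return packet_len > inner_mtu(link_mtu, suite, nat_t)


if __name__ == "__main__":
    for name in SUITES:
        for nat_t in (False, True):
            print(f"{name:22} nat_t={nat_t!s:5} "
                  f"inner MTU={inner_mtu(1500, name, nat_t)} "
                  f"MSS={tcp_mss(1500, name, nat_t)} "
                  f"1500B DF needs ICMP={needs_frag_needed(1500, 1500, name, nat_t)}")
```

If hosts behind the tunnel keep sending 1500-byte DF segments and the ICMP replies never arrive, those segments are dropped until the sender backs off, which is the failure mode the reply describes.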
06-23-2014 01:28 AM
Are your NAT rules sufficiently wide to include ICMP traffic?
Yes, we usually don't use service restrictions in the NAT, this is done in the security rules.
06-23-2014 02:00 AM
I saw a case with the same issue which is still in the research phase. You should open a case too. Maybe this will speed up the process if you can provide more data.
06-23-2014 02:52 AM
Case has been open for one week.