This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

VPN Performance Problem

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

VPN Performance Problem

gafrol
L4 Transporter

‎06-19-2014 11:57 PM

Just wanted to all let you know about a VPN performance issue we have with one of our customers.

The customers is running an IPSec Site2Site Tunnel to a third party company (Cisco Device). They have a PA-5020 Cluster (5.0.12) and the Tunnel link is providing 1Gb/s throughput. Now all was working fine until the customer added a source NAT for the traffic entering the tunnel. The throughput went down from around 900Mb/s to 300Mb/s. Disabling that particular NAT restores full throughput again. Case is open, so far there are no config issues, but still waiting for further findings.

Has anyone observed such a performance impact when configuring a source NAT in a VPN Tunnel ?

Labels:
0 Likes Likes
6 REPLIES 6

pulukas
L7 Applicator

‎06-21-2014 05:17 AM

Certainly seems like a bug that will need to be addressed.

What do the cpu stats look like when the nat is enabled?

I'm guessing there is some kind of bug interaction between nat and some other portion of the configuration.  So you may end up with an option to keep the nat and change some other portion of the config to get past the bug until it is patched.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
0 Likes Likes

gafrol
L4 Transporter
In response to pulukas

‎06-22-2014 11:57 PM

Nothing abnormal on the CPU load. Cleartext source NAT does not suffer from this performance hit, only source NAT within a tunnel seems to create the problem.

0 Likes Likes

ajbool
L3 Networker

‎06-23-2014 01:06 AM

Are your NAT rules sufficiently wide to include ICMP traffic?

The MTU across the tunnel will be lower than normal.  Perhaps without the NAT, MTU discovery (using ICMP) is working - lowering the MSS of the TCP sessions across the tunnel.  If the NAT doesn't include ICMP traffic, MTU discovery will be broken and your traffic flow rate will suffer greatly...

I'd ensure the NAT rule has no service component so it is just acting on the IP addresses at each end of the link (and perhaps the in/out interfaces).

0 Likes Likes

gafrol
L4 Transporter
In response to ajbool

‎06-23-2014 01:28 AM 

Are your NAT rules sufficiently wide to include ICMP traffic?

Yes, we usually don't use service restrictions in the NAT, this is done in the security rules.

0 Likes Likes

Wenar
L3 Networker
In response to gafrol

‎06-23-2014 02:00 AM

I saw a case with the same issue which is still in the research phase. You should open a case too. Maybe this will speed up the process if you can provide more data.

0 Likes Likes

gafrol
L4 Transporter
In response to Wenar

‎06-23-2014 02:52 AM

Case is open since one week

0 Likes Likes
  • 2473 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks