VPN Performance Problem

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

VPN Performance Problem

L4 Transporter

Just wanted to all let you know about a VPN performance issue we have with one of our customers.

The customers is running an IPSec Site2Site Tunnel to a third party company (Cisco Device). They have a PA-5020 Cluster (5.0.12) and the Tunnel link is providing 1Gb/s throughput. Now all was working fine until the customer added a source NAT for the traffic entering the tunnel. The throughput went down from around 900Mb/s to 300Mb/s. Disabling that particular NAT restores full throughput again. Case is open, so far there are no config issues, but still waiting for further findings.

Has anyone observed such a performance impact when configuring a source NAT in a VPN Tunnel ?

6 REPLIES 6

L7 Applicator

Certainly seems like a bug that will need to be addressed.

What do the cpu stats look like when the nat is enabled?

I'm guessing there is some kind of bug interaction between nat and some other portion of the configuration.  So you may end up with an option to keep the nat and change some other portion of the config to get past the bug until it is patched.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Nothing abnormal on the CPU load. Cleartext source NAT does not suffer from this performance hit, only source NAT within a tunnel seems to create the problem.

L3 Networker

Are your NAT rules sufficiently wide to include ICMP traffic?

The MTU across the tunnel will be lower than normal.  Perhaps without the NAT, MTU discovery (using ICMP) is working - lowering the MSS of the TCP sessions across the tunnel.  If the NAT doesn't include ICMP traffic, MTU discovery will be broken and your traffic flow rate will suffer greatly...

I'd ensure the NAT rule has no service component so it is just acting on the IP addresses at each end of the link (and perhaps the in/out interfaces).

Are your NAT rules sufficiently wide to include ICMP traffic?

Yes, we usually don't use service restrictions in the NAT, this is done in the security rules.

I saw a case with the same issue which is still in the research phase. You should open a case too. Maybe this will speed up the process if you can provide more data.

Case is open since one week

  • 2750 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!