01-29-2021 02:11 PM
Help me come to grips with this. I recently enabled IPSec on our PAN for end user VPN's. I did it primarily to hopefully get improved VoIP performance, less jitter, and perhaps a marginal speed improvement. What I have found is an almost across the board doubling of download speeds.
If you consider that most of my users are on regular consumer Xfinity cable links when using SSL their speed test would average around 15 - 20Mbps. Switching to IPSec changes that to 30 - 50Mbps pretty reliably. Happy, but not what I was expecting and I am trying to understand where the bottleneck is in SSL?
Both data and management CPU's are running mostly below the 20's and haven't noticeably changed after moving to IPSec. I know that IPSec has lower overhead, quicker connection establishment and doesn't suffer from the TCP inside TCP that SSL (TLS) has but I wasn't expecting this big of a difference. I am left thinking the bottleneck is in the encryption methods either on the firewall or in the GlobalProtect client.
PanOS 9.1.4, GlobalProtect 5.2.3
01-30-2021 08:56 PM
Here is main reason for slowness over SSL
GlobalProtect is slower on SSL VPN because SSL requires more overhead than IPSec. Also, Transmission Control Protocol (TCP) is more prone to latency than User Datagram Protocol (UDP), which is used in IPsec GlobalProtect.
Hope this helps.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!