L1 Bithead

For the guys that have replied, I'm curious what kind of performance you see on your GlobalProtect sessions?  I think it might be helpful to set a baseline when talking about GlobalProtect performance.  I've read tons of these posts on the forums, but rarely see anyone discuss what we should expect.


In my testing I can never average more than 50-70 Mbps on a GlobalProtect SSL VPN connection (dedicated 3020 firewall with just me, dedicated 1 Gbps internet link on both sides for just me, 30ms latency, no inspection or App-ID, no QoS, iperf3). I can open a second SSL VPN connection from a different computer and simultaneously get another 50-70 Mbps without impacting the first session. I don't see a significant CPU load on the firewall at either point. I can do testing outside GlobalProtect (static NAT) and pretty consistently get 940 Mbps. My assumption is that this is some internal tuning limitation that we can't see.


On my production system, I will have stretches where I can get 50-70 Mbps, but this will frequently drop down to the 2-10 Mbps range (for minutes at a time). Like the OP, the overall bandwidth usage doesn't explain all of the issues. Certainly, I can see slowness when there are peaks in bandwidth usage, but I also see slowness that doesn't correspond to any bandwidth usage. My assumption is that it is due to firewall load (although the firewall doesn't show 100% CPU, I assume the GP process is somehow throttled and that the performance slowness is due to other stream processing inspections and App-ID that is happening).


I can run a simultaneous test (iperf3) where I test using a static NAT (non-GP) at 200 Mbps, alongside 2 GP connections. The static NAT connection will remain consistent, while the two GP connections will suffer performance hits around the same time.


I should note that I've read the usual comments about SSL VPN and performance (due to a TCP session encapsulated in another TCP session). I can see this demonstrated when I do testing at my DR site and I run into (what I assume) are throttling issues when the interior and exterior TCP sessions have conflicting sliding windows. For example, the session will be cooking along at 70 Mbps for 30 seconds, then drop to zero and then ramp back up to 70 Mbps. I'm planning to do some testing on my test site with GlobalProtect in IPsec mode to see if this goes away or if my overall bandwidth is improved.


Anyway, here are some things I've noticed (recognizing this is the blind leading the blind), in case any of it gives you some things to check on your system:

  • As mentioned above, no matter what your bandwidth, GlobalProtect seems to have other limitations, so setting expectations with users is critical (i.e. a Speedtest is never going to show the full bandwidth).
  • Regular SMB performance is just awful on SSL VPN.  It works better if you use SMBv3, so ensure that your clients and file servers are upgraded.
  • In my testing, just enabling QoS on an interface caused a significant performance hit on GlobalProtect.
  • Security policies (inspections) can impact performance.  Try tuning them or turning them off (while testing).
  • Verify you aren't having fragmentation issues.  GP 5.2.5 supports changing the MTU size.


If anyone has any better information, especially about the internal workings or scheduling of GP traffic inside the firewall, I'd love to hear it.
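As an added example (not part of the post above), here is a small Python helper that reads the per-interval throughput from an `iperf3 -J` report, flags the stall-and-ramp pattern the post describes, and lists the GP stalls that a concurrent static-NAT run does not explain. The two JSON reports are constructed samples shaped like real iperf3 output, with invented values.

```python
"""Summarize iperf3 -J interval throughput to spot the "steady, drop to zero,
ramp back up" pattern and to compare a GP run against a concurrent non-GP run."""
import json


def make_report(bps_per_second):
    # Constructed sample in the shape of `iperf3 -c <server> -J` output,
    # trimmed to the "intervals" / "sum" fields used here.
    return json.dumps({"intervals": [
        {"sum": {"start": i, "end": i + 1, "seconds": 1.0, "bits_per_second": bps}}
        for i, bps in enumerate(bps_per_second)]})


# GP SSL tunnel: ~70 Mbps, a 3 s collapse, then recovery (invented values).
SAMPLE_IPERF3_JSON = make_report([70e6, 72e6, 69e6, 71e6, 0.0, 0.0, 3e6, 35e6, 68e6, 70e6])
# Static-NAT reference run over the same link at the same time (invented values).
SAMPLE_NAT_JSON = make_report([200e6, 198e6, 201e6, 199e6, 200e6, 200e6, 199e6, 201e6, 200e6, 200e6])


def interval_mbps(report_json):
    """Return per-interval throughput in Mbps from an iperf3 -J report."""
    report = json.loads(report_json)
    return [iv["sum"]["bits_per_second"] / 1e6 for iv in report["intervals"]]


def summarize(mbps, stall_mbps=5.0):
    """Average, minimum, stalled-interval count and longest consecutive stall.
    A stall is any 1 s interval below stall_mbps (default 5 Mbps)."""
    longest = current = 0
    for m in mbps:
        current = current + 1 if m < stall_mbps else 0
        longest = max(longest, current)
    return {"avg_mbps": round(sum(mbps) / len(mbps), 1),
            "min_mbps": round(min(mbps), 1),
            "stall_intervals": sum(1 for m in mbps if m < stall_mbps),
            "longest_stall_s": longest}


def unexplained_stalls(gp_mbps, ref_mbps, stall_mbps=5.0, ref_floor=0.9):
    """Interval indices where the GP path stalled while the concurrent non-GP
    reference run held at least ref_floor of its own average, so the shared
    link is not the explanation."""
    ref_avg = sum(ref_mbps) / len(ref_mbps)
    return [i for i, (g, r) in enumerate(zip(gp_mbps, ref_mbps))
            if g < stall_mbps and r >= ref_floor * ref_avg]


if __name__ == "__main__":
    gp, nat = interval_mbps(SAMPLE_IPERF3_JSON), interval_mbps(SAMPLE_NAT_JSON)
    print(summarize(gp))
    print("GP stalls not explained by the link:", unexplained_stalls(gp, nat))
```

Run both iperf3 clients with `-J` and feed the saved reports in place of the constructed samples; a non-empty `unexplained_stalls` result is the signature the post describes.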
