Question

Slow Terminal network traffic over VPN

Asked by: int21dotorg

We have connected two offices through a Cisco Lan-to-Lan VPN over the Internet. Users in one office Telnet to the other office to log on to a Unix app. This infrastructure is mandatory and cannot easily be changed.
The problem is that the Telnet connections can get very slow on occasion.

In an attempt to speed up the connections, we upgraded the connecting office from an ADSL line (4096 kb down, 512 up, not guaranteed), to an SDSL line (2048 down, 1024 up, guaranteed).
This hasn't improved things very much though.

I have the feeling that, because the Unix app is terminal based, it initiates TCP connections for each character pressed (a delay is noticeable when typing text), and therefore ping times are much more important than total bandwidth capacity. Ping times, however, have not decreased significantly, due to the crypto overhead of the VPN connection and the Internet tunnel that has not changed.

1. Can someone confirm or deny this? Do terminal-based apps initiate TCP connections per character inputted?
2. How can I improve performance on these connections?

Thanks
Lars

Asked on: 2005-03-10 at 05:17:02, ID: 21345300
Tags: slow, vpn, cisco
Topics: Miscellaneous Networking, Networking Hardware Firewalls, IPSec Security Protocol


Answers

 

by: bmedward, posted on 2005-03-10 at 06:38:16, ID: 13506308

In a VT100 (or derivative) based terminal emulation mode, typical for *nix text consoles, each character you press will be sent to the server without waiting for an 'enter' or other signal generating key. At the TCP level, this only results in session data and acknowledgment packets being transmitted - a new session is not generated for each communication.

The actual process for queuing is more complicated; it is sufficient to say that unless you are a really fast typist, most TCP data packets will only contain a single keypress. These packets, however, amount to very little total traffic. Under normal operation, 50+ terminals or sessions should have no bandwidth trouble even on a 56K modem line.

As for response time, your users will notice anything more than about .02 seconds. If you are encrypting traffic through this tunnel, it will slow all traffic down. In general, what kind of ping responses are you seeing? Also, are you using a centralized encryption server, or is each computer handling its own encrypted tunnel overhead?

 

by: joe-quick, posted on 2005-03-10 at 08:41:40, ID: 13507915

The "on occasion" is very vague. I also have users at 5 remote offices (2 WANs (384kbs, no guarantee) and 3 56K lines) that telnet to our Unix server and complain about lag "on occasion".

What to watch for is the specific "times".
I have found that the "LAG" is tied directly into how busy the server is. If there are lots of users generating reports (as we have in the morning) you will notice some lag.
The more processing the server is doing, the slower its response time will be. Even on the LAN.

It could be your connection, because there is no such thing as "guaranteed".
If you have access to the remote computers you could create a simple batch file that pings the server every 30 minutes and see when this is happening. This may help to confirm if it's the server load.

What is the average ping time?
I have a 35ms average response time from my cable connection to my server on the net on the server's 128k connection. Which is normal for me.

And as bm stated, encrypting the data will increase the time somewhat. Our WANs and 56k lines don't use encryption so I can't recommend a particular one. But changing the level of encryption might help. Especially if the computers are doing the encryption.

Also, one other question would be: is it all the computers at the site or just one? If it's only one, it could be tied to whatever else the user is doing on their computer.

 

by: gjohnson99, posted on 2005-03-10 at 11:59:31, ID: 13509992

One thing to try if you are using IPSec is to go to PPTP. IPSec is very heavy on CPU usage. Or get a faster VPN.

 

by: jamespickering, posted on 2005-03-10 at 14:21:12, ID: 13511627

Some of the current Cisco VPN routers include a crypto on silicon processor which offloads crypto from the CPU. You will get a minor amount of lag over the VPN but it shouldn't be to the point that users are complaining. Check that it's not an MTU issue - do your DSL services use PPPoE? If so, add 'ip tcp adjust-mss 1452' to your inside interface (e.g. E0 on an 837) and 'ip mtu 1492' on your Dialer interface.

 

by: j3ggs, posted on 2005-03-10 at 15:11:17, ID: 13512181

Lars,

What's the latency between your clients and the server? I doubt that the VPN tunnel would have any impact on latency when dealing with telnet. Telnet is very light in terms of bandwidth usage (and hence stressing an encryption CPU).

As stated above, telnet does not initiate a new session per keypress. One TCP connection is initiated on initial startup. However, each keypress is individually sent across the wire, and requires acknowledging. If it is a Cisco router, there is a service that you can enable to "help" speed up applications like telnet, and this is called "nagle" (Nagle algorithm). You can enable this by typing "service nagle" under global config, however I am not sure if this will actually achieve what you want. For more info look at: http://www.cisco.com/en/US/products/sw/iosswrel/ps1826/products_configuration_guide_chapter09186a00800d9b69.html

It basically packages lots of keypresses up and sends them in one packet.

I would be more inclined to look at the server CPU etc. at the times the service is slow, and/or look at the latency at this time (i.e. do a ping). If the RTT is more than 100ms then users will notice a lot (in my experience).

Bandwidth with telnet will do very little.

Best regards (and luck)

j3ggs
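
The coalescing behaviour described in the answer above, as an added example that is not part of the original thread: a small Python simulation of Nagle's algorithm on a typed session, compared with sending every keypress in its own segment. The keypress spacing, the 250 ms round trip, the instant server echo and all function names are assumptions made for the illustration; 35 ms is the ping time quoted earlier in the thread.

```python
"""Nagle coalescing vs. per-keystroke segments on a typed session (simulation)."""

def per_key_segments(key_times):
    """Without Nagle: every keypress leaves at once in its own 1-byte segment."""
    return [(t, [t]) for t in sorted(key_times)]

def nagle_segments(key_times, rtt):
    """With Nagle: send at once only if nothing is unacknowledged; otherwise
    hold keypresses and send them together when the ACK arrives.
    Assumes the ACK returns exactly one RTT after a segment is sent (no
    delayed ACK, no loss) and that held data never reaches a full MSS."""
    segments = []    # (send_time, [times of the keypresses carried])
    ack_due = None   # arrival time of the ACK for the in-flight segment
    held = []        # keypresses waiting for that ACK
    for t in sorted(key_times):
        # Handle every ACK that arrives before (or exactly at) this keypress.
        while ack_due is not None and ack_due <= t:
            if held:
                segments.append((ack_due, held))  # flush held keys in one segment
                held = []
                ack_due += rtt
            else:
                ack_due = None                    # connection is idle again
        if ack_due is None:
            segments.append((t, [t]))             # idle: send immediately
            ack_due = t + rtt
        else:
            held.append(t)                        # data in flight: hold the key
    if held:
        segments.append((ack_due, held))
    return segments

def worst_echo_delay(segments, rtt):
    """Longest keypress-to-echo time: time held locally plus one round trip
    (assumes the server echoes the character instantly)."""
    return max(send - key + rtt for send, keys in segments for key in keys)

# Constructed input: 10 keypresses, 100 ms apart (times in milliseconds).
KEYS_MS = [i * 100 for i in range(10)]

def compare(rtt_ms):
    plain = per_key_segments(KEYS_MS)
    nagle = nagle_segments(KEYS_MS, rtt_ms)
    return {
        "segments_plain": len(plain),
        "segments_nagle": len(nagle),
        "worst_echo_plain_ms": worst_echo_delay(plain, rtt_ms),
        "worst_echo_nagle_ms": worst_echo_delay(nagle, rtt_ms),
    }

if __name__ == "__main__":
    for rtt in (35, 250):
        print(f"RTT {rtt} ms:", compare(rtt))
```

At 35 ms every keypress is acknowledged before the next one is typed, so Nagle changes nothing; at 250 ms it halves the number of segments, but the worst keypress-to-echo time doubles because held keypresses wait for the outstanding ACK.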

 

by: jamespickering, posted on 2005-03-11 at 02:30:01, ID: 13515245

Just in case, check that the output from the following is the same on both ends of the VPN:

show crypto ipsec sa | include mtu

If it's not the same, then you have three options - one is to set the router with the larger MTU to have the smaller MTU on its outgoing interface (eg in BVI 1 ; ip mtu 1492), second is to use a route-map that clears the df bit, eg I use ACL 130 to define traffic for one VPN where one is DSL bridge mode, the other is DSL PPPoE:

route-map clear-df-bit permit 130
 set ip df 0
interface Ethernet 0
 ip policy route-map clear-df-bit

The third is to use the most excellent DF bit override from Cisco:
http://www.cisco.com/en/US/products/sw/iosswrel/ps1839/products_feature_guide09186a0080087ae1.html

I don't think this is your problem but it's definitely worth a check.

 

by: int21dotorg, posted on 2005-03-11 at 07:58:03, ID: 13518021

To address some of the earlier comments, changing the infrastructure (including the use of IPSec) is not an option. About the "vagueness", I'm aware of this, but we hadn't been able to measure on peak moments yet.

We've collected ping responses today, and they've been more than acceptable, i.e. on average well below 200ms. However, there were no speed issues noticeable today. Maybe people don't work as hard on Friday...
Bandwidth usage was measured by our ISP, and we consumed about 10-20% of our capacity today, so no worries there either.

After reading the comments, I'm more and more convinced that this must be a latency issue, and as soon as we have slowdowns again I'm going to test the nagle service on our Cisco, which seems to address exactly this situation. At the same time, I'll have the other end (a client of ours) test server CPU load, and I take note of the possibility of synchronizing both sides' MTU.

Thanks for all comments so far, very constructive, I'm confident I will be handing out points soon! :)

Regards
Lars
