Questions on Best MTU Setting to Optimize VPN Throughput

Asked by adoughe in Virtual Private Networking (VPN), IPSec Security Protocol, Secure Socket Layer (SSL) & HTTPS

Tags: IP Sec IPSec SSL VPN SSLVPN NetExtender Microsoft Sonicwall MTU

We have 3500 Sonicwall GVC users in the field and have a Sonicwall NSA 4500 HA pair. These users use anything and everything to connect to our network to do SQL Server merge replication. We want to implement SSL VPN using the NetExtender client software available from Sonicwall, but throughput when connected via NetExtender is 4 1/2 times slower than GVC. I suspect we have improper MTU settings. All servers and workstations have default MTU settings. The Sonicwall has an MTU of 1500 on the WAN interface. Testing shows that our ISP gateway will not pass a packet larger than 1468 bytes without fragmentation, a recent discovery. I have an open case with them trying to learn why it is not 1500, as we have an Ethernet connection to the Internet. The Sonicwall GVC uses IP Sec which, from what I have read, has an overhead of 52 bytes. NetExtender uses PPP and, again from what I have read, has an overhead of only 8 bytes. Sonicwall has told me that the speeds between the two should be comparable. They said IP Sec will be perhaps 5 to 10 percent faster than SSL VPN. A file downloaded to my workstation via GVC takes 3 minutes 10 seconds but 16 minutes and 10 seconds via SSL VPN. All field users use Microsoft XP and all servers on our LAN are Windows Server 2003.

Right now I am leaning toward initially changing the MTU to 1468 minus 52 (IP Sec overhead), or 1416, in our Sonicwall. I have read, though, that "telecommuters" sometimes are best served by an MTU even lower, perhaps as low as 1200.

Question One
Can anyone suggest why our NetExtender SSL VPN is so slow?  Average CPU utilization on our Sonicwall is near 0 percent.

Question Two - Main Question
Our business is mainly providing our services via these VPN connections so we want an MTU that is ideal for GVC and SSL VPN. In order to optimize speed through VPN what MTU should we use in our Sonicwall to best support VPN users connected via almost everything, e.g. ADSL, cable, Verizon air cards, etc?  Should the MTU be changed on the servers?  On the workstations? Can anyone make any recommendations with clear explanations to justify the recommendations?

Thanks in advance.
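
An added example, not part of the original question: a Python sketch of the path-MTU test the question describes (Don't Fragment pings, binary-searched for the largest size that passes), followed by the inner MTU and TCP MSS that fit once tunnel overhead is subtracted. The host name `vpn-gateway.example`, the function names and the simulated probe are assumptions made for illustration; the 52-byte and 8-byte overheads are the figures quoted in the question, taken as given.

```python
import platform
import subprocess

ICMP_OVERHEAD = 28   # 20-byte IPv4 header (no options) + 8-byte ICMP echo header
TCP_IP_HEADERS = 40  # 20-byte IPv4 header + 20-byte TCP header, no options

def ping_df(host, payload):
    """One echo request with Don't Fragment set; True only on a real echo reply."""
    if platform.system() == "Windows":
        cmd = ["ping", "-f", "-l", str(payload), "-n", "1", host]
    else:  # Linux iputils syntax
        cmd = ["ping", "-M", "do", "-s", str(payload), "-c", "1", host]
    out = subprocess.run(cmd, capture_output=True).stdout
    return b"ttl=" in out.lower()  # echo replies print a TTL; fragmentation errors do not

def largest_unfragmented_packet(host, probe=ping_df, low=548, high=1472):
    """Binary-search the largest DF payload that passes; return the IP packet size."""
    if not probe(host, low):
        raise RuntimeError("smallest probe failed; ICMP may be filtered on this path")
    while low < high:
        mid = (low + high + 1) // 2
        if probe(host, mid):
            low = mid
        else:
            high = mid - 1
    return low + ICMP_OVERHEAD

def tunnel_budget(path_mtu, overhead):
    """Inner MTU and TCP MSS that fit in path_mtu once tunnel overhead is added."""
    inner_mtu = path_mtu - overhead
    return {"inner_mtu": inner_mtu, "tcp_mss": inner_mtu - TCP_IP_HEADERS}

def simulated_probe(limit):
    """Constructed stand-in for a path that drops DF packets larger than limit."""
    return lambda host, payload: payload + ICMP_OVERHEAD <= limit

if __name__ == "__main__":
    # Constructed run: a 1468-byte path, with the overhead figures quoted in the question.
    mtu = largest_unfragmented_packet("vpn-gateway.example", simulated_probe(1468))
    for name, overhead in (("IPsec (GVC)", 52), ("PPP (NetExtender)", 8)):
        print(name, mtu, tunnel_budget(mtu, overhead))
```

The size given to `ping` is the ICMP payload, so a payload of 1440 corresponds to a 1468-byte IP packet; confirm which of the two a measured limit refers to before subtracting tunnel overhead from it.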
11/05/09 10:14 AM, ID: 25752233, Expert Comment
11/05/09 10:24 AM, ID: 25752321, Author Comment