  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 999
  • Last Modified:

VPN Poor Performance

Hi All,

I have a VPN performance problem, e.g. from the site in question if I download a file in Internet Explorer, from head office, directly over the internet I see approx 950k, when downloading the same file through the VPN I see around 300k.

And this performance is reflected when using the VPN day to day.

The measurements have been taken from the router so hopefully exclude any overhead issues with the VPN.

The basic is a Watchguard X series at head office and Vigor 2600plus routers at the remote sites. The VPN is using IPSec Tunnel (DES-SHA1)

I really need some direction to establish why the VPN is not using the full bandwidth available.

Thank you.
0
Asked: hotkeys
4 Solutions
m1crochipCommented:
There is a ton of extra data with the VPN - where does the router give you these measurements?
0
 
Rob WilliamsCommented:
When you are using a VPN the best performance you can expect is the upload speed of your ISP rather than the download speed that you are measuring from the Internet. This is often less than half. Also there is of course a slight degradation due to the encrypting and decrypting of data.
Having said that, if you ping a device on the remote end of the tunnel what kind of response times do you get? For a VPN to function properly it should be less than 125ms; a good connection should be down in the 30ms range. Might be worth checking that first.
0
 
m1crochipCommented:
Maybe I'm confused - are you at the remote location downloading a file from the head office over the internet (no VPN) and then the same file (from the same location) using the VPN? This is what I thought you meant. If so, your head office upload speed is the 950K, and your total data rate should be closer to this than 300k even though there is more traffic coming from the remote (your) location (which probably has a slower upload speed) to keep the VPN alive.
0
 
m1crochipCommented:
This is not to say the file will download nearly as quickly as without using the VPN
0
 
JoesmailCommented:
It is using the full bandwidth available. You mentioned your IPSEC encryption.

Each piece of data sent from your PC gets the normal header information attached at each of the layers as the packet travels to your firewall/VPN device. This is also occurring when downloading directly over the internet.

In the case of the VPN, as soon as the packet destination is matched as VPN traffic it starts adding hashing, e.g. MD5, and encryption, e.g. DES, 3DES, etc., designed to stop people being able to look at what the real data is, e.g. "this is my real data" gets turned into "%6023hrpnbsda-0f7=h230rsdh0fh-289rh0-asdyf-92h8r-9as8yf-98sh".

So without boring you further....
- http packet "tag.......this is my real data....tag" is received as "tag.....this is my real data...tag". There are the minimal headers attached as indicated using the DOD model.

You can speed it up slightly by downgrading your encryption and/or authentication mechanisms and hashing..

e.g. instead of using 3DES/SHA1 on your ISAKMP and IPSEC phases you could use DES/MD5.

Although this is not going to speed the download up to what a "direct un-secure connection over the internet" connection will go.

Your VPN speed is normal. This is the price you pay for security over a cheap public infrastructure.

1:1 speed costs.
0
 
JoesmailCommented:
Alternatively you can put in a hardware accelerator for VPN traffic and/or QoS for encrypted VPN traffic. This is all possible on Cisco ASA devices. The Watchguard 7000 series has QoS but the Vigor will not have any of these capabilities.

Oh and all the other experts above are also right.  There are many factors such as they have mentioned that can degrade performance.
0
 
hotkeysAuthor Commented:
Thank you all for your thoughts.

m1crochip - I have been measuring the throughput via SNMP traps on the two routers. I accept the real world performance over the VPN will be less due to encryption overheads, but was expecting it to flood the connection.

robwill - an example ping from head office to a remote router:

Pinging 192.168.98.1 with 32 bytes of data:

Reply from 192.168.98.1: bytes=32 time=29ms TTL=254
Reply from 192.168.98.1: bytes=32 time=29ms TTL=254
Reply from 192.168.98.1: bytes=32 time=29ms TTL=254
Reply from 192.168.98.1: bytes=32 time=29ms TTL=254

All the remote routers give similar results.

Rob, if I understand your first comments correctly are you saying VPN performance will be limited to 256k?
Head office is on a synchronous connection
Sites are using ADSL and therefore have an upload speed of 256k.

Microchip – yes your summary of the situation is spot on

Joesmail – my concern is not that the real world performance is degraded using the VPN (I completely accept that will be the price to pay for encrypting data) but that the available bandwidth is not fully utilised.

Cheers

John
0
 
JoesmailCommented:
Hi John,
>>"Joesmail – my concern is not that the real world performance is degraded using the VPN (I completely accept that will be the price to pay for encrypting data) but that the available bandwidth is not fully utilized."

To measure if your pipe is being utilized at the same rate when downloading and when using the VPN you would have to use some link monitoring software using SNMP.

I don't know how familiar you are with these tools, although using something like MRTG: http://people.ee.ethz.ch/~oetiker/webtools/mrtg/ (there is a Windows version) or another product such as Solarwinds: http://www.solarwinds.net/ would be an excellent way of measuring how much data is passing through your pipe. These measures are going to take you some time if you're not familiar with them though.

The alternative is to use Ethereal: http://www.ethereal.com/ and attach it to a hub in the same subnet as your firewall/VPN's outside interface and monitor the amount of data being throughput (packets) while you run a batch file with the exact same download. Although this is not the most ideal it is a quick easy test to see the following (make sure it is out of operating hours without other traffic interfering):

A) How fast your firewall is with normal traffic.
B) How fast your firewall is when encrypting traffic

Obviously encryption uses a lot more resources as we have pointed out.

In larger organisations I have used QoS on VPN traffic. I am not sure if Watchguard are at this stage as most of these firewall series are obviously running Linux kernels....anyhoo....We use at 1 client in particular MPLS QoS - this basically means we change the priority on the layer 2 packets before they hit the inside interface of the firewall. This tag tells the firewall to evaluate the VPN traffic with high priority over everything else....
0
 
hotkeysAuthor Commented:
I am using PRTG (http://www.paessler.com/prtg) to monitor the traffic at various points on the network - this clearly shows that the available bandwidth is not being used.

At the time of testing there has been minimal 'other' traffic, so although a QoS implementation may help at busy times it does not help me here - any other ideas?
0
 
mattacukCommented:
The Vigor routers never were the best kit for VPN. I have seen them fall over on many occasions where the Cisco router (especially with a VPN module) would handle connections no problem. Sounds to me possibly fragmentation is occurring - this would affect the performance of the VPN. As mentioned above the data frames have extra parts added on the end for encryption when sent over the "tunnel" from LAN 2 LAN. You could try reducing the MTU on the internal VLAN; this will ensure frames will have enough space for the IPSEC headers, thus fragmentation not occurring.
0
 
Rob WilliamsCommented:
>>"Rob, if I understand your first comments correctly are you saying VPN performance will be limited to 256k?"

That is my understanding. It was explained to me that the limitation is the fact that you are effectively uploading the files to the ISP from your remote site, before downloading to your local site. Thus, the initial upload is the limitation. I have always found I could not get better than 85%-90% of the advertised upload speed at any of the sites I work with.
0
 
hotkeysAuthor Commented:
mattacuk - thank you, possibly incorrectly I had ruled out packet fragmentation.

Possibly naively I had thought that as the additional packet header information is added by the VPN appliance and then removed at the other end, the routing of an IPSEC tunnel would be designed with a maximum MTU of 1500 + wrapper.

Although we have not had any problems with the Vigor units I have read some horror stories.

So I think my current plan is:

- Do some packet sniffing to look for fragments
- Do some testing with a simple PPTP link to see if the same issues exist
- Try and beg/borrow/steal another VPN appliance – perhaps another Watchguard

What do you think?
0
 
hotkeysAuthor Commented:
RobWill

Well if that is the case - *******s

Can anyone confirm if this is correct?
0
 
Rob WilliamsCommented:
Any chance of creating a test environment by relocating 1 PC and router to the other site, physically connect the WAN ports of the 2 routers, and do a file transfer? Pain in the neck, but could rule out all but the Internet as the source of the delay.
0
 
hotkeysAuthor Commented:
Rob

Because the Vigor box includes the ADSL modem that would not be possible. However I really think I have ruled out Internet performance.

We have 8 of these currently up and running and they are all exactly the same, VPN traffic peaking at 400k.
0
 
mattacukCommented:
Hotkeys, glad to be of help. Even the most powerful routers will perform poorly if the MTU is not set to allow for the VPN "wrapping". The standard MTU is 1500 bytes; you could try reducing the MTU to 1420 and see if this makes any difference to performance. That said, it may be you are getting what you pay for with your connection. Let me know if this makes any difference.
0
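The following is an added worked example (not code from the thread or from any of the vendors mentioned) that puts numbers on Joesmail's "extra data" point and on mattacuk's MTU advice. It computes the ESP tunnel-mode overhead from the RFC 4303 field sizes for the DES-SHA1 proposal in the question (and, as a generalisation, for 3DES and AES-CBC), shows that a 1500-byte inner packet no longer fits a 1500-byte path MTU, and derives the largest inner MTU and TCP MSS that avoid fragmentation. The cipher and ICV sizes are the standard ones; no encryption is performed.

```python
# Added example: ESP tunnel-mode size arithmetic, to show why a 1500-byte
# inner packet fragments over IPsec and what inner MTU avoids it.
# Field sizes follow RFC 4303 (ESP), RFC 2404 (HMAC-SHA1-96) and RFC 2403
# (HMAC-MD5-96); cipher names are labels only, no crypto is performed.

OUTER_IPV4 = 20      # new outer IPv4 header added in tunnel mode
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
NAT_T_UDP = 8        # extra UDP header when NAT traversal (UDP 4500) is in use

# (cipher block size, IV length) for the CBC ciphers discussed in the thread
CIPHERS = {"DES": (8, 8), "3DES": (8, 8), "AES-CBC": (16, 16)}
ICV = {"MD5": 12, "SHA1": 12}   # both HMAC variants truncate to 96 bits


def esp_tunnel_size(inner_len, cipher="DES", auth="SHA1", nat_t=False):
    """Bytes on the wire after ESP tunnel-mode encapsulation of an inner
    IP packet of inner_len bytes."""
    block, iv_len = CIPHERS[cipher]
    # Payload + padding + 2-byte trailer must be a multiple of the cipher
    # block size (RFC 4303 section 2.4), so padding depends on inner_len.
    pad = (-(inner_len + ESP_TRAILER)) % block
    size = OUTER_IPV4 + ESP_HDR + iv_len + inner_len + pad + ESP_TRAILER + ICV[auth]
    return size + (NAT_T_UDP if nat_t else 0)


def max_inner_mtu(path_mtu=1500, cipher="DES", auth="SHA1", nat_t=False):
    """Largest inner packet that still fits in path_mtu after encapsulation."""
    inner = path_mtu
    while esp_tunnel_size(inner, cipher, auth, nat_t) > path_mtu:
        inner -= 1
    return inner


def tcp_mss_for(path_mtu=1500, cipher="DES", auth="SHA1", nat_t=False):
    """TCP MSS to clamp to: inner MTU minus IPv4 (20) and TCP (20) headers."""
    return max_inner_mtu(path_mtu, cipher, auth, nat_t) - 40


if __name__ == "__main__":
    for inner in (1500, 1420):          # default MTU vs mattacuk's suggestion
        wire = esp_tunnel_size(inner)   # DES-SHA1 as in the question
        verdict = "fragments" if wire > 1500 else "fits"
        print(f"inner {inner} -> {wire} bytes on the wire, {verdict} in a 1500-byte path MTU")
    print("max inner MTU for DES-SHA1:", max_inner_mtu())   # 1446
    print("TCP MSS clamp for DES-SHA1:", tcp_mss_for())     # 1406
```

A 1420-byte inner MTU leaves headroom below the computed 1446-byte limit, so every encapsulated packet fits; the same arithmetic with nat_t=True or AES-CBC shows how the margin shrinks.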
 
JoesmailCommented:
Hi Rob,

>>"Try and beg/borrow/steal another VPN appliance – perhaps another Watchguard"

I think this is your best solution. You might have to compare the performance of another device. It is possible that the series of Watchguard you have doesn't cope well with encryption.

There are always plenty of vendors who will give you a new model for your testing purposes for a couple of weeks.
0
 
Rob WilliamsCommented:
Hi Joesmail !

hotkeys, just for the record, as a reference when you are testing, the site where I am tonight uses Watchguards, old SOHO's (pre-SOHO6) and I was able to copy files from one site to the other over a VPN connection at 825Kbps. Advertised speed for the same service at both sites is "Speeds up to 5 Mbps downstream and up to 1 Mbps upstream ".

Maybe as you suggested you could get better performance from the Watchguards.
0
 
hotkeysAuthor Commented:
Joesmail - It better not be a limit of the Watchguard - the X700 claims a VPN throughput of 40/60 Mbps

I am more and more thinking this is down to the Vigors. Our supplier has agreed to lend me a Zyxel P661 which offers the same feature set. I will give that a go before going the Watchguard route.

Main reason is my life is a lot easier if the sites have a single box solution.

Thank you all for your help, not 100% sure how to allocate the points, would you guys be OK with a straight split between

M1crochip
RobWill
Joesmail
Mattacuk

John
0
 
mattacukCommented:
The Vigors are more of a home solution, but a lot of IT companies like to use them because they're easy to set up! Hope you get things sorted John.
Oh and yeah, split points are ok by me!
0
 
Rob WilliamsCommented:
>>"It better not be a limit of the Watchguard - the X700 claims a VPN throughput of 40/60 Mbps"
In a LAN environment. Show me a 40/60 Mbps Internet connection.

hotkeys, I too have no problem with a point split or for that matter 0 points, as I have supplied food for thought but at this point no solution. You may want to keep the question open until resolved, I know personally I would very much like to know what the ultimate source of the problem is.
--Rob
0
 
JoesmailCommented:
split is cool.
0
 
Rob WilliamsCommented:
Thanks hotkeys,
--Rob
0