Slow Server response over VPN

I have set up a remote access VPN on a flat network consisting of 30 clients and 3 file and print servers (Win2K, Win2003 and Win Storage Server 2003). The VPN Firewall is an ASA 5505.

I have encountered very slow response in maneuvering about the server directory structure over the VPN, almost to the point of the connection locking up. I have figured out the optimum MTU and still I have slow response time. The really odd thing is that when I VPN in to the network and use Windows Remote Desktop, I get acceptable results. This leads me to believe that there is a server setting that I'm unaware of.

Thanks

JPertchik
jpertchik Asked:

smckellar83 Commented:
By nature Remote Desktop will be much quicker. This is because no data actually comes down over the VPN.

Double check your DNS server is on the VPN adapter (or picked up through DHCP).

This could also be possible due to the speed of both connections.
0
ryansoto Commented:
What are you using for vpn?  2 vpn devices using the public internet?  Leased lines?
0
jpertchik (Author) Commented:
ryansoto: Yes, I am using the public Internet. DSL 3/768 at the office location and either cable or DSL for my home users.

smckellar83: I agree on the speed thing but please elaborate on this issue: "Double check your DNS server is on the VPN adapter (or picked up through DHCP)". VPN adapter? Are you talking about my VPN device itself or what you see on the client under "Network Connections"? Please bear with me as I am a VPN novice.

Thanks guys!

JPertchik
0

ryansoto Commented:
It's your connection. When you traverse (or move through a file structure) you're using NetBIOS, which is a very slow protocol, especially over a vpn, especially over a vpn with your connection speed.
You need to upgrade your lines if the need justifies itself. Personally I wouldn't use the public internet for vpn purposes; it's very slow. Leased dedicated lines are much better.
0
ChiefIT Commented:
This may pertain to you:

Have you reviewed this article?
http://support.microsoft.com/default.aspx?scid=kb;en-us;898060

An alternative fix is to update to SP2 on the machine.
0
jpertchik (Author) Commented:
ryansoto: If I were to upgrade my internet connection at the office to T1, would that suffice if my users tunnelled in through their cable or DSL connections at their homes? Or do I need an actual point-to-point connection on both ends?

Thanks.

jpertchik
0
ryansoto Commented:
Yes, but you need a 2 part solution.
1.  Dedicated good connection, in your case the T1. Depending on how many people work from home you may want to look at 2 T1's (3mb).
Also, depending on what your users do, opening files still may be slow. If they open a 500k Excel file on the file server and they expect it to take 3 seconds as if it's on their local machine, they are in a world of hurt. That file will probably open in 25 seconds.
2.  A good vpn solution. You can use a PIX501 and the Cisco vpn client software, and in your case that would be sufficient, but think about the possibility of growth.
Personally, if your business may grow then you may want to look at a dedicated vpn solution, something like this:

http://products.nortel.com/go/product_content.jsp?segId=0&catId=null&parId=0&prod_id=53021&locale=en-US
0
jpertchik (Author) Commented:
Is a Cisco ASA5505 basically a PIX501? That is what I have been told.

Also, you were leading me towards Nortel. Are they more robust?

Are you saying that each of my remote users should have a box at their house as well and a dedicated connection (remote office scenario, rather than remote access)?

Thanks.

JPertchik
0
ryansoto Commented:
I am not familiar with the ASA product line but essentially yes.
The Nortel unit is designed to handle vpn traffic; it's a separate device rather than the ASA/Pix/router/firewall.
The reason for this is your vpn users will see better speeds using a separate device rather than the same router unit.
For the clients at their home office, all they would need to do is install the vpn client software on their machine and click connect. Once they connect they can get to all resources as if they were connected.

You don't need to go with a separate vpn unit, but for better throughput it's my recommendation.
0
jpertchik (Author) Commented:
We are more than likely not going to buy a new VPN device. The real question at hand is: if I get a T1 line here at the office, will my remote users see a difference in performance even though they are still going through cable and DSL?

Thanks.

JPertchik
0
ryansoto Commented:
Definitely.

Their download speeds are much more than your T1 can push out, so their connection isn't the limiting factor; it's the main office's.
0
jpertchik (Author) Commented:
OK... We're in the home stretch... T1 is beyond our reach monetarily unless we do Integrated Access (Phone and Data over Two Bonded T1s). I'm hesitant to do this as we will be putting all of our eggs in one basket. The other alternative would be cable. I have an offer on the table for 8MB down 1MB up for $100/month. Although this is not a dedicated line, would it more than likely do the trick or am I wasting my time with cable?

Thanks.

JPertchik
0
ryansoto Commented:
Cable depends... Do you get a static IP? If so, then that setup is definitely better than what you currently have.
The bonded situation is really your call. We have integrated access:
1 T1 for voice and 4 T1's for data.
If you can get a good deal on 2 bonded it may be worthwhile, but you would just need to do a cost analysis.

Also, what's the downside of having your remote clients use remote desktop into a terminal server for access? This would definitely allow you to use the cable internet service with no issues instead of going leased lines...
0

ChiefIT Commented:
T1 seems to be overkill for just 30 clients. Of course you are going to see a bit better results with a T1; it's a larger pipe. When configured correctly, broadband should work fine for you and still leave room for a little growth.

For troubleshooting the plumbing, call a plumber. CALL your phone company or ISP and have them look at data rate from their end. They can do data xfer tests from their end. I worked for the phone company and installed plenty of T1s. We tested the data rate on each unit and conditioned the lines for data xfer. The phone company or ISP owns these lines up to a D-Mark. Once they test the lines to the D-Mark, you can figure out your responsibilities to providing a good link.

You originally asked if there was a setting on the server that controls the MTU. Yes, there are. In fact, there is a little known discrepancy with a 2003 server update that can cause slow connections over a VPN. I think this article will point you in the right direction:  
http://support.microsoft.com/default.aspx?scid=kb;en-us;898060
0
jpertchik (Author) Commented:
My remote users are bringing their laptops from work home, so they don't have a computer to remote desktop with.
0
jpertchik (Author) Commented:
ryansoto: Your comments have been very informative. Thank you very much for your input. I appreciate it. I believe that if not Integrated Access, cable definitely.

JPertchik
0