boom132
Firebox X550e fast Term Serv - Slow Fileshare

I'm a new administrator for a company in St. Louis.  Between two office locations (geographically separated by 15 miles), we have a tunnel with an X550e on one side and an X700 on the other.  The two devices are communicating well with each other.  However, my users have to use Terminal Services to work between the two locations.  This connection speed is fast and works well.  But I don't understand why they just can't use their VPN connection.

In other words, drag and drop, communication to the server on either end is horrendously slow; file transfer, email updates, etc. are unworkable because it's too slow.  We have a T1 going out and coming in to each location; there should be plenty of bandwidth available.  Obviously the RDP protocol is working; term serv is fast, fast, fast!!

So my question is: where do I begin to troubleshoot why file transfers are slow between the two locations outside of the terminal serv?  Is there a protocol or port or bandwidth throttle inherent in WatchGuard that has to be enabled?  Solving this problem would probably garner me a raise in my newfound job.  PLEASE HELP!
dpk_wal

Please check whether there is an ANY service created between the subnets to allow VPN traffic, or whether there is a specific service. I would also like to check whether the MTU is causing the problem [In Policy Manager, go to Network->Configuration; click External; Configure->Advanced; change the DF bit setting for IPSec from Copy to Clear; save to Firebox].

Please check and update about the results.

Thank you.
boom132

ASKER

I will check first thing in the am.  Thank you for responding.
boom132

ASKER

Ok, I checked my settings... and the DF Bit is currently selected at COPY.  What is the expected result by setting to CLEAR?

Additionally there are 12 policies in place:
FTP
HTTP
RDP
Ping
Watchguard IPsec
Watchguard
Outgoing
BOVPN - Allow out
BOVPN - Allow in
Tunnel traffic out
Tunnel traffic in
Any Optional 1
Let me take an example to explain:
Let us say that when the peers negotiate the SA for the VPN, they also negotiate a path MTU of 1400; they also decide that at this MTU all packets will be sent with the DF (don't fragment) bit set.
If such is the case, then the IPSec communication would also proceed with the same DF bit setting.
When we set DF to Clear, the FB has the flexibility to fragment the IPSec packets if needed.
Many times fragmentation is needed for the communication to proceed.

I think you have used the VPN wizard to create the tunnel, hence the name BOVPN - Allow in/out; in practice this is an ANY service. You can edit the service and go to the Properties tab; you will notice that Any is mentioned for Port/Protocol. This allows traffic between the ends on all ports/protocols.

Please advise whether any improvement is seen after making the above change.

Thank you.
boom132

ASKER

Ok, I tried your suggestion above and set the DF bit to CLEAR.  This did not help.  I did, however, grab this line from my traffic monitor:

2008-07-22 15:01:31 Deny 10.0.2.254 192.168.0.33 icmp-Dest_Unreach code(3)   Firebox tunnel.1/IPsec icmp error with data src_ip=192.168.0.33 dst_ip=10.0.2.254 pr=netbios-ns/udp src_port=137 dst_port=137 src_intf='0-External' dst_intf='0'  cannot match any flow, drop this packet 106 64 (internal policy)  13  

I get this message when trying to transfer a file from one server to a desktop in my remote location.  A 30MB file was going to take 30 minutes!  It finally times out...   It appears I'm having a problem with port 137?  
>> 10.0.2.254 192.168.0.33
The above log indicates that the Firebox is not able to match the traffic with any existing flow/policy and is deliberately dropping it.

As you have ANY services opened between the subnets, this should allow all traffic; by default the BOVPN-Allow service is created as:
From tunnel-name; to ANY
Can you change it to reflect as below:
Allow-in
From Remote-subnet; to local-subnet
Allow-out
From local-subnet; to remote-subnet

Save to firebox and check if this makes any difference.

Thank you.
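The log line quoted in this exchange is the kind of thing worth parsing rather than eyeballing: the Firebox is denying an ICMP Destination Unreachable (code 3, port unreachable) that arrived through the tunnel, and the message it carries in its payload refers to a UDP/137 flow the Firebox has no state for, so it drops it ("cannot match any flow"). The script below is an added example, not code from the thread or from WatchGuard: it parses that one line (copied verbatim as sample input), recovers the original 5-tuple the ICMP error refers to, and classifies the drop. The two subnets (10.0.2.0/24 and 192.168.0.0/24) are assumptions; the thread names only the two hosts, never the masks.

```python
"""Parse a WatchGuard traffic-monitor deny line and explain an ICMP-error drop.

Added example, not from the original thread. Only the one line the asker
posted is used as input; the field layout assumed here is what that line shows
and may not cover every Firebox log format.
"""
import ipaddress
import re
from typing import Dict, Optional

# Verbatim copy of the line posted in the thread.
SAMPLE_LINE = (
    "2008-07-22 15:01:31 Deny 10.0.2.254 192.168.0.33 icmp-Dest_Unreach code(3)   "
    "Firebox tunnel.1/IPsec icmp error with data src_ip=192.168.0.33 dst_ip=10.0.2.254 "
    "pr=netbios-ns/udp src_port=137 dst_port=137 src_intf='0-External' dst_intf='0'  "
    "cannot match any flow, drop this packet 106 64 (internal policy)  13"
)

# Assumed subnets (hypothetical; the thread never states the masks).
LOCAL_NET = ipaddress.ip_network("10.0.2.0/24")
REMOTE_NET = ipaddress.ip_network("192.168.0.0/24")

# Fixed leading fields: date, time, action, outer src, outer dst, protocol text.
HEAD_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<action>Allow|Deny) (?P<src>\S+) (?P<dst>\S+) (?P<proto>\S+)"
)
# key=value pairs; values are either single-quoted ('0-External') or bare.
KV_RE = re.compile(r"(\w+)=('([^']*)'|\S+)")


def parse_line(line: str) -> Dict[str, object]:
    """Return the header fields plus every key=value pair found on the line."""
    m = HEAD_RE.match(line)
    if not m:
        raise ValueError("not a traffic-monitor line")
    rec: Dict[str, object] = dict(m.groupdict())
    for key, raw, quoted in KV_RE.findall(line):
        rec[key] = quoted if raw.startswith("'") else raw
    # The two free-text markers that matter for this drop.
    rec["icmp_error"] = "icmp error with data" in line
    rec["no_flow"] = "cannot match any flow" in line
    return rec


def quoted_flow(rec: Dict[str, object]) -> Optional[Dict[str, object]]:
    """The original 5-tuple an ICMP error message refers to.

    An ICMP error carries the start of the packet that triggered it, so the
    src_ip/dst_ip/ports in the log describe that *original* packet, not the
    ICMP packet itself (whose outer src/dst are reversed relative to it).
    """
    if not rec.get("icmp_error"):
        return None
    service, _, proto = str(rec["pr"]).partition("/")
    return {
        "src": rec["src_ip"], "dst": rec["dst_ip"],
        "proto": proto, "service": service,
        "sport": int(str(rec["src_port"])), "dport": int(str(rec["dst_port"])),
    }


def explain(rec: Dict[str, object], local_net, remote_net) -> str:
    """Classify a deny: a stateful firewall only accepts an ICMP error if it
    has a flow entry for the packet quoted inside it. Here it has none, and
    the quoted flow runs between the two tunnel subnets."""
    if rec["action"] != "Deny":
        return "allowed"
    flow = quoted_flow(rec)
    if flow is None or not rec["no_flow"]:
        return "policy-deny"
    a = ipaddress.ip_address(str(flow["src"]))
    b = ipaddress.ip_address(str(flow["dst"]))
    crosses_tunnel = (a in local_net and b in remote_net) or (a in remote_net and b in local_net)
    return "icmp-error-for-unknown-tunnel-flow" if crosses_tunnel else "icmp-error-for-unknown-flow"


if __name__ == "__main__":
    rec = parse_line(SAMPLE_LINE)
    print("ICMP packet:", rec["src"], "->", rec["dst"], rec["proto"], "on", rec["src_intf"])
    print("quoted original flow:", quoted_flow(rec))
    print("verdict:", explain(rec, LOCAL_NET, REMOTE_NET))
```

The point the classification makes explicit: the ICMP error itself came in on the External interface (through tunnel.1), while the flow it refers to is 192.168.0.33 to 10.0.2.254 UDP/137 (NetBIOS name service). Because the Firebox never created state for that flow, the error has nothing to attach to and is dropped by internal policy, which is why the fix offered above is to make the BOVPN policies match the two subnets explicitly rather than "tunnel to ANY".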
boom132

ASKER

I will try as you suggested... however, somehow I was able to get that error message to disappear.  But my question now relates to speed.  Perhaps everything was set up correctly... here is my follow-on question.

My initial problem was speed.  I have a T1 (1.5MB) connected between my two offices.  I am attempting to transfer a 30mb file between the two offices via a VPN tunnel.  When it's actually downloading, it initially says 20min... drops to 10min and usually gets done in 6-7min or a little less.  In a perfect world... that should equate to about a 3min transfer rate.  However, this 6-7 minute transfer rate would include latency and overhead instead?  If you agree I'm correct... then I guess I've wasted your time... which I really hope I'm not...

but if not, what do you think my download time should be for a 30 mb file across a T1?

I will try your suggestion in the morning and report back my findings...  I'll keep my fingers crossed.
I would agree with you that 6-7 minutes is good enough; it depends on the amount of encryption you are doing; if you use 3DES or AES-256 there would be a difference in speed; both devices need to encrypt and decrypt each packet and this introduces some latency. Although FB devices have hardware acceleration, some latency is still expected.

You cannot expect the same speed which you might otherwise get when doing FTP; if you have noticed, on the same link, if you were to do scp instead of FTP the speed drastically reduces.
Now think about a solution where we have encryption/authentication/DH keys maintained; the device needs to first encrypt the packet; the receiver needs to authenticate, establish the session, decrypt and finally forward the packet.

Hope I am able to clarify.

Thank you.
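Two of the points made in this thread can be put into numbers: the DF-bit / MTU discussion earlier (why a 1400-byte inner MTU survives an ESP tunnel on a 1500-byte link, and what "DF copy" versus "DF clear" does to a packet that does not fit), and the asker's question of how long a 30 MB file should take over a T1 once IPsec and TCP/IP overhead are counted. The script below is an added example, not code from the thread or from WatchGuard. It assumes tunnel-mode ESP without NAT-T UDP encapsulation, HMAC-SHA1-96 (12-byte ICV), standard CBC block/IV sizes for 3DES and AES, and the T1 payload rate of 1.536 Mbit/s (24 x 64 kbit/s); none of those parameters are stated in the thread, so treat the results as a ceiling, not a prediction.

```python
"""ESP overhead, inner MTU, DF handling and a T1 transfer-time ceiling.

Added example, not from the original thread. Header sizes are the standard
ones for IPv4 + ESP (RFC 4303); cipher and line-rate choices are assumptions.
"""
from dataclasses import dataclass

OUTER_IP = 20          # new IPv4 header added in tunnel mode
ESP_HEADER = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2        # pad length (1) + next header (1)
ICV = 12               # HMAC-SHA1-96 / HMAC-MD5-96 truncated ICV (assumed)
TCP_IP_HEADERS = 40    # inner IPv4 (20) + TCP (20), no options
T1_PAYLOAD_BPS = 1_536_000.0   # 24 DS0 channels; 1.544 Mbit/s gross minus framing


@dataclass(frozen=True)
class Cipher:
    name: str
    block: int   # CBC block size; payload + trailer is padded to a multiple of it
    iv: int      # explicit IV carried in every ESP packet


CIPHERS = {
    "3des-cbc": Cipher("3des-cbc", block=8, iv=8),
    "aes-cbc": Cipher("aes-cbc", block=16, iv=16),   # AES-128/192/256 share these sizes
}


def esp_padding(inner_len: int, cipher: Cipher) -> int:
    """Padding bytes so that payload + padding + trailer is a block multiple."""
    return (-(inner_len + ESP_TRAILER)) % cipher.block


def esp_wire_size(inner_len: int, cipher: Cipher) -> int:
    """Bytes on the external link for one inner IP packet of inner_len bytes."""
    return (OUTER_IP + ESP_HEADER + cipher.iv
            + inner_len + esp_padding(inner_len, cipher) + ESP_TRAILER + ICV)


def max_inner_mtu(outer_mtu: int, cipher: Cipher) -> int:
    """Largest inner packet whose ESP encapsulation still fits outer_mtu."""
    n = outer_mtu
    while n > 0 and esp_wire_size(n, cipher) > outer_mtu:
        n -= 1
    return n


def df_bit_outcome(inner_len: int, cipher: Cipher, outer_mtu: int, df_copied: bool) -> str:
    """Fate of an inner packet that carries DF, as described in the thread.

    With "DF copy" the inner DF bit is copied to the outer header, so an ESP
    packet that exceeds the link MTU cannot be fragmented and is dropped;
    with "DF clear" the Firebox may fragment the ESP packet instead.
    """
    if esp_wire_size(inner_len, cipher) <= outer_mtu:
        return "forwarded"
    return "dropped-needs-fragmentation" if df_copied else "fragmented"


def transfer_seconds(file_bytes: int, line_rate_bps: float, inner_mtu: int, cipher: Cipher) -> float:
    """Lower bound on transfer time: full-size TCP segments, each ESP-wrapped,
    sent back to back at the line rate. Ignores ACK traffic, TCP slow start,
    loss, and the encrypt/decrypt latency the thread discusses."""
    payload_per_segment = inner_mtu - TCP_IP_HEADERS
    segments = -(-file_bytes // payload_per_segment)   # ceiling division
    wire_bytes = segments * esp_wire_size(inner_mtu, cipher)
    return wire_bytes * 8 / line_rate_bps


if __name__ == "__main__":
    for c in CIPHERS.values():
        print(f"{c.name}: max inner MTU on a 1500-byte link = {max_inner_mtu(1500, c)}, "
              f"1400-byte inner packet -> {esp_wire_size(1400, c)} bytes on the wire")
    aes = CIPHERS["aes-cbc"]
    print("1439-byte inner packet, DF copy :", df_bit_outcome(1439, aes, 1500, True))
    print("1439-byte inner packet, DF clear:", df_bit_outcome(1439, aes, 1500, False))
    t = transfer_seconds(30 * 1024 * 1024, T1_PAYLOAD_BPS, 1400, aes)
    print(f"30 MiB over a T1 at inner MTU 1400 with AES-CBC: at least {t/60:.1f} min")
```

Under these assumptions a 1500-byte external link leaves room for a 1438-byte inner packet with AES-CBC (1446 with 3DES), so a negotiated 1400-byte path MTU fits with the DF bit intact; anything larger with DF set is dropped under "DF copy" and fragmented under "DF clear". The transfer ceiling for 30 MiB works out to just under three minutes, which is the "perfect world" figure the asker arrived at; everything between that and the observed 6-7 minutes is TCP behaviour on a 15-mile link plus the per-packet crypto cost.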
boom132

ASKER

What would be faster for encryption?  3DES or AES-256?
ASKER CERTIFIED SOLUTION
dpk_wal

This solution is only available to members.
boom132

ASKER

Thank you for all your time.  I'm going to go ahead and close this ticket out as complete.  Thank you for all your help.  I guess, the transfer speed is correct for T1... just seems like it would be faster.
You are welcome, happy I could be of assistance.