Avatar of boom132
 asked on

Firebox X550e fast Term Serv - Slow Fileshare

I'm a new administrator for a company in St.Louis.  Between two office locations (geographically seperated by 15 miles), we have a tunnel with an X550e on one side and an X700 on the other.  The two devices are communicating well with each other.  However, my users have to use Terminal Services to work between the two locations.  This connection speed is fast and works well.  But I don't understand why they just can't use their VPN connection.

In other words, drag and drop, communication to the server on either end is horrendously slow, file transfer, email updates, etc... unworkable because its too slow.  We have a T1 going out and coming in to each location.. there should be plenty of bandwith available.  Obviously the rdp protocol is working... term serv is fast, fast, fast!!  

So my question is.... where do I begin to troubleshoot why file transfers are slow between the two locations outside of the terminal serv?  Is there a protocol or port or bandwith throttle inherrent in watchguard that has to be enabled?  Solving this problem would probably garner me a raise in my newfound job.  PLEASE HELP!
Microsoft Server OSVPNSoftware Firewalls

Avatar of undefined
Last Comment

8/22/2022 - Mon

Please check if there is ANY service created between the subnets to allow VPN traffic; or there is a specific service; also I would like to check if the MTU is causing the problem [In Policy Manager, go to Network->Configuration; click External; Configure->Advanced; DF bit setting for IPSec change from Copy to clear; save to firebox].

Please check and update about the results.

Thank you.

I will check first thing in the am.  Thank you for responding.

Ok, I checked my settings... and the DF Bit is currently selected at COPY.  What is the expected result by setting to CLEAR?

Additionally there are 12 policies in place:
Watchguard IPsec
BOVPN - Allow out
BOVPN - Allow in
Tunnel traffic out
Tunnel traffic in
Any Optional 1
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck

Let me take an example to explain:
Let us say when the peers negotiate SA for VPN, they also negotite path MTU, as 1400; also they decide that at this MTU all the packets would be sent with DF (don't fragment) bit set,
If such is the case, then the IPSec communication would also proceed with the same DF bit settings.
When we set DF to clear; the FB has the flexibility to fragment the IPSec packets if needed.
Many a times fragmentation is needed for the communication to proceed.

I think you have used VPN wizard ti create tunnel; hence the name BOVPN - Allow in/out; this is paractise is ANY service; you can edit the service and go to Properties tab; you would notice for Port/Protocol Any is mentioned. This allows traffic between the ends on all ports/protocols.

Please advice if making the above change if any improvement is seen.

Thank you.

Ok, I tried your suggestion above to enable the CLEAR in DFI.  This did not help.  I did however grab this line from my traffic monitor:

2008-07-22 15:01:31 Deny icmp-Dest_Unreach code(3)   Firebox tunnel.1/IPsec icmp error with data src_ip= dst_ip= pr=netbios-ns/udp src_port=137 dst_port=137 src_intf='0-External' dst_intf='0'  cannot match any flow, drop this packet 106 64 (internal policy)  13  

I get this message when trying to transfer a file from one server to a desktop in my remote location.  A 30MB file was going to take 30 minutes!  It finally times out...   It appears I'm having a problem with port 137?  

Above log indicates that the firebox is not able to match the traffic with any existing flow/policy and is deliberately dropping it.

As you have any services opened between the subnets this should all traffic; by default the BOVPN-Allow service is created as:
From tunnel-name; to ANY
Can you change it to reflect as below:
From Remote-subnet; to local-subnet
From local-subnet; to remote-subnet

Save to firebox and check if this makes any difference.

Thank you.
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.

I will try as you suggested... however, somehow I was able to get that error message to disapear.  But, my question now relates to speed.  Perhaps everything was setup correctly... here is my follow on question.

My initial problem was speed.  I have a T1 (1.5MB) connected between my two offices.  I am attempting to transfer a 30mb file between the two offices via a VPN tunnel.  When its actually downloading, it initiatly says 20min... drops to 10min and usually gets done in 6-7min or a little less.  In a perfect world... that should equate to about a 3min transfer rate.  However, this 6-7 minute transfer rate would include latency and overhead instead?  If you agree I'm correct... than I guess I've wasted your time... which I really hope I'm not...

but if not, what do you think my download time should be for a 30 mb file across a T1?

I will try your suggestion in the morning and report back my findings...  I'll keep my fingers crossed.

I would agreee with you that 6-7 minutes is good enough; it depends on the amount of encryption you are doing; if you use 3DES or use AES-256 there would be difference in the speed; both device need to encrypt and de-crypt each packet and this introduces some latency. Although FB devices have hardware acceleration but still latency is expected.

You cannot expect the same speed which you might otherwise get when doing FTP; if you have noticed on the same link if you were to do scp instead of FTP; the speed drastically reduces.
Now think about a solution where we have encryption/authentication/DH keys maintained; device need to first encrypt the packet; the receiver needs to authenticate, establish session, decrypt and finally forward the packet.

Hope I am able to clarify.

Thank you.

What would be faster for encryption?  3DES or AES-256?
Experts Exchange has (a) saved my job multiple times, (b) saved me hours, days, and even weeks of work, and often (c) makes me look like a superhero! This place is MAGIC!
Walt Forbes

View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.

Thank you for all your time.  I'm going to go ahead and close this ticket out as complete.  Thank you for all your help.  I guess, the transfer speed is correct for T1... just seems like it would be faster.

You are welcome, happy I could be of assistance.