Firebox X550e fast Term Serv - Slow Fileshare

2,709 Views
Last Modified: 2013-11-21
I'm a new administrator for a company in St. Louis. Between two office locations (geographically separated by 15 miles), we have a tunnel with an X550e on one side and an X700 on the other. The two devices are communicating well with each other. However, my users have to use Terminal Services to work between the two locations. This connection speed is fast and works well. But I don't understand why they just can't use their VPN connection.

In other words, drag and drop, communication to the server on either end is horrendously slow; file transfer, email updates, etc... unworkable because it's too slow. We have a T1 going out and coming in to each location... there should be plenty of bandwidth available. Obviously the RDP protocol is working... term serv is fast, fast, fast!!

So my question is.... where do I begin to troubleshoot why file transfers are slow between the two locations outside of the terminal serv? Is there a protocol or port or bandwidth throttle inherent in WatchGuard that has to be enabled? Solving this problem would probably garner me a raise in my newfound job. PLEASE HELP!

CERTIFIED EXPERT
Top Expert 2007

Commented:
Please check if there is ANY service created between the subnets to allow VPN traffic; or there is a specific service; also I would like to check if the MTU is causing the problem [In Policy Manager, go to Network->Configuration; click External; Configure->Advanced; DF bit setting for IPSec change from Copy to clear; save to firebox].

Please check and update about the results.

Thank you.

Author

Commented:
I will check first thing in the am.  Thank you for responding.

Author

Commented:
Ok, I checked my settings... and the DF Bit is currently selected at COPY.  What is the expected result by setting to CLEAR?

Additionally there are 12 policies in place:
FTP
HTTP
RDP
Ping
Watchguard IPsec
Watchguard
Outgoing
BOVPN - Allow out
BOVPN - Allow in
Tunnel traffic out
Tunnel traffic in
Any Optional 1

CERTIFIED EXPERT
Top Expert 2007

Commented:
Let me take an example to explain:
Let us say when the peers negotiate the SA for the VPN, they also negotiate a path MTU of 1400; also they decide that at this MTU all the packets would be sent with the DF (don't fragment) bit set.
If such is the case, then the IPSec communication would also proceed with the same DF bit settings.
When we set DF to clear, the FB has the flexibility to fragment the IPSec packets if needed.
Many times fragmentation is needed for the communication to proceed.

I think you have used the VPN wizard to create the tunnel; hence the name BOVPN - Allow in/out; this in practice is an ANY service; you can edit the service and go to the Properties tab; you would notice that for Port/Protocol, Any is mentioned. This allows traffic between the ends on all ports/protocols.

Please advise if any improvement is seen after making the above change.

Thank you.

Author

Commented:
Ok, I tried your suggestion above to enable the CLEAR in DFI.  This did not help.  I did however grab this line from my traffic monitor:

2008-07-22 15:01:31 Deny 10.0.2.254 192.168.0.33 icmp-Dest_Unreach code(3)   Firebox tunnel.1/IPsec icmp error with data src_ip=192.168.0.33 dst_ip=10.0.2.254 pr=netbios-ns/udp src_port=137 dst_port=137 src_intf='0-External' dst_intf='0'  cannot match any flow, drop this packet 106 64 (internal policy)  13  

I get this message when trying to transfer a file from one server to a desktop in my remote location.  A 30MB file was going to take 30 minutes!  It finally times out...   It appears I'm having a problem with port 137?  
CERTIFIED EXPERT
Top Expert 2007

Commented:
>> 10.0.2.254 192.168.0.33
Above log indicates that the firebox is not able to match the traffic with any existing flow/policy and is deliberately dropping it.

As you have ANY services opened between the subnets, this should allow all traffic; by default the BOVPN-Allow service is created as:
From tunnel-name; to ANY
Can you change it to reflect as below:
Allow-in
From Remote-subnet; to local-subnet
Allow-out
From local-subnet; to remote-subnet

Save to firebox and check if this makes any difference.

Thank you.
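A small parser for the traffic-monitor line quoted above, as an added example (not code from the thread or from WatchGuard). The first sample line is the one from the thread; the second is constructed in the same format with a different inner protocol, and the field names are taken from the line itself.

```python
import re
from collections import Counter

# Constructed sample: the first line is the traffic-monitor entry quoted in the thread;
# the second is made up in the same format to show a different inner protocol.
SAMPLE_LOG = """\
2008-07-22 15:01:31 Deny 10.0.2.254 192.168.0.33 icmp-Dest_Unreach code(3)   Firebox tunnel.1/IPsec icmp error with data src_ip=192.168.0.33 dst_ip=10.0.2.254 pr=netbios-ns/udp src_port=137 dst_port=137 src_intf='0-External' dst_intf='0'  cannot match any flow, drop this packet 106 64 (internal policy)  13
2008-07-22 15:02:10 Deny 10.0.2.254 192.168.0.33 icmp-Dest_Unreach code(3)   Firebox tunnel.1/IPsec icmp error with data src_ip=192.168.0.33 dst_ip=10.0.2.254 pr=cifs/tcp src_port=445 dst_port=445 src_intf='0-External' dst_intf='0'  cannot match any flow, drop this packet 106 64 (internal policy)  14
"""

# Fixed head of the line: timestamp, action, outer src/dst, protocol and optional ICMP code.
HEAD = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) "
    r"(?P<src>[\d.]+) (?P<dst>[\d.]+) (?P<proto>\S+)(?: code\((?P<code>\d+)\))?"
)
# key=value pairs, with or without single quotes around the value.
KV = re.compile(r"(\w+)=('?)([^\s']+)\2")

def parse_line(line):
    """Return a dict of fields for one traffic-monitor line, or None if it does not match."""
    m = HEAD.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec.update({k: v for k, _, v in KV.findall(line)})
    # ICMP errors carry the header of the datagram that triggered them: src_ip/dst_ip/pr
    # describe that inner datagram (here UDP 137 from the remote host), not the ICMP packet.
    rec["no_flow"] = "cannot match any flow" in line
    return rec

def unmatched_flows(log_text):
    """Count denied ICMP errors whose inner datagram matched no policy, keyed by inner
    (src_ip, dst_ip, protocol). A non-empty result is the symptom discussed in the thread:
    traffic arriving through the tunnel that no BOVPN policy covers."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["action"] == "Deny" and rec["no_flow"]:
            counts[(rec.get("src_ip"), rec.get("dst_ip"), rec.get("pr"))] += 1
    return counts

if __name__ == "__main__":
    for key, n in unmatched_flows(SAMPLE_LOG).items():
        print(f"{n} dropped: {key[0]} -> {key[1]} {key[2]}")
```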

Author

Commented:
I will try as you suggested... however, somehow I was able to get that error message to disappear. But, my question now relates to speed. Perhaps everything was set up correctly... here is my follow-on question.

My initial problem was speed. I have a T1 (1.5MB) connected between my two offices. I am attempting to transfer a 30mb file between the two offices via a VPN tunnel. When it's actually downloading, it initially says 20min... drops to 10min and usually gets done in 6-7min or a little less. In a perfect world... that should equate to about a 3min transfer rate. However, this 6-7 minute transfer rate would include latency and overhead instead? If you agree I'm correct... then I guess I've wasted your time... which I really hope I'm not...

but if not, what do you think my download time should be for a 30 mb file across a T1?

I will try your suggestion in the morning and report back my findings...  I'll keep my fingers crossed.
CERTIFIED EXPERT
Top Expert 2007

Commented:
I would agree with you that 6-7 minutes is good enough; it depends on the amount of encryption you are doing; if you use 3DES or AES-256 there would be a difference in the speed; both devices need to encrypt and decrypt each packet and this introduces some latency. Although FB devices have hardware acceleration, some latency is still expected.

You cannot expect the same speed which you might otherwise get when doing FTP; if you have noticed, on the same link if you were to do scp instead of FTP, the speed drastically reduces.
Now think about a solution where we have encryption/authentication/DH keys maintained; the device needs to first encrypt the packet; the receiver needs to authenticate, establish the session, decrypt and finally forward the packet.

Hope I am able to clarify.

Thank you.
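Putting numbers on the "30 MB over a T1" question and on the DF-bit/MTU explanation earlier in the thread, as an added example (not from the thread or from WatchGuard). The T1 rate of 1.544 Mbit/s, the file size read as 30 MiB, the 1400-byte path MTU from the expert's example, and the ESP sizes for 3DES-CBC with HMAC-SHA1-96 (8-byte IV, 12-byte ICV) are all assumptions.

```python
# Added example (not code from the thread or from WatchGuard). Assumed values:
# T1 = 1.544 Mbit/s, "30MB" = 30 MiB, path MTU 1400 as in the expert's example,
# ESP tunnel mode with an 8-byte IV and a 12-byte ICV (3DES-CBC / HMAC-SHA1-96).
T1_BPS = 1_544_000
FILE_BYTES = 30 * 1024 * 1024
PATH_MTU = 1400

def ideal_seconds(file_bytes=FILE_BYTES, bps=T1_BPS):
    """Serialisation time if every bit on the wire were file data (the '3 min' figure)."""
    return file_bytes * 8 / bps

def effective_bps(seconds, file_bytes=FILE_BYTES):
    """Goodput actually achieved, given the observed transfer time."""
    return file_bytes * 8 / seconds

def esp_tunnel_overhead(inner_len, iv=8, icv=12, block=8):
    """Bytes ESP tunnel mode adds around an inner IP packet of inner_len bytes:
    outer IPv4 header (20) + ESP header (8) + IV + padding so that
    (inner + pad + 2) is a multiple of the cipher block + pad-length/next-header (2) + ICV."""
    pad = (-(inner_len + 2)) % block
    return 20 + 8 + iv + pad + 2 + icv

def needs_fragmentation(inner_len, path_mtu=PATH_MTU):
    """True when the encrypted packet would not fit the path MTU. With DF copied from the
    inner packet it must be dropped (ICMP fragmentation-needed); with DF cleared the
    Firebox may fragment it instead, which is what the 'DF bit: Clear' setting allows."""
    return inner_len + esp_tunnel_overhead(inner_len) > path_mtu

def largest_inner_packet(path_mtu=PATH_MTU):
    """Biggest inner IP packet that still fits the tunnel path MTU unfragmented."""
    return max(n for n in range(path_mtu) if not needs_fragmentation(n, path_mtu))

def tcp_payload_efficiency(path_mtu=PATH_MTU):
    """Share of each on-wire byte that is TCP payload (inner IPv4 + TCP headers = 40 bytes)."""
    inner = largest_inner_packet(path_mtu)
    return (inner - 40) / (inner + esp_tunnel_overhead(inner))

if __name__ == "__main__":
    observed = 6.5 * 60  # midpoint of the 6-7 minutes reported in the thread
    print(f"ideal transfer: {ideal_seconds() / 60:.1f} min")
    print(f"observed 6.5 min -> {effective_bps(observed) / 1e6:.2f} Mbit/s goodput "
          f"({effective_bps(observed) / T1_BPS:.0%} of T1)")
    print(f"1500-byte frame needs fragmentation at MTU {PATH_MTU}: {needs_fragmentation(1500)}")
    print(f"largest unfragmented inner packet: {largest_inner_packet()} bytes, "
          f"payload efficiency {tcp_payload_efficiency():.1%}")
```

Framing overhead alone costs only about 6% here; the rest of the gap between the ideal and the observed time is the per-packet latency and crypto processing the reply above describes.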

Author

Commented:
What would be faster for encryption?  3DES or AES-256?
CERTIFIED EXPERT
Top Expert 2007
Commented:

Author

Commented:
Thank you for all your time.  I'm going to go ahead and close this ticket out as complete.  Thank you for all your help.  I guess, the transfer speed is correct for T1... just seems like it would be faster.
CERTIFIED EXPERT
Top Expert 2007

Commented:
You are welcome, happy I could be of assistance.