asked on

Site-to-site vpn - LAB - slow?

Hi,

to practice vpns I setup a small lab like this:

LAPTOP1 ----- ASA5505 --------- ZYXEL_USG50--------LAPTOP2

Stie to site vpn work fine, ping works great (1-2ms) but when I try to copy a file, it is slow. It is around 1-2 MB/s even though they are connected via 100Mb/s directly...

I know it is VPN, I am using AES but it is really slow... I get only around 10% of the bandwidth of this link really, as 100Mb/s = 12.5MB...

Any ideas? In the real life I never paid attention to it, vpn works and that's it... ;-)

RPPreacher

CIFS (SMB) is pretty chatty and inefficient; you will never use 100% of BW using SMB. sMB v2 (Windows 7 to Windows 7) and FTP are both better options to utilize bw.

John

VPN is slow because traffic tends to move on the slow part of the DSL bandwidth. That is, if your download is fast, the file copy going the other way is uploading and so is slow.

The one thing that does affect VPN on DSL is the MTU size. Set the MTU size on the routers at both ends to 1492 or a bit less. Default is 1500. .... Thinkpads_User

RPPreacher

Dsl??? Um, the author said 100mb direct connection

John

Yes, I read that after. But I will still check MTU sizes to see if they make any difference.

... Thinkpads_User

ASKER CERTIFIED SOLUTION

dcj21

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

Qlemo

The Zyxel can handle 90Mbit/s of VPN traffic, as Zyxel stated - but that does not say which encryption parameters they measure that with. AES should be fast, but there are not figures available showing that.
Further, the UTM part is only capable of 24Mbit/s, so maybe UTM features are applied to the VPN, slowing down performance.

m1979

ASKER

Thank you, yes counters are increasing on asa and zyxel, vpn is working fine.

There are NO services enabled on Zyxel. Will check duplex/speed today and let you know.

Thanks guys!

m1979

ASKER

I checked on Zyxel and it shows:

Router# show port status
Port Status TxPkts RxPkts Colli. TxB/s RxB/s Up Time
===============================================================================
1 100M/Full 127390 126785 0 0 0 184:54:38

So it is in full duplex and 100Mb...

MTU is 1500

m1979

ASKER

Ok so what I did, I reconfigured my devices in a way that I can ROUTE between ASA and Zyxel, no VPNs. And... the speed is still very low. It is not as bad as it was, but still...

So the problem was/is not with VPNs but somewhere in these devices? No NAT is setup, no additional features enabled...

And when I try to copy a file, it shows around 30Mb/s even though it is 100Mb/s :(

John

Assuming you have VPN still connected, 30Mb/sec is actually fairly decent (nothing will run at the full 100Mb/sec). Try a smaller MTU to see if there is any difference as VPN likes to fragment packets.
... Thinkpads_User

m1979

ASKER

no, 30Mb/s is WITHOUT vpn, just a static route from one firewall to another

SOLUTION

John

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

dcj21

Check the configuration to make sure it's set as 100M full on both devices, if it says auto, force them to 100 full

RPPreacher

>File Copy (Windows) has copy overhead related to Windows Explorer browse activities and that slows things down as well.

Same thing I said on first post.

John

>>> Same thing I said on first post. Yes. In my comment, it was purely explanatory to trying a different transfer method.

m1979

ASKER

Thanks thinkpads_user

I tried FTP: 5MB/s = 40Mb/s

Better but still 40% of my link only. I am curious why it is happening. I would accept 10-20% but not 60% decrease...

John

Another file copy application is SyncBack Pro. It has a free trial and you might give it a whirl. ... Thinkpads_User

SOLUTION

ArneLovius

membership

This solution is only available to members.

To access this solution, you must be a member of Experts Exchange.

Start Free Trial

m1979

ASKER

Fair enought ArneLovius, but my users will just copy files so this is really important.

What I want to know: is it normal or should I look for a solution?

Qlemo

You should get a Ethernet capture, e.g with Wireshark, to analyze whether the IP exchange is ok, in particular in regard of retries, duplicate Acks, or other anomalies. Having a non-VPN, ethenernet type connection with that throughput is not normal. MTU restrictions could still apply, leading to unnecessary fragmentation (increasing the traffic overhead) and more processing.

John

The file copy software I mentioned uses compression during copy so it speeds things up. ... Thinkpads_User

ArneLovius

completely understand why you want to test file copy speeds as that is what it will be used for, but to for testing the bandwidth, iperf is the way forward, you can then make changes to the VPN config and retest knowing that the test is repeatable, once you have the VPN working as best as you can get it, then try your file copy test.

m1979

ASKER

Iperf showed the same:

[ ID] Interval Transfer Bandwidth
[128] 0.0- 2.1 sec 9.54 MBytes 37.4 Mbits/sec

Any ideas please?

m1979

ASKER

Thanks guys. I decided to check the laptops as well and when I connected another laptop - it was really ok 6-7MB/s... I think sth was wrong with one laptop... nic card was set up in 100/duplex but... well...

THANKS!

John

Thank you. I was pleased to assist. .... Thinkpads_User

dcj21

Yep, that auto-detect the speed and duplex doesn't always work right. I've seen it enough that know It's one of the first things I test on 'slow, but working' connections - set the speed and duplex manually.

I also recommend setting servers manually from the start since you know they will be around for awhile. Desktop ports I leave as auto unless there is an issue.