Solved

VPN Speeds

Posted on 2014-02-05
Last Modified: 2014-07-24
I have a user in Atlanta connected back to my office in PA. She has Business Class Internet from Comcast pulling 25d/25u. We have a Fiber connection to Windstream getting 20d/20u.

She has a Cisco 871 router that uses VPN to connect back to my ASA5510. Connection is solid as we use VoIP. When I upload a file from her computer in GA to my network, the speed is around 35k.

I know there is some overhead running traffic through a VPN, but that seems excessive.

Any thoughts on where to start?
Question by:bcrosby007
20 Comments
 
LVL 3

Expert Comment

by:ArronG
It could be a huge range of things....
Could be anything from dual routes on the router site causing a delay or dropping packets, faulty duplex setting on computer NIC to the switch routes on local PC. Possibly a desktop issue, lots and lots to explore.
It may be a QoS or packet/bandwidth shaping incorrect configuration on the routers??

As a start, run a tracert from one PC to the other and see if the results are going down the right routing path and in the right direction.
Have you noticed any significant delay or loss of packets from a continual ping?
Also, download and run LanSpeedTestLite from totusoft and transfer a 20Mb file to see what the results are.

ArronG

LVL 7

Author Comment

by:bcrosby007
This is the config for the Cisco 871 VPN
crypto ipsec client ezvpn ASA
 connect auto
 group REMOTE key xxxxxxx
 mode network-extension
 peer xxx.xxx.xxx.xxx
 username remote2 password xxxxxx
 xauth userid mode local
!


interface FastEthernet4
 ip address dhcp
 ip access-group 101 in
 ip mtu 1492
 ip nat outside
 ip inspect OUTSIDE out
 ip virtual-reassembly
 ip tcp adjust-mss 542
 duplex auto
 speed auto
 crypto ipsec client ezvpn ASA
 max-reserved-bandwidth 100
 service-policy output shapevpn2


LVL 7

Author Comment

by:bcrosby007
If I tracert from my office in PA to hers in Atlanta, it hits my default gateway, then immediately hits hers.

LVL 3

Expert Comment

by:ArronG
Use the totusoft software to try a speed test between systems.
Also, try the test from the Atlanta PC to another PC in the Atlanta office in case it's a LAN issue rather than VPN related.

LVL 7

Author Comment

by:bcrosby007
Here is what I got..

Totusoft results

LVL 57

Expert Comment

by:giltjr
Unless there is a specific reason you have such a low MSS, I would suggest you increase it.  You have:

     ip tcp adjust-mss 542

I would suggest at least 1000.  Not sure where you got 542 from.

What this does is reduce the max. number of bytes sent in a TCP packet from about 1452 down to 542.  This means if you are doing something like say a speed test, for every 1 packet you would normally send you are going to send 3.  This means you have 3 times the overhead.

LVL 7

Author Comment

by:bcrosby007
Where all do I have to change this? Just on the 871 router or could this be on the ASA as well?

LVL 57

Expert Comment

by:giltjr
Do you have  ip tcp adjust-mss coded on the ASA?

LVL 7

Author Comment

by:bcrosby007
No. It was just on the F4 interface on the 871 router. I changed the ip tcp adjust-mss to 1350 based on what I set the MTU to (1400). Make sense? Don't they kind of do the same thing?

LVL 57

Expert Comment

by:giltjr
Do you know why the adjust-mss is there to start with?  I would suggest you try to find that out first.

Where do you set the MTU to 1400?  If your MTU is 1400, then you should be able to set mss to 1360.

You may need to play around with it doing as much testing as you can to make sure you don't break anything.
0
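An added worked example (not part of the original thread) of the MSS/MTU arithmetic discussed above, extended to include IPsec ESP tunnel encapsulation. The transform set (AES-CBC with HMAC-SHA1-96), the optional NAT-T wrapper and all function names are assumptions, since the page does not show the tunnel's crypto settings.

```python
# Assumed ESP tunnel-mode framing (not stated on the page): AES-CBC with
# HMAC-SHA1-96, optionally wrapped in NAT-T (UDP 4500).
OUTER_IP, ESP_HDR, IV, ICV, BLOCK, NAT_T_UDP = 20, 8, 16, 12, 16, 8
IP_TCP = 40  # inner IPv4 + TCP headers, no options


def esp_packet_len(inner_len: int, nat_t: bool = False) -> int:
    """On-the-wire size of one inner IP packet after ESP tunnel encapsulation."""
    # Payload plus the 2-byte ESP trailer is padded up to the cipher block size.
    padded = (inner_len + 2 + BLOCK - 1) // BLOCK * BLOCK
    return OUTER_IP + (NAT_T_UDP if nat_t else 0) + ESP_HDR + IV + padded + ICV


def largest_mss(link_mtu: int, nat_t: bool = False) -> int:
    """Largest TCP MSS whose encrypted packet still fits in link_mtu."""
    mss = link_mtu - IP_TCP
    while esp_packet_len(mss + IP_TCP, nat_t) > link_mtu:
        mss -= 1
    return mss


def transfer_cost(file_bytes: int, mss: int, nat_t: bool = False) -> dict:
    """Segment count and wire bytes for a one-way bulk transfer at a given MSS."""
    full, rest = divmod(file_bytes, mss)
    wire = full * esp_packet_len(mss + IP_TCP, nat_t)
    if rest:
        wire += esp_packet_len(rest + IP_TCP, nat_t)
    return {"segments": full + (1 if rest else 0), "wire_bytes": wire,
            "efficiency": round(file_bytes / wire, 3)}


if __name__ == "__main__":
    size = 20 * 1024 * 1024              # a 20MB test file, as used in the thread
    for mss in (542, 1350, 1360):        # adjust-mss values mentioned in the thread
        print(mss, transfer_cost(size, mss))
    # "ip mtu 1492" is the value on the 871's FastEthernet4 interface.
    print("largest MSS that fits ip mtu 1492:", largest_mss(1492))
```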

LVL 7

Author Comment

by:bcrosby007
No idea. The phone company set that number up for me. Not sure if it had something to do with VoIP or not. I changed it, and will test shortly.

LVL 57

Expert Comment

by:giltjr
Are you doing VoIP over the Internet, over the VPN tunnel, or both?

Since you mentioned VoIP, do you have QOS setup?

LVL 7

Author Comment

by:bcrosby007
Just over the VPN tunnel. All of her calls route through our phone system in PA.
There is some QOS set up. I believe this is it..
From what I read, VoIP uses UDP, not tcp. And the MSS only affects tcp, correct?
policy-map v3pn2
 class voice
  priority 80
 class signal
  bandwidth 16
 class inetcontrol
  bandwidth 24
 class class-default
  fair-queue
  queue-limit 15
policy-map shapevpn2
 class class-default
  shape average 768000
  service-policy v3pn2


LVL 57

Expert Comment

by:giltjr
Correct, mss only affects tcp.  However somebody may have reduced the mss to help lessen the impact the tcp traffic will have on the VoIP traffic or due to the speed of the link.

Not sure but something in the 500 range used to be used for "slow" links.  Over time the definition of "slow" has changed.  I would say with your "slow" side being 20 Mbps that you can easily raise the mss to somewhere in the 1000-1300 range.

LVL 7

Expert Comment

by:avcontrol
You should lower your MTU to about 1300+ on VPN interfaces on both ends.
Run speed test PC-PC across VPN verify effect.

LVL 7

Author Comment

by:bcrosby007
I ran a LAN speed test with a 5mb file.
Download speed was 7Mbps
Upload speed was .67 Mbps

It seems faster, but shouldn't the upload be a lot better?

LVL 57

Accepted Solution

by:giltjr earned 500 total points
It should be.  What you may want to do is get Wireshark, and run a packet capture to make sure when doing upload you are getting a larger packet size.

The 5MB file is more than large enough to see that you are getting the larger packet size.

For a real performance test though you would need to make sure nobody else is using the link and transfer a much larger file, like 500MB.

TCP has what is called "slow start", which means it sends a little bit of data, waits to see how long it takes to get an ACK back, sends a little more, waits for ACK.  It does this slowly increasing the amount of data it sends before waiting.  This takes anywhere between 10 and 30 seconds to get up to the point where the TCP can take full advantage of a fast link.  The idea is not to saturate a slow link to the point packets start getting dropped.

When doing "speed" tests the faster the link, the larger the file must be in order to really push the link.  In your case if the link was running perfectly the "slow" side is 20Mbps, which translates to about 2MB a second.  Even at only 7 Mbps a 5 MB file will take roughly 6-7 seconds to transfer.  Nowhere near long enough to take advantage of the link speed.
0
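An added example (not part of the original thread) of the packet-size check suggested in the accepted answer: it reads a classic pcap saved from Wireshark and reports the MSS advertised in each SYN and the largest TCP payload actually carried. The function names and the embedded capture are constructed for illustration; because `ip tcp adjust-mss` rewrites the MSS option in SYNs crossing the router, a capture taken at the far end shows the clamped value.

```python
import struct

def tcp_segment_sizes(pcap: bytes):
    """Return (MSS values advertised in SYNs, largest TCP payload) from a pcap."""
    if struct.unpack("<I", pcap[:4])[0] != 0xA1B2C3D4:
        raise ValueError("expected a little-endian classic pcap file")
    syn_mss, largest, off = [], 0, 24              # skip 24-byte global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack("<I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        # Keep only Ethernet II frames that carry IPv4 with protocol 6 (TCP).
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:14 + struct.unpack("!H", frame[16:18])[0]]
        if len(tcp) < 20:
            continue
        doff = (tcp[12] >> 4) * 4
        largest = max(largest, len(tcp) - doff)
        if tcp[13] & 0x02:                         # SYN: walk the TCP options
            opts, i = tcp[20:doff], 0
            while i + 1 < len(opts) and opts[i] != 0:
                if opts[i] == 1:                   # NOP is a single byte
                    i += 1
                    continue
                if opts[i] == 2 and opts[i + 1] == 4 and i + 4 <= len(opts):
                    syn_mss.append(struct.unpack("!H", opts[i + 2:i + 4])[0])
                i += max(opts[i + 1], 2)
    return syn_mss, largest

def build_frame(flags: int, payload: bytes, options: bytes = b"") -> bytes:
    """Constructed Ethernet/IPv4/TCP frame; checksums are left as zero."""
    tcp = struct.pack("!HHIIBBHHH", 49152, 445, 1, 0, (20 + len(options)) // 4 << 4,
                      flags, 65535, 0, 0) + options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6,
                     0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 20]))
    return b"\x00" * 12 + b"\x08\x00" + ip + tcp

def sample_pcap() -> bytes:
    """Constructed capture: a SYN advertising MSS 1360, then two data segments."""
    frames = [build_frame(0x02, b"", struct.pack("!BBH", 2, 4, 1360)),
              build_frame(0x10, b"A" * 1360), build_frame(0x18, b"B" * 700)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(tcp_segment_sizes(sample_pcap()))
```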
 
LVL 7

Author Comment

by:bcrosby007
Just ran with a 20MB file, and received the same results.
I just don't get the upload. I am fine with 20 seconds to download a 20MB file. But it took 231 seconds to upload 20MB.
We pay for 20/20 at my office but get more like 20/80 (weird, I know). And the user in ATL gets 25/25 on Business Comcast.

The up should be basically the same as the down.

Snip

LVL 57

Expert Comment

by:giltjr
Did you run a packet capture?

LVL 57

Expert Comment

by:giltjr
Also, could you set up an FTP server and run the test using FTP?

It looks like that test uses CIFS/Samba which has network performance issues to start with.