RenoGryphon
asked on
100MB VPN tunnel to Colo Slowness
We have moved our HQ to a new building and are using a 100MB VPN site-to-site tunnel as our primary until we get our 100 MB MPLS line terminated and up.
Our issue is any access to network resources at our Colo is incredibly sluggish. For example, Shared folders downloads are hitting speeds like 92KBs or maybe hitting 1-2MBs and will take 2-3 hours just to download a 300MB file.
We have an Hub and Spoke setup.
Here is an general overview:
HQ LAN ---> ASA 5512 100MB VPN endpoint ----> Colo 5510 endpoint
We have a 50MBs DS3 connection at our Colo.
Our issue is any access to network resources at our Colo is incredibly sluggish. For example, Shared folders downloads are hitting speeds like 92KBs or maybe hitting 1-2MBs and will take 2-3 hours just to download a 300MB file.
We have an Hub and Spoke setup.
Here is an general overview:
HQ LAN ---> ASA 5512 100MB VPN endpoint ----> Colo 5510 endpoint
We have a 50MBs DS3 connection at our Colo.
VPN uses the slow side upload speed. So if your line is DSL 100 megabits/sec down and 1 megabit/sec up, then what you see is entirely normal. You need a faster upload speed to fix this.
ASKER
Sorry, I did kind of rush when I was typing this.
Our main line at our Colo is a 50mbps connection. Our original HQ was using a DS3 line (45mbps), but the new HQ will be getting a MPLS 100mbps line. However, until that's is install, we are using site-to-site 100mbps VPN as our primary.
Excuse the typos from before, everything is in bits per second, not Bytes. Lol Don't want to want to seem like a total fool, at least not just yet.
Our main line at our Colo is a 50mbps connection. Our original HQ was using a DS3 line (45mbps), but the new HQ will be getting a MPLS 100mbps line. However, until that's is install, we are using site-to-site 100mbps VPN as our primary.
Excuse the typos from before, everything is in bits per second, not Bytes. Lol Don't want to want to seem like a total fool, at least not just yet.
ASKER
John,
As far as I aware the Internet connection we have is 100mbs Up and down. Let me just confirm this once more.
As far as I aware the Internet connection we have is 100mbs Up and down. Let me just confirm this once more.
Until you get your new MPLS, I think what you are seeing with the existing setup is normal.
If you are really getting 100 megabits both ways, check the MTU size.
Default MTU is 1500 which fragments VPN packets unduly. Set MTU to 1492 or a bit less and that may improve speed.
Default MTU is 1500 which fragments VPN packets unduly. Set MTU to 1492 or a bit less and that may improve speed.
ASKER
I was afraid you'd say that. The new MPLS won't be turned up for another 10 days. This company has kind screwed up their timing on everything. Is there anything we can do in the mean time?
Try adjusting MTU to see if you can get some improvement.
Still a little confused.
--> "Our main line at our Colo is a 50mbps connection"
--> "... we are using site-to-site 100mbps VPN as our primary."
Does this mean you have two network connections at the Colo, a 100 Mbps Internet connection that VPN tunnel goes over and then a second 50 Mbps connection that is used for something else?
Have you done a packet capture while doing a file open/copy/download?
VPN tunnels do cause problems with MTU and fragmentation.
What all goes over the VPN tunnel? Could it be overloaded? Could your Internet connection be overloaded?
--> "Our main line at our Colo is a 50mbps connection"
--> "... we are using site-to-site 100mbps VPN as our primary."
Does this mean you have two network connections at the Colo, a 100 Mbps Internet connection that VPN tunnel goes over and then a second 50 Mbps connection that is used for something else?
Have you done a packet capture while doing a file open/copy/download?
VPN tunnels do cause problems with MTU and fragmentation.
What all goes over the VPN tunnel? Could it be overloaded? Could your Internet connection be overloaded?
ASKER
50mbps (Windstream line) ---> Colo data center ----> soon to be 100mbps mpls ( Windstream) ---> HQ
Current primary line until
50mbps ---> Colo---> 100mbps VPN Asa 5512 ---> Colo Asa 5510 ---> Colo data Center
Current primary line until
50mbps ---> Colo---> 100mbps VPN Asa 5512 ---> Colo Asa 5510 ---> Colo data Center
ASKER
Im heading to our HQ now. I'll do some packet capturing once I'm there.
Sorry, still confused. You seem to show two Colo connections. Could you fill in the values for each S# with the speed of each network connection?
Colo server <-- S1 --> Colo ASA <-- S2 --> Internet <-- S3 --> HQ ASA <-- S4 -->
S1 =
S2 =
S3 =
S4 =
Right now to me it seems like somewhere you have a 50 Mbps connection, which would limit your max. transfer to 50 Mbps, which is still way faster than you are currently getting.
Colo server <-- S1 --> Colo ASA <-- S2 --> Internet <-- S3 --> HQ ASA <-- S4 -->
S1 =
S2 =
S3 =
S4 =
Right now to me it seems like somewhere you have a 50 Mbps connection, which would limit your max. transfer to 50 Mbps, which is still way faster than you are currently getting.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
It resolved the initial problem?
First big B means bytes and little b means bits. I doubt very much you have a 100 MByte per second or a 50MByte per second connection. My guess is they are 100 Mbits or 50 Mbits per second.
Also need to verify what you connections are. A DS3 is a 45Mbps link, not 50 Mbps. A 45Mbps link can have a maximum of 4.5MBytes per second. So at the Colo is it a 45Mbps DS3?
What speed link do you have at your HQ?
When you stated your throughput is maxing out at 1-2MBs did you really mean 1-2MBytes per second or did you mean 1-2Mbits per second?