Adtran
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
mitch42
New Contributor
‎06-16-2014 11:17 AM

Slow VPN?

Jump to solution

I have a hub and spoke network setup.  The corporate location has a NetVanta 6355 with three 3120s connecting to it VPN.  I want to know what data rates should I see to the 3120s.

All of the 3120 and 6355 are running R10.11.0.E.  The 3120s are connected to 35/5 cable modem and the 6355 is 20/20 fiber.  At best I'm getting 300KBps when I copy a file.  This was at night when everyone else was gone and after I tweaked the TCP/IP settings on both locations to maximize MTU etc..

0 Kudos
Reply
1 Solution

Accepted Solutions
jayh
Honored Contributor
Honored Contributor
‎06-17-2014 11:44 AM

Re: Slow VPN?

Jump to solution

mitch42 wrote:



By 'maximize' I meant setting the MTU to the largest it can be without fragmentation.  That is 1464 bytes over the VPN.  The data rate is kilo-Bytes, I didn't get the B right on the first post..but the 3120 should do 1Mbit over VPN and I'm not getting half that at ~300KBps, I'm not sure what the 6355 will do over VPN.  I'm doing this testing after hours so there is minimal traffic on the connections.



One byte is eight bits. If you are getting throughput of 300 kilobytes per second, that is equal to 2.4 megabits per second which is pretty respectable.  If you are uploading from the cable connection, their rated speed of 5 mbps may be a bit optimistic. If your phone system uses the VPN for RTP traffic, there is considerable CPU overhead in encrypting and decrypting many small packets.

One thing you can do is to look at the interface stats during a five-minute file transfer and look at the actual bits-per-second in and out.

View solution in original post

0 Kudos
Reply
5 Replies
jayh
Honored Contributor
Honored Contributor
‎06-16-2014 11:53 PM

Re: Slow VPN?

Jump to solution

In some cases you need to reduce MTU due to the crypto overhead, not maximize it.  Especially if your cable modem is PPPoE which often comes with a 4-byte penalty.

Are you sure you are seeing 300 kbps (bits per second) and not 300 kBps (Bytes per second)?  Possibly things are being fragmented, check with Wireshark.

ip crypto ffe command may also help if router CPU is high.

0 Kudos
Accept as Solution Reply
mitch42
New Contributor
‎06-17-2014 10:43 AM

Re: Slow VPN?

Jump to solution

By 'maximize' I meant setting the MTU to the largest it can be without fragmentation.  That is 1464 bytes over the VPN.  The data rate is kilo-Bytes, I didn't get the B right on the first post..but the 3120 should do 1Mbit over VPN and I'm not getting half that at ~300KBps, I'm not sure what the 6355 will do over VPN.  I'm doing this testing after hours so there is minimal traffic on the connections.

I have looked into ffe option and found this:

     As of R10.4.0, FFE is enabled on all supported IP interfaces by default.  (https://supportforums.adtran.com/docs/DOC-5062)

When I try to set 'ip crypto ffe' on the 6355 I get: %IPSec FFE is unavailable; VPN hardware acceleration module not installed.

On the 3120s I don't get any response and the 'ip crypto ffe' or 'ip ffe' doesn't show in 'show run'

I'm getting about 40% CPU on the 5 min ave load during our normal use (IP phone system uses the VPN along with folder redirection)

0 Kudos
Accept as Solution Reply
jayh
Honored Contributor
Honored Contributor
‎06-17-2014 11:44 AM

Re: Slow VPN?

Jump to solution

mitch42 wrote:



By 'maximize' I meant setting the MTU to the largest it can be without fragmentation.  That is 1464 bytes over the VPN.  The data rate is kilo-Bytes, I didn't get the B right on the first post..but the 3120 should do 1Mbit over VPN and I'm not getting half that at ~300KBps, I'm not sure what the 6355 will do over VPN.  I'm doing this testing after hours so there is minimal traffic on the connections.



One byte is eight bits. If you are getting throughput of 300 kilobytes per second, that is equal to 2.4 megabits per second which is pretty respectable.  If you are uploading from the cable connection, their rated speed of 5 mbps may be a bit optimistic. If your phone system uses the VPN for RTP traffic, there is considerable CPU overhead in encrypting and decrypting many small packets.

One thing you can do is to look at the interface stats during a five-minute file transfer and look at the actual bits-per-second in and out.

0 Kudos
Reply
Anonymous
Not applicable
‎07-07-2014 04:26 PM

Re: Slow VPN?

Jump to solution

Mitch,

I just wanted to check back in with you to see if you are still having problems.  If so, feel free to respond with any additional questions you may have here, but this may be something too difficult to troubleshoot within a forum post.  If you are getting 2.4Mbps as Jay mentioned, I would say that is very good throughput for that particular unit over a VPN tunnel.  Also, since FFE is now default for most interfaces, you'll need to use "show run verbose" output to verify the command.

Thanks!

David

0 Kudos
Accept as Solution Reply
Anonymous
Not applicable
‎10-06-2014 11:17 AM

Re: Slow VPN?

Jump to solution

Mitch,

I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

Thanks,

David


0 Kudos
Accept as Solution Reply