5 Replies Latest reply on Oct 6, 2014 9:17 AM by david

    Slow VPN?

    mitch42 New Member

      I have a hub and spoke network setup.  The corporate location has a NetVanta 6355 with three 3120s connecting to it via VPN.  I want to know what data rates I should see to the 3120s.

      All of the 3120s and the 6355 are running R10.11.0.E.  The 3120s are connected to 35/5 cable modem and the 6355 is 20/20 fiber.  At best I'm getting 300KBps when I copy a file.  This was at night when everyone else was gone and after I tweaked the TCP/IP settings on both locations to maximize MTU etc.

        • Re: Slow VPN?
          jayh Hall_of_Fame

          In some cases you need to reduce MTU due to the crypto overhead, not maximize it.  Especially if your cable modem is PPPoE which often comes with a 4-byte penalty.

           

          Are you sure you are seeing 300 kbps (bits per second) and not 300 kBps (Bytes per second)?  Possibly things are being fragmented; check with Wireshark.

           

          The ip crypto ffe command may also help if router CPU is high.
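Added example, not part of the thread: a sketch of how ESP tunnel-mode overhead (RFC 4303 framing) shrinks the largest inner packet that crosses a link unfragmented, which is the reason for reducing MTU mentioned above. The transform parameters, function names and link MTU values are assumptions; the thread does not say which ciphers these tunnels use.

```python
# ESP tunnel-mode sizing. All byte counts are for IPv4 with no IP options.
OUTER_IPV4 = 20   # new outer IP header added by tunnel mode
ESP_HEADER = 8    # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1), encrypted with payload
NAT_T_UDP = 8     # UDP/4500 encapsulation when NAT traversal is in use

# Assumed transforms: name -> (IV bytes, cipher block bytes, ICV bytes)
TRANSFORMS = {
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
    "3des-cbc/hmac-sha1-96": (8, 8, 12),
    "aes-cbc/hmac-sha256-128": (16, 16, 16),
}

def esp_packet_size(inner_len, transform, nat_t=False):
    """Size on the wire of one inner IP packet after ESP encapsulation."""
    iv, block, icv = TRANSFORMS[transform]
    plaintext = inner_len + ESP_TRAILER
    padded = -(-plaintext // block) * block   # round up to cipher block
    udp = NAT_T_UDP if nat_t else 0
    return OUTER_IPV4 + udp + ESP_HEADER + iv + padded + icv

def max_inner_packet(link_mtu, transform, nat_t=False):
    """Largest inner IP packet that fits link_mtu without fragmentation."""
    iv, block, icv = TRANSFORMS[transform]
    udp = NAT_T_UDP if nat_t else 0
    room = link_mtu - OUTER_IPV4 - udp - ESP_HEADER - iv - icv
    return (room // block) * block - ESP_TRAILER

def will_fragment(inner_len, link_mtu, transform, nat_t=False):
    """True if the encapsulated packet exceeds the link MTU."""
    return esp_packet_size(inner_len, transform, nat_t) > link_mtu

def tcp_mss_for(inner_mtu):
    """TCP MSS matching an inner MTU (20-byte IP + 20-byte TCP headers)."""
    return inner_mtu - 40

if __name__ == "__main__":
    # Constructed link MTUs: a plain Ethernet path and a smaller one.
    for mtu in (1500, 1492):
        for name in TRANSFORMS:
            inner = max_inner_packet(mtu, name)
            print(f"link MTU {mtu} {name}: inner MTU {inner}, "
                  f"TCP MSS {tcp_mss_for(inner)}")
```

A full 1500-byte inner packet always exceeds a 1500-byte link once encapsulated, so either the tunnel MTU or the TCP MSS has to come down to the computed value to avoid fragmentation.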

            • Re: Slow VPN?
              mitch42 New Member

              By 'maximize' I meant setting the MTU to the largest it can be without fragmentation.  That is 1464 bytes over the VPN.  The data rate is kilobytes; I didn't get the B right on the first post.  But the 3120 should do 1Mbit over VPN and I'm not getting half that at ~300KBps.  I'm not sure what the 6355 will do over VPN.  I'm doing this testing after hours so there is minimal traffic on the connections.

               

              I have looked into ffe option and found this:

                   As of R10.4.0, FFE is enabled on all supported IP interfaces by default.  (https://supportforums.adtran.com/docs/DOC-5062)

               

              When I try to set 'ip crypto ffe' on the 6355 I get: %IPSec FFE is unavailable; VPN hardware acceleration module not installed.

              On the 3120s I don't get any response, and neither 'ip crypto ffe' nor 'ip ffe' shows in 'show run'.

              I'm getting about 40% CPU on the 5 min average load during our normal use (the IP phone system uses the VPN along with folder redirection).

                • Re: Slow VPN?
                  jayh Hall_of_Fame

                  mitch42 wrote:

                   

                  By 'maximize' I meant setting the MTU to the largest it can be without fragmentation.  That is 1464 bytes over the VPN.  The data rate is kilobytes; I didn't get the B right on the first post.  But the 3120 should do 1Mbit over VPN and I'm not getting half that at ~300KBps.  I'm not sure what the 6355 will do over VPN.  I'm doing this testing after hours so there is minimal traffic on the connections.

                   

                  One byte is eight bits. If you are getting throughput of 300 kilobytes per second, that is equal to 2.4 megabits per second, which is pretty respectable.  If you are uploading from the cable connection, their rated speed of 5 Mbps may be a bit optimistic. If your phone system uses the VPN for RTP traffic, there is considerable CPU overhead in encrypting and decrypting many small packets.

                   

                  One thing you can do is to look at the interface stats during a five-minute file transfer and look at the actual bits-per-second in and out.

                  • Re: Slow VPN?
                    david Employee

                    Mitch,

                     

                    I just wanted to check back in with you to see if you are still having problems.  If so, feel free to respond with any additional questions you may have here, but this may be something too difficult to troubleshoot within a forum post.  If you are getting 2.4Mbps as Jay mentioned, I would say that is very good throughput for that particular unit over a VPN tunnel.  Also, since FFE is now default for most interfaces, you'll need to use "show run verbose" output to verify the command.

                     

                    Thanks!

                    David

                • Re: Slow VPN?
                  david Employee

                  Mitch,

                   

                  I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

                   

                  Thanks,

                  David