USG210 Firewall IPSec VPN Tunnel Site-To-Site Low performance

Kacper
Kacper Posts: 3
Friend Collector First Comment

I've established IPSec VPN Site-To-Site Tunnel between two USG210 Devices.

Site to Site VPN, with AH-Tunnel SHA512 on both sides, with AES256 encryption on VPN Gateway for both sides. I'm able to ping hosts on both locations from both locations. The time of response is good, but sometimes request is timed out… :)

There's also SSL-VPN established for ActiveDirectory users with AD Authenticaton. This VPN works very fine and stable.

The problem is:
The performmance between site-to-site locations is very low and unstable. The ping is ok, but transfer speed and stability is very very bad.

Firmware version on both USG's: V4.70(AAPI.0)

I had already tried:
Disable sessions limiter - no effect
Disable security policies - no effect
Reboot devices - no effect

I'm out of ideas… :(

All Replies

  • Zyxel_James
    Zyxel_James Posts: 610  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hello @Kacper
    Welcome to Zyxel community!

    When the performance is low, what's the CPU rate? You can check it by debug system show cpu status
    And could you test the transfer speed and provide the result? You can conduct a test with iperf.

    James

  • TrondBKSuleimanCo
    TrondBKSuleimanCo Posts: 19  Freshman Member
    First Anniversary 10 Comments Friend Collector First Answer

    Admittedly, it has been quite a few years since I was in a similar situation and needed support to set up a stable VPN connection.

    Even so, I would like to suggest that you may want to check if LAN traffic on any side of the VPN tunnel could create network traffic noise, affecting the VPN tunnel performance.

    For performance testing purposes, you may want to set up a test scenario where only one computer on each end has access to the VPN while testing, to give you a controllable scenario to gather testing data.

  • Kacper
    Kacper Posts: 3
    Friend Collector First Comment

    Hello, the CPU rate on both sides is:
    LOCATION 1:
    Router# debug system show cpu status
    CPU utilization: 5 % (system: 1 %, user: 3 %, irq: 0 %, softirq 1 %)
    CPU utilization (1 minute): 2 % (system: 0 %, user: 1 %, irq: 0 %, softirq 1 %)
    CPU utilization (5 minute): 0 % (system: 0 %, user: 0 %, irq: 0 %, softirq 0 %)

    LOCATION 2:
    Router# debug system show cpu status
    CPU utilization: 10 % (system: 4 %, user: 0 %, irq: 0 %, softirq 6 %)
    CPU utilization (1 minute): 4 % (system: 3 %, user: 0 %, irq: 0 %, softirq 1 %)
    CPU utilization (5 minute): 3 % (system: 2 %, user: 0 %, irq: 0 %, softirq 1 %)

    The performance of WAN connection shows 98/96Mbit/s (100/100Mbit Internet connection), similar on both sides.

    There aren't any problems with network performance, on both sides everything works fine and fast and stable!
    When users from location 2 connects with SSL-VPN to location 1 (even if they are in IPSEC network) the performance becomes great!

  • PeterUK
    PeterUK Posts: 2,702  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited March 2023

    If you setup a HTTP server one end with a test file and the other end with Free Download Manager what speed you get?

    If using SMB try "DisableBandwidthThrottling" set to 1 both ends

    https://learn.microsoft.com/en-us/windows-server/administration/performance-tuning/role/file-server/

  • Zyxel_James
    Zyxel_James Posts: 610  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer

    Hello @Kacper
    Did you check the CPU rate when transferring files or iperf3 test through the VPN tunnel? As @PeterUK, please provide a result to describe the slow performance, thanks.

    James

  • Kacper
    Kacper Posts: 3
    Friend Collector First Comment

    Hello,

    So, when downloading something from Internet on both sides performance is great:

    I checked transfer performance for SMB (with CPU usage for both sides:

    And for HTTP (trought IPSec VPN):

    HTTP Download locally not trought VPN (to make sure that there aren't any HTTP limits):

  • PeterUK
    PeterUK Posts: 2,702  Guru Member
    First Anniversary 10 Comments Friend Collector First Answer
    edited April 2023

    Does a lower encryption help? or use ESP?

  • Zyxel_James
    Zyxel_James Posts: 610  Zyxel Employee
    First Anniversary 10 Comments Friend Collector First Answer
    edited April 2023

    Hello @Kacper

    There are several things we can try to narrow down the cause.

    1. Lower the encryption and the authentication. example: replace AES256 with 3DES
    2. Capture the packet on WAN/LAN interface to check if there has serious packet loss during the transmission. If so, you will see many Dup ACK/retransmission/out-of-order in Wireshark.
    3. UTM function could also affect the speed. Please check the speed when they're disabled.
    4. Change the MTU value on WAN interface or change the MSS value in the VPN connection profile. example: MTU 1370 or MSS 1300

    Moreover, since your result is tested by a single session, the throughput will not be as high as multi-session. Please run an iperf test with multisession.

    If the speed didn't improve, please provide your USG210 configuration through private message, I will test the speed for you, thanks.

Security Highlight