Max VPN Packet Size
Hello
I have two USGs, a 40 and a 110.
One has 300MB sync fiber optic access and the other has 1Gb fiber optic access.
Both are running V4.25(AAPH.1) firmware.
I have an IPsec VPN between these 2 firewalls.
If I try to put a file by FTP from one site to the other without using the VPN network, I manage to copy at 25 Mbytes/sec.
If I try to put a file over the VPN network, I only get 4,5 Mbytes/sec.
I think this is a firmware bug.
We really need firmware for this bug ASAP.
Thanks
0
Comments
-
I suspect you mean 300 Mbps not 300 MBps?
Max throughput in perfect conditions is 100 Mbps for VPN measures based on RFC 2544 (1,424-byte UDP packets). Then the throughput will be affected by the type of encryption.
It is also affected by other UTM-services you may have enabled. Do you have any UTM-services enabled?
0 -
None on each.
IPsec 3DES SHA2
Yes for 300Mbps.
0 -
How big is the file you are trying to transfer and what type of file is it?
What is the load on CPU/Memory and sessions when transferring a file? (Especially on the USG40).
0 -
I tried with different sizes: 1gb, 500mb, 50mb
40% load CPU
If I try 10 500mb files at the same time, I'll get all the bandwidth used....
but 1 file by 1 file only 4,5 Mb/sec
0 -
sebit said: I tried with different size : 1gb 500mb 50mb
40% load CPU
If I try 10 500mb files at the same time, I'll get all the bandwidth used....
but 1 file by 1 file only 4,5 Mb/ sec
Have you got segmentation enabled on the FTP server? (So it segments the larger file into multiple smaller files.) If not, please try enabling it.
Could you also try transferring files with a different protocol than FTP?
[Edit: What FTP client do you use? & What FTP server?]
0 -
When I'm using transfer over the VPN, it's a transfer directly server to server, copy/paste.
0 -
OK, one 5Gb file from a FileZilla FTP client to a FileZilla FTP server using WAN, not the VPN network (from LAN to WAN NAT FTP server): I manage to have all the dedicated bandwidth.
One 5gb file transfer server to server by shared folder: I only have 4,5mb.
0 -
@sebit I will see if I can set up a lab tomorrow with two units using 4.25 firmware. Then set up an IPSec VPN and FTP server.
No promises though, it all depends on how busy my day at work will be. But I'll try!
Hopefully I will be able to replicate it, meaning I can do some tests to find a solution.
A temporary workaround would be to split the files into smaller chunks before transferring, or to use an FTP client that supports segmenting (Warning: risk of corrupting the file & you need to re-download).
0 -
I set up a lab yesterday with a ZyWALL 110 & USG40, both updated to 4.25(AAAA.1)C0 & 4.25(AALA.1)C0.
I used iPerf: https://iperf.fr/ to get base measures of throughput (Default settings).
On USG40:
WAN to LAN / LAN to WAN: 200-250 Mbps (With Policy Control enabled). 300-350 Mbps with Policy Control disabled.
Traffic over IPSec VPN I got around: 42-65 Mbps depending on encryption used, noticed small difference with enabling/disabling policy control.
LAN to LAN on ZyWALL 110 I did get around 920-950 Mbps.
I then tested setting up an FTP server on a Windows 7 machine with FileZilla server. (In the tests I tried swapping so it was behind USG40 for some tests and behind ZyWALL 110 for some). My other two client PCs, both using FileZilla as FTP client, were running Windows 10 & Debian Stable.
It seems in my test FTP utilized the bandwidth I got from the base measures over VPN (base measure 42-65 Mbps). Taking into account the overhead in FTP, I find my result of around 38-58 Mbps FTP transfer to be acceptable.
sebit said: [...]If I try to put a file by the vpn network, I only have 4,5Mbytes/Sec.[...]
So I do not think your results are too bad. I would play around a little with encryption; for testing purposes try going even lower. Also, when you check CPU usage, make sure you let the file transfer run for a few minutes first & check the CPU while the transfer is still ongoing. Remember my test was in a lab environment with most extra functions disabled & the higher results were with the lowest possible set of encryption.
If you would like me to, I could make the same lab but between two higher-end products such as the ZyWALL 110 & USG 210, or USG 60, to validate that the limit is the hardware performance of the USG40 & not a limit in firmware.
If we reproduced the lab using the packet size mentioned in the datasheet for the USG40 (RFC 2544, 1,424-byte UDP packets), I am certain we would get closer to the specified speed.
0
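Added example, not part of any post in this thread: the per-packet byte arithmetic behind the packet-size remarks above, for ESP tunnel mode over IPv4 with 3DES and SHA2. It assumes "SHA2" means HMAC-SHA-256 with a 16-byte ICV, that 1,424 bytes is the length of the inner IP packet, and a 1500-byte path MTU; it counts bytes on the wire only and does not model the firewall's per-packet CPU cost.

```python
"""ESP tunnel-mode size arithmetic for one inner IPv4 packet (added example)."""

OUTER_IPV4 = 20   # new IPv4 header added by tunnel mode (no options)
ESP_HEADER = 8    # SPI (4 bytes) + sequence number (4 bytes), RFC 4303
ESP_TRAILER = 2   # pad-length byte + next-header byte
NAT_T_UDP = 8     # extra UDP header when NAT traversal is in use, RFC 3948

# cipher -> (block size, IV size) in bytes
CIPHERS = {"3des-cbc": (8, 8), "aes-cbc": (16, 16)}
# integrity algorithm -> truncated ICV size in bytes
ICVS = {"hmac-sha1-96": 12, "hmac-sha256-128": 16}


def esp_packet_size(inner_len, cipher="3des-cbc", auth="hmac-sha256-128",
                    nat_t=False):
    """Outer IPv4 packet length after ESP tunnel-mode encapsulation."""
    block, iv = CIPHERS[cipher]
    # Inner packet + trailer must be padded up to a whole cipher block.
    pad = -(inner_len + ESP_TRAILER) % block
    size = (OUTER_IPV4 + ESP_HEADER + iv + inner_len + pad
            + ESP_TRAILER + ICVS[auth])
    return size + (NAT_T_UDP if nat_t else 0)


def efficiency(inner_len, **kw):
    """Fraction of the bytes on the wire that belong to the inner packet."""
    return inner_len / esp_packet_size(inner_len, **kw)


def max_inner_len(path_mtu=1500, **kw):
    """Largest inner packet whose ESP form fits path_mtu unfragmented."""
    n = path_mtu
    while esp_packet_size(n, **kw) > path_mtu:
        n -= 1
    return n


if __name__ == "__main__":
    # Constructed sample sizes: small, medium, the 1,424-byte test size.
    for n in (64, 512, 1424):
        print(f"inner {n:>4} B -> outer {esp_packet_size(n):>4} B, "
              f"efficiency {efficiency(n):.1%}")
    print("largest unfragmented inner packet (3DES/SHA2):", max_inner_len())
    print("same with NAT-T:", max_inner_len(nat_t=True))
```
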