USG210 Firewall IPSec VPN Tunnel Site-To-Site Low performance
I've established IPSec VPN Site-To-Site Tunnel between two USG210 Devices.
Site to Site VPN, with AH-Tunnel SHA512 on both sides, with AES256 encryption on VPN Gateway for both sides. I'm able to ping hosts on both locations from both locations. The time of response is good, but sometimes request is timed out… :)
There's also SSL-VPN established for ActiveDirectory users with AD Authentication. This VPN works very fine and stable.
The problem is:
The performance between site-to-site locations is very low and unstable. The ping is ok, but transfer speed and stability is very very bad.
Firmware version on both USG's: V4.70(AAPI.0)
I had already tried:
Disable sessions limiter - no effect
Disable security policies - no effect
Reboot devices - no effect
I'm out of ideas… :(
All Replies
-
Hello @Kacper
Welcome to Zyxel community!
When the performance is low, what's the CPU rate? You can check it by debug system show cpu status
And could you test the transfer speed and provide the result? You can conduct a test with iperf.
James
0 -
Admittedly, it has been quite a few years since I was in a similar situation and needed support to set up a stable VPN connection.
Even so, I would like to suggest that you may want to check if LAN traffic on any side of the VPN tunnel could create network traffic noise, affecting the VPN tunnel performance.
For performance testing purposes, you may want to set up a test scenario where only one computer on each end has access to the VPN while testing, to give you a controllable scenario to gather testing data.
0 -
Hello, the CPU rate on both sides is:
LOCATION 1:
Router# debug system show cpu status
CPU utilization: 5 % (system: 1 %, user: 3 %, irq: 0 %, softirq 1 %)
CPU utilization (1 minute): 2 % (system: 0 %, user: 1 %, irq: 0 %, softirq 1 %)
CPU utilization (5 minute): 0 % (system: 0 %, user: 0 %, irq: 0 %, softirq 0 %)
LOCATION 2:
Router# debug system show cpu status
CPU utilization: 10 % (system: 4 %, user: 0 %, irq: 0 %, softirq 6 %)
CPU utilization (1 minute): 4 % (system: 3 %, user: 0 %, irq: 0 %, softirq 1 %)
CPU utilization (5 minute): 3 % (system: 2 %, user: 0 %, irq: 0 %, softirq 1 %)
The performance of WAN connection shows 98/96Mbit/s (100/100Mbit Internet connection), similar on both sides.
There aren't any problems with network performance, on both sides everything works fine and fast and stable!
When users from location 2 connect with SSL-VPN to location 1 (even if they are in IPSEC network) the performance becomes great!
1 -
If you set up an HTTP server on one end with a test file and the other end with Free Download Manager, what speed do you get?
If using SMB try "DisableBandwidthThrottling" set to 1 both ends
0 -
Hello @Kacper
Did you check the CPU rate when transferring files or iperf3 test through the VPN tunnel? As @PeterUK, please provide a result to describe the slow performance, thanks.
James
0 -
Hello,
So, when downloading something from Internet on both sides performance is great:
I checked transfer performance for SMB (with CPU usage for both sides):
And for HTTP (through IPSec VPN):
HTTP Download locally not through VPN (to make sure that there aren't any HTTP limits):
0 -
Does a lower encryption help? or use ESP?
0 -
Hello @Kacper
There are several things we can try to narrow down the cause.
- Lower the encryption and the authentication. example: replace AES256 with 3DES
- Capture the packet on WAN/LAN interface to check if there is serious packet loss during the transmission. If so, you will see many Dup ACK/retransmission/out-of-order in Wireshark.
- UTM function could also affect the speed. Please check the speed when they're disabled.
- Change the MTU value on WAN interface or change the MSS value in the VPN connection profile. example: MTU 1370 or MSS 1300
Moreover, since your result is tested by a single session, the throughput will not be as high as multi-session. Please run an iperf test with multisession.
If the speed didn't improve, please provide your USG210 configuration through private message, I will test the speed for you, thanks.
0
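Added example (not part of any post in this thread): the MTU/MSS suggestion above, worked through as a calculation of tunnel-mode overhead for the AH and ESP options the thread mentions, giving the largest TCP MSS that still fits in one WAN packet. It assumes IPv4 without options, CBC-mode ciphers, ICV lengths truncated per RFC 4868, and WAN MTUs of 1500 (Ethernet) and 1492 (PPPoE); the function names are hypothetical.

```python
# Added example: IPsec tunnel-mode overhead and the largest TCP MSS that
# avoids fragmentation. Assumes IPv4, no IP/TCP options, and ICV sizes
# truncated per RFC 4868 (HMAC-SHA-512 -> 32 bytes).
IPV4_HDR = 20
TCP_HDR = 20
AH_FIXED = 12        # next hdr, payload len, reserved, SPI, sequence (RFC 4302)
ESP_HDR = 8          # SPI + sequence number (RFC 4303)
ESP_TRAILER = 2      # pad length + next header
NATT_UDP = 8         # UDP encapsulation header for NAT traversal (RFC 3948)
ICV_LEN = {"sha1": 12, "sha256": 16, "sha512": 32}
CBC = {"3des": (8, 8), "aes256": (16, 16)}   # cipher -> (IV bytes, block bytes)


def max_inner_ah(wan_mtu, auth):
    """Largest inner IP packet that fits in one AH tunnel-mode packet."""
    return wan_mtu - IPV4_HDR - AH_FIXED - ICV_LEN[auth]


def max_inner_esp(wan_mtu, cipher, auth, nat_t=False):
    """Largest inner IP packet that fits in one ESP tunnel-mode packet."""
    iv, block = CBC[cipher]
    room = wan_mtu - IPV4_HDR - ESP_HDR - iv - ICV_LEN[auth]
    if nat_t:
        room -= NATT_UDP
    # inner packet + padding + trailer is encrypted as whole cipher blocks
    room -= room % block
    return room - ESP_TRAILER


def tcp_mss(inner_mtu):
    """TCP MSS for an inner packet of the given size."""
    return inner_mtu - IPV4_HDR - TCP_HDR


def report(wan_mtu=1500):
    """MSS ceiling for the combinations discussed in the thread."""
    return {
        "AH sha512": tcp_mss(max_inner_ah(wan_mtu, "sha512")),
        "ESP aes256/sha512": tcp_mss(max_inner_esp(wan_mtu, "aes256", "sha512")),
        "ESP aes256/sha512 NAT-T": tcp_mss(max_inner_esp(wan_mtu, "aes256", "sha512", True)),
        "ESP 3des/sha1": tcp_mss(max_inner_esp(wan_mtu, "3des", "sha1")),
    }


if __name__ == "__main__":
    for wan_mtu in (1500, 1492):   # plain Ethernet, PPPoE (assumed values)
        for name, mss in report(wan_mtu).items():
            print(f"WAN MTU {wan_mtu}: {name:<24} max MSS {mss}")
```

Every ceiling it computes is above the MSS 1300 suggested in the thread, so that value leaves headroom for all of these combinations.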