Max VPN Packet Size

sebit
edited April 2021 in Security
Hello

I have two USGs: a 40 and a 110.

One has 300MB sync fiber optic access and the other one has 1Gb fiber optic access.

Both are running with V4.25(AAPH.1) firmware.

I have an IPsec VPN between these 2 firewalls.

If I try to put a file by FTP from one site to the other one without using the VPN network, I manage to copy at 25 Mbytes/sec.

If I try to put a file by the VPN network, I only have 4,5 Mbytes/sec.

I think this is a firmware bug.

We really need firmware for this bug asap.

thanks

Comments

  • Johan
    I suspect you mean 300 Mbps not 300 MBps?

    Max throughput in perfect conditions is 100 Mbps for VPN measures based on RFC 2544 (1 424 byte UDP packages). Then the throughput will be affected by types of encryption.

    It is also affected by other UTM-services you may have enabled. Do you have any UTM-services enabled?
  • sebit
    none on each

    IPSEC 3DES SHA2

    yes for 300Mbps
  • Johan
    How big is the file you are trying to transfer and what type of file is it?

    What is the load on CPU/Memory and sessions when transferring a file? (Especially on the USG40).
  • sebit
    I tried with different sizes: 1gb, 500mb, 50mb.
    40% CPU load.

    If I try 10 500mb files at the same time, I'll get all the bandwidth used...
    but 1 file by 1 file, only 4,5 Mb/sec.
  • Johan
    edited October 2017
    sebit said:
    I tried with different sizes: 1gb, 500mb, 50mb.
    40% CPU load.

    If I try 10 500mb files at the same time, I'll get all the bandwidth used...
    but 1 file by 1 file, only 4,5 Mb/sec.

    Now that is interesting and useful for troubleshooting.
    Have you got segmentation enabled on the FTP-server? (So it segments the larger file into multiple smaller files). If not please try enabling it.

    Could you also try transfer of files with a different protocol than FTP?

    [Edit: What FTP client do you use? & What FTP server?]
  • sebit
    When I'm using transfert on VPN, it's a transfert directly server to server, copy/paste.
  • Johan
    sebit said:
    When I'm using transfert on VPN, it's a transfert directly server to server, copy/paste.

    Sorry, I have not heard of transfert before. Could you please try answering all the questions in my last post?
  • sebit
    OK, one 5Gb file from a FileZilla FTP client to a FileZilla FTP server using WAN, not the VPN network (from LAN to WAN NAT FTP server): I manage to have all dedicated bandwidth.

    One 5gb file transfer server to server by shared folder: I only have 4,5mb.
  • Johan
    @sebit I will see if I can set up a lab tomorrow with two units using 4.25 firmware, then set up an IPsec VPN and FTP server.

    No promises though, it all depends on how busy my day at work will be. But I'll try!

    Hopefully I will be able to replicate it, meaning I can do some tests to find a solution.

    A temporary workaround would be to split the files into smaller chunks before transferring, or to use an FTP client that supports segmenting (warning: risk of corrupting the file, and you need to re-download).
  • Johan
    I set up a lab yesterday with a ZyWALL 110 & USG40, both updated to 4.25(AAAA.1)C0 & 4.25(AALA.1)C0.

    I used iPerf (https://iperf.fr/) to get base measures of throughput (default settings).
    On USG40:
    WAN to LAN / LAN to WAN: 200-250 Mbps (with Policy Control enabled). 300-350 Mbps with Policy Control disabled.

    For traffic over IPsec VPN I got around 42-65 Mbps depending on the encryption used; I noticed a small difference with enabling/disabling Policy Control.

    LAN to LAN on ZyWALL 110 I did get around 920-950 Mbps.

    I then tested setting up a FTP server on a Windows 7 machine with FileZilla server. (In the tests I tried swapping so it was behind USG40 for some tests and behind ZyWALL 110 for some). My other two client PCs both using FileZilla as FTP client were running Windows 10 & Debian Stable.

    It seems in my test FTP utilized the bandwidth I got from the base measures over VPN (base measure 42-65 Mbps). Taking into account the overhead in FTP, I find my result of around 38-58 Mbps FTP transfer to be acceptable.

    sebit said:
    [...]If I try to put a file by the VPN network, I only have 4,5 Mbytes/sec.[...]

    4,5 Megabyte per second equals about 36 Megabit per second, so it is close to my lower results. Worth mentioning is that my tests were with Cat5e cable from WAN on USG40 to WAN on ZyWALL 110. All 3 clients were connected with Cat5e cables as well. I disabled any UTM-services including ADP.

    So I do not think your results are too bad. I would play around a little with encryption; for testing purposes try going even lower. Also, when you check CPU usage, make sure you let the file transfer run for a few minutes first and check the CPU while the transfer is still ongoing. Remember my test was in a lab environment with most extra functions disabled, and the higher results were with the lowest possible set of encryption.

    If you would like me to, I could make the same lab but between two higher end products such as the ZyWALL 110 & USG 210, or USG 60, to validate that the limit is hardware performance of the USG40 & not a limit in firmware.

    If we would reproduce the lab using the packet size mentioned in the datasheet for USG40 (RFC2544, 1,424-byte UDP packets) I am certain we would be getting closer to the specified speed.
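
Added example, not part of the thread and not Zyxel's code: a per-packet size calculation for ESP tunnel mode, showing how the cipher and integrity choice (the 3DES/SHA2 proposal mentioned in the thread, next to AES-CBC/HMAC-SHA1) sets the wire size and the largest inner packet that still fits a 1500-byte MTU. It assumes IPv4, no NAT-T, SHA2 meaning HMAC-SHA-256-128, and that the datasheet's 1,424-byte figure is the inner IP packet length; the function names are illustrative.

```python
# ESP tunnel-mode size arithmetic (RFC 4303 layout). Assumptions: IPv4 outer
# header without options, no NAT-T/UDP encapsulation, CBC-mode ciphers.

# cipher -> (IV bytes, block bytes); integrity -> ICV bytes after truncation
CIPHERS = {"3des-cbc": (8, 8), "aes-cbc": (16, 16)}
INTEGRITY = {"hmac-sha1-96": 12, "hmac-sha256-128": 16}

OUTER_IPV4 = 20   # new IP header added by tunnel mode
ESP_HEADER = 8    # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad length (1) + next header (1)


def esp_tunnel_size(inner_len, cipher="3des-cbc", integ="hmac-sha256-128"):
    """Bytes on the wire for one inner IP packet of inner_len bytes."""
    iv, block = CIPHERS[cipher]
    icv = INTEGRITY[integ]
    # Inner packet plus trailer is padded up to a whole number of cipher blocks.
    encrypted = -(-(inner_len + ESP_TRAILER) // block) * block
    return OUTER_IPV4 + ESP_HEADER + iv + encrypted + icv


def max_inner_len(mtu=1500, cipher="3des-cbc", integ="hmac-sha256-128"):
    """Largest inner IP packet that is not fragmented after encapsulation."""
    iv, block = CIPHERS[cipher]
    icv = INTEGRITY[integ]
    room = mtu - OUTER_IPV4 - ESP_HEADER - iv - icv
    return (room // block) * block - ESP_TRAILER


def efficiency(inner_len, cipher="3des-cbc", integ="hmac-sha256-128"):
    """Share of transmitted bytes that is inner packet rather than overhead."""
    return inner_len / esp_tunnel_size(inner_len, cipher, integ)


if __name__ == "__main__":
    for cipher, integ in (("3des-cbc", "hmac-sha256-128"),
                          ("aes-cbc", "hmac-sha1-96")):
        print(cipher, integ, "max inner packet:", max_inner_len(1500, cipher, integ))
        for inner in (64, 512, 1424):   # constructed sample sizes
            wire = esp_tunnel_size(inner, cipher, integ)
            print(f"  inner {inner:>4} -> wire {wire:>4} "
                  f"({efficiency(inner, cipher, integ):.1%} payload)")
```

Small packets pay a much larger share of overhead than 1,424-byte ones, which is one reason a datasheet figure measured with large UDP packets sits above what mixed real traffic achieves.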
