Slow site to site VPN Performance

Question

Folks,

Recently my company decided to save money by transitioning away from MPLS and metro ethernet based connectivity to Internet based site to site VPN's. For our stores we are installing Time Warner and Comcast business class Internet. Generally either 100/10 or 100/20 with one location being on a Comcast fiber based Internet circuit that is 30/30.

So far our experience has not been all that great. Our data center currently has a 100/100 fiber based Internet connection (1g to be installed next week). Our 100mb is not oversubscribed at this point. Whenever I try to do a windows based drag and drop from the data center to the store on average I get from 1.5-2.5MB on the copy. so basically 12-20 megabit despite the fact that my store has a 100mb download pipe. If I try to use FTP over the VPN I get the same speed. However if I take the same server at the DC and do a 1 to 1 NAT and then FTP to it from the same store over the Internet and not through the VPN I see close to the 100mb speed that we are subscribed to. Interstingly whenever I copy from the store to the DC I almost always get the full 20mb upload speed. Finally at our 30/30 store I get all 30mb both directions.

My data center has a 500D and all of my stores have a 140D. So I would think there is enough horsepower to be able to handle the occasionally large file copy. We don't generally move a lot of data over our VPN's. Mainly web based applications with some videos. However when we need it, it would be nice to have a nice file copy speed. I understand there is some overhead on VPN's but not to this degree. I have already tried various MTU sizes on WAN interfaces at both the DC and my lab store.

At this point I am stumped. Why is my VPN running so slowly? Is it possible that TW and/or comcast throttles UDP 500/4500 or the ESP protocol? At this point I along with our CIO is ready to abort this project and go with Fiber in all 90 locations. But I am not quite ready to give up.

Any help would be appreciated.

Mark

ede_pfau · Answer

hi,and welcome to the forums. This situation is strange. The 100D feature a CP8 content processor but lack a network processor ASIC (NP6). Nevertheless, even CPU based they should sustain 100 Mbps IPsec. Please supply the following info to clarify:- which firmware versions are you running (HQ/branch)?- which IPsec encryption is used in phase1, phase2?- do the 140Ds spike in CPU load on large file transfers?- what do you get with diag vpn ipsec status, HQ and branch? What I am aiming at is that certain encryption ciphers are not hardware accelerated, due to lack of NP6 or due to implementation after the ASIC was designed. On the safe side, AES128 and SHA1 are both done in hardware and more performant than, say, 3DES and AES256. One more (faint) possibility would be frequent renegotiations due to parameter mismatch - but you would have noticed that in the logs instantly.Lastly, have you checked with the ISP technical support that your HQ upstream is not throttled for specific protocols? They should be able to tell you with certainty.

Sign up

Login with SSO

Login to the community

Login with SSO

Scanning file for viruses.

This file cannot be downloaded