Palo Alto to Cisco: Site to Site IPSec VPN bandwidth issue
Palo Alto side: Palo Alto PA-220
Cisco side: Cisco FTD appliance
Both sites have 200/200 fiber and Speedtest results are as expected. The end user just can't get any decent bandwidth through the tunnel. Latency is between 33 and 40 ms.
First the end user tried adjusting the tunnel MTU on the PA-220 to 1410, which accounts for the 28 bytes of ICMP overhead. But that reduced performance further!
Questions from the end user: could it actually be related to MTU? And why is it noticeably faster when running iperf3 from the Cisco side of the tunnel to the PA side?
The PA-220 can do at least 200 Mbps. The Cisco FTD states it can do 1.2 Gbps of throughput!
This definitely sounds like a TCP windowing problem. Fragmentation should not be an issue here. You'll need to adjust your TCP window to a much larger size to get better throughput with that much latency on the link!
Palo Alto auto-calculates and auto-adjusts the MSS. Other vendors' appliances don't do this. I mean, if you went through everything to build phase 1 and phase 2, then figuring out the overhead should be pretty easy compared to that!
This issue is often related to Long Fat Networks (LFNs). The problem is quite possibly the distance and latency vs. the TCP window size.
TCP has a receive window, which tells the sending device how much data it can send before it must stop and wait for the far end to acknowledge receipt and allow more. On a high-bandwidth network with latency (distance) between sites, the sender can fill the TCP window in just a few milliseconds, and then it stops and waits for the response.
The first test of this is to run multiple TCP connections simultaneously. For example, if you can FTP a file at 10 megabits, try running 10 FTP sessions at the same time. Do they all get 10 megabits (10 x 10 = 100)? If so, it's a TCP windowing issue.
There are lots of ways around the LFN issue. You can adjust the TCP window, or buy software that runs multiple simultaneous connections and combines the data into one stream (a "download accelerator"). There are also appliances such as WAN accelerators (Riverbed, Silver Peak, etc.) that will manage it for you once configured.
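As an added worked example (not code from the original post), here is the arithmetic behind the LFN explanation, using the post's 200 Mbps link and 33-40 ms latency. The 65535-byte baseline is an assumption: it is the largest TCP window a host can advertise without the RFC 7323 window-scale option, not a measured value from either firewall.

```python
"""Bandwidth-delay product (BDP) math for the LFN / TCP windowing explanation."""
import math

LINK_BPS = 200_000_000     # 200 Mbps fiber, per the post
RTT_MS_RANGE = (33, 40)    # latency reported by the end user
UNSCALED_WINDOW = 65_535   # assumed baseline: max window without window scaling


def bdp_bytes(link_bps: int, rtt_ms: int) -> float:
    """Bytes that must be in flight to keep the link busy for one round trip."""
    return link_bps * rtt_ms / 8000


def max_throughput_bps(window_bytes: int, rtt_ms: int) -> float:
    """Ceiling for a single TCP flow: one window per RTT, whatever the link speed."""
    return window_bytes * 8 * 1000 / rtt_ms


def window_scale_shift(link_bps: int, rtt_ms: int) -> int:
    """Smallest RFC 7323 shift count such that 65535 << shift covers the BDP."""
    needed = bdp_bytes(link_bps, rtt_ms)
    return max(0, math.ceil(math.log2(needed / UNSCALED_WINDOW)))


def parallel_streams_needed(link_bps: int, window_bytes: int, rtt_ms: int) -> int:
    """Window-limited flows required to fill the link (the multi-FTP test above)."""
    return math.ceil(link_bps / max_throughput_bps(window_bytes, rtt_ms))


if __name__ == "__main__":
    for rtt in RTT_MS_RANGE:
        print(
            f"RTT {rtt} ms: BDP {bdp_bytes(LINK_BPS, rtt):,.0f} bytes; "
            f"one 64 KiB-window flow tops out at "
            f"{max_throughput_bps(UNSCALED_WINDOW, rtt) / 1e6:.1f} Mbps; "
            f"window scale shift {window_scale_shift(LINK_BPS, rtt)} needed; "
            f"{parallel_streams_needed(LINK_BPS, UNSCALED_WINDOW, rtt)} parallel flows "
            f"to fill the link"
        )
```

At 40 ms a single unscaled window caps a flow at about 13 Mbps regardless of the 200 Mbps link, which is exactly the symptom the post describes, and the multi-stream figure shows why running many FTP or iperf3 sessions in parallel recovers the bandwidth.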
Many times customers blame their firewalls doing IPsec for slow VPN throughput, when the issue is related to TCP, not hardware!