Firewall Wizards mailing list archives
CISCO Hardware VPN Client Impact on Throughput
From: Wade Burgett <wadeb () burgettsys com>
Date: Wed, 27 Aug 2003 22:36:56 -0700
Hi, I'm trying to track down the cause of some performance problems wwith a CISCO VPN. The client side is using the CISCO VPN 3002 Hardware Client, and the Server end is a CISCO VPN Concentrator (no model number yet - I'm consultant just for the client end).
I'm seeing a pretty big hit on the throughput of the VPN. Wondering if this is normal for a CISCO VPN or this hardware. It seems very large - I get much better results from the high-overhead ssh-ppp vpns on Linux/Solaris I setup for myself.
----------------------------------------------- The Questions --------------------------------------------------1) Wondering if the performance hit I'm seeing is normal for this configuration (ie - tell the client to cry in their beer and live with it). About 13Kbps of a 43 Kbps connection is lost through the VPN.
2) If performance hit is not normal - what should I try - I'm planning a series of MTU experiments, lowering it, turning off PMTU and changing the way packets are fragmented (before, after IPSEC). I know this system was setup by high paid consultants (which is me too I guess) and I've found quite a bit of traffic talking about consultants blocking the PMTU ICMP ports. However, if there is some other explanation I'd be happy to hear about anything that I might try, or secret red buttons that I have not pushed.
------------------------------- The Background Data --------------------------------------------I'm seeing about a 13KB/s hit on 43KB/s connection. That just can't be right somehow I'm thinking. Client applications (Lotus Notes mostly) are taking even bigger hits (2.5-3x longer to get an email attachment through Lotus than to get via the web not through VPN).
My current guess as to cause is MTU and maybe interaction between MTU Size Start Stop Time Throughput KB/s No VPN 958k 19:24:41 19:25:03 00:00:22 43.72 No VPN 958k 19:25:03 19:25:26 00:00:22 42.23 No VPN 958k 19:25:26 19:25:48 00:00:23 43.84 No VPN 958k 19:25:48 19:26:11 00:00:22 43.54 No VPN 958k 19:26:11 19:26:33 00:00:23 43.68 No VPN 958k 19:26:33 19:26:56 00:00:22 43.64 avg throughput 43.44 Lxxxxx VPN 958k 20:13:17 20:13:52 00:00:35 27.86 Lxxxxx VPN 958k 20:13:52 20:14:23 00:00:35 31.12 Lxxxxx VPN 958k 20:14:23 20:14:55 00:00:31 30.73 Lxxxxx VPN 958k 20:14:55 20:15:25 00:00:32 32.66 Lxxxxx VPN 958k 20:15:25 20:15:55 00:00:30 32.28 Lxxxxx VPN 958k 20:15:55 20:16:29 00:00:30 29.13 avg throughput 30.63 Thanks. Wade -- Wade Burgett wadeb () burgettsys com (512)-796-7070 (503)-756-5633 Burgett Systems http://www.burgettsys.com ELIMINATE EMAIL VIRUSES - Use Linux _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- CISCO Hardware VPN Client Impact on Throughput Wade Burgett (Aug 28)