IPsec Site to Site (Slow Upload) - (Fast Download) issue
-
@amd_infinium05 said in IPsec Site to Site (Slow Upload) - (Fast Download) issue:
It is not just SMB, even Https/Http browsing from SiteB to Site seems slow.
I have also tested with iPerf 3.1.3
Site B to Site A - speed maxes out at 2-3Mbits/sec
Site A to Site B - speed maxes out the links which is 75-95Mbits/sec
Commands used:
server: iperf.exe --server
client: iperf.exe --c <serverIP> -t 60
That conflicts with what you said here:
Site A to Site B remote desktop protocol to a computer in Site B file transfer via RDP is 70-90mbits/sec
If it is just sending to the Q-NAP that is problematic then that points to something in the Q-NAP.
Perhaps a limiter on transfers in from non-local subnets?
There really isn't anything in the firewall that would cause this unless a limiter/shaper was deliberately placed.
I assume both sites can run traditional speed tests to internet test sites at or near 100/100.
-
@derelict I am having the same issue with iperf when I'm initiating the connection from site B to any Windows server on site A through the tunnel.
I'm pretty sure QNAP has no problem as the workstations/servers on site A (same subnet as with qnap) can send data to qnap reaching 1gbps.
-
@amd_infinium05 Right. Often connections from other subnets are treated differently.
I really cannot think of anything in the firewall that would cause what you are seeing unless you deliberately set a limiter. There is no checkbox to enable the issue you are seeing.
Packet capture an iperf session and see if there are retransmissions or something.
Set MSS Clamping in the advanced IPsec settings down to, say, 1300 and try again.
Try UDP iperf.
-
@derelict thank you.
I will try udp on iperf when I get my hands on it.
I have observed that any traffic that is initiated from site a to site b gets full speed up and down through the tunnel regardless of what type of task I throw at it (rdp/samba/iperf).
Connections initiated from site B (iperf and file transfer via cifs/smb to qnap it is slow). This is really weird from my point of view.
Also I have observed that if the connection is initiated from site B, it is actually hitting the ipsec firewall rule on site A. If the connection is initiated from site A it is hitting the ipsec firewall rule in Site B. --- this is normal yes?
-
Yes. The firewall rules on IPsec are the same as any other interface. They govern connections coming INTO that firewall on that interface.
-
So here are my iperf tests
Site B to Site A (left window is Site B, right window is Site A)
Site B to Site A
-
Still doesn't point at anything on the firewalls themselves.
(You have to specify a -b bandwidth flag when using UDP or it tries to send 1Mbit/sec as you saw)
-
How do you know it's not the ISP? I swear I've seen Comcast Residential throttle all kinds of things.
-
@bbrendon I don't know sir. I do not know where else to look at.
-
Here are my speed tests using UDP from SiteB to SiteA
They are showing two different information.
Left: Site B (client)
Right: Site A (Server)
-
RESOLVED!!
I have set both ends to MSS Clamping 1300 and that solved the issue.
I can now upload data to Qnap at full speed 80-90Mbps.
Wrap up thoughts?
-
Wouldn't it be better to fix what's preventing MTU discovery from working properly (your ICMP filtering perhaps)?
I've never needed MSS Clamping.
-
@p3r ICMP filtering?
-
As far as I know MSS Clamping is a workaround to avoid MTU discovery problems. I assumed that you have some filtering in the source-destination path (ICMP was my first thought) that prevents MTU discovery.
Since throughput was asymmetric, I expected it to be fairly easy to find what was different and causing the issue at one end.
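
The following is an added example, not code from any poster in this thread: it works out how large an IPv4 tunnel-mode ESP packet becomes for a given TCP MSS, which shows why a full 1460-byte segment depends on path MTU discovery or fragmentation while the 1300 clamp used above fits with room to spare. The cipher profiles and the 1500/1492-byte path MTUs are assumptions; the thread does not state which proposals or link types are in use.

```python
from typing import NamedTuple

class EspProfile(NamedTuple):
    iv_len: int          # per-packet IV sent in the clear
    align: int           # alignment of the encrypted part (cipher block size)
    icv_len: int         # integrity check value / auth tag
    nat_t: bool = False  # UDP encapsulation (NAT-T) adds 8 bytes

# Assumed proposals, chosen for illustration only.
AES_CBC_SHA256 = EspProfile(iv_len=16, align=16, icv_len=16)
AES_GCM_16 = EspProfile(iv_len=8, align=4, icv_len=16)

IP_TCP_HEADERS = 40  # inner IPv4 header (20) + TCP header (20)

def esp_outer_size(inner_len: int, p: EspProfile) -> int:
    """On-the-wire size of a tunnel-mode ESP packet carrying inner_len bytes."""
    clear = 20 + (8 if p.nat_t else 0) + 8 + p.iv_len  # outer IP, UDP, SPI+seq, IV
    enc = inner_len + 2        # ESP trailer: pad-length and next-header bytes
    enc += -enc % p.align      # pad up to the cipher alignment
    return clear + enc + p.icv_len

def max_mss(path_mtu: int, p: EspProfile) -> int:
    """Largest TCP MSS whose encapsulated packet still fits in path_mtu."""
    mss = path_mtu - IP_TCP_HEADERS
    while mss > 0 and esp_outer_size(mss + IP_TCP_HEADERS, p) > path_mtu:
        mss -= 1
    return mss

if __name__ == "__main__":
    profiles = (("AES-CBC/SHA-256", AES_CBC_SHA256), ("AES-GCM-16", AES_GCM_16))
    for name, prof in profiles:
        for mss in (1460, 1300):
            size = esp_outer_size(mss + IP_TCP_HEADERS, prof)
            print(f"{name}: MSS {mss} -> {size}-byte ESP packet")
        print(f"{name}: largest MSS on a 1500-byte path = {max_mss(1500, prof)}")
```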