IPSect Site to Site (Slow Upload) - (Fast Download) issue

Derelict

@amd_infinium05 Right. Often connections from other subnets are trated differently.

I really cannot think of anything in the firewall that would cause what you are seeing unless you deliberately set a limiter. There is no checkbox to enable the issue you are seeing.

Packet capture an iperf session and see if there are retransmissions or something.

Set MSS Clamping in the advanced IPsec settings down to, say, 1300 and try again.

Try UDP iperf.

AMD_infinium05

@derelict thank you.

I will try udp on iperf when I get my hands on it.

I have observed that any traffic that is initiated from site a to site b gets full speed up and down through the tunnel regardless of what type of task I throw at it (rdp/samba/iperf).

Connections initiated from site B (iperf and file transfer via cifs/smb to qnap it is slow). This is really weird from my point of view.

Also I have observed that if the connection is initiated from site B, it is actually hitting the ipsec firewall rule on site A. If the connection is initiated from site A it is hitting the ipsec firewall rule in Site B. --- this is normal yes?

Derelict

Yes. The firewall rules on IPsec are the same as any other interface. They govern connections coming INTO that firewall on that interface.

AMD_infinium05

So here are my iperf tests

Site B to Site A (left window is Site B, right window is Site A)
0_1550448666703_80e4182a-55ac-4e7b-801c-81705b73e3b3-image.png

Site B to Site A
0_1550448833656_d52cd3b2-0467-4044-8b47-b70f0a5b0779-image.png

Derelict

Still doesn't point at anything on the firewalls themselves.

(You have to specify a -b bandwidth flag when using UDP or it tries to send 1Mbit/sec as you saw)

bbrendon

How do you know its not the ISP? I swear I've seen Comcast Residential throttle all kinds of things.

AMD_infinium05

@bbrendon I dont know sir. I do not know where else to look at.

AMD_infinium05

Here are my speedtest using UDP from SiteB to SiteA

They are showing two different information.

Left: Site B (client)
Right: Site A (Server)

0_1550841573559_edb439b1-4f9a-4980-9afb-ba9cb0cc0859-image.png

AMD_infinium05

RESOLVED!!
I have set both ends to MSS Clamping 1300 and that solved the issue.
I can now upload data to Qnap at full speed 80-90Mbps.

Wrap up thoughts?

P3R

Wouldn't it be better to fix what's preventing MTU discovery to work properly (your ICMP filtering perhaps)?

I've never needed MSS Clamping.

AMD_infinium05

@p3r ICMP filtering?

P3R

As far as I know MSS Clamping is a workaround to avoid MTU discovery problems. I assumed that you have some filtering in the source-destination path (ICMP was my first thought) that prevent MTU discovery.

Since throughtput was assymetric, I expected it to be fairly easy to find what was different and causing the issue at one end.