Netgate Discussion Forum
    IPsec Site to Site (Slow Upload) - (Fast Download) issue

    • AMD_infinium05 @Derelict

      @derelict thank you.

      I will try udp on iperf when I get my hands on it.

      I have observed that any traffic that is initiated from site a to site b gets full speed up and down through the tunnel regardless of what type of task I throw at it (rdp/samba/iperf).

      Connections initiated from site B (iperf and file transfer via cifs/smb to qnap) are slow. This is really weird from my point of view.

      Also I have observed that if the connection is initiated from site B, it is actually hitting the ipsec firewall rule on site A. If the connection is initiated from site A it is hitting the ipsec firewall rule in Site B. --- this is normal yes?

      • Derelict LAYER 8 Netgate

        Yes. The firewall rules on IPsec are the same as any other interface. They govern connections coming INTO that firewall on that interface.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        • AMD_infinium05

          So here are my iperf tests

          Site B to Site A (left window is Site B, right window is Site A)
          [image]

          Site B to Site A
          [image]

          • Derelict LAYER 8 Netgate

            Still doesn't point at anything on the firewalls themselves.

            (You have to specify a -b bandwidth flag when using UDP or it tries to send 1Mbit/sec as you saw)

            • bbrendon @Derelict

              How do you know it's not the ISP? I swear I've seen Comcast Residential throttle all kinds of things.

              • AMD_infinium05 @bbrendon

                @bbrendon I don't know, sir. I do not know where else to look.

                • AMD_infinium05

                  Here are my speed tests using UDP from SiteB to SiteA

                  They are showing two different sets of information.

                  Left: Site B (client)
                  Right: Site A (Server)

                  [image]

                  • AMD_infinium05

                    RESOLVED!!
                    I have set both ends to MSS Clamping 1300 and that solved the issue.
                    I can now upload data to Qnap at full speed 80-90Mbps.

                    Wrap up thoughts?

                    • P3R

                      Wouldn't it be better to fix what's preventing MTU discovery from working properly (your ICMP filtering perhaps)?

                      I've never needed MSS Clamping.

                      • AMD_infinium05 @P3R

                        @p3r ICMP filtering?

                        • P3R

                          As far as I know MSS Clamping is a workaround to avoid MTU discovery problems. I assumed that you have some filtering in the source-destination path (ICMP was my first thought) that prevents MTU discovery.

                          Since throughput was asymmetric, I expected it to be fairly easy to find what was different and causing the issue at one end.
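
Added example, not part of any post in this thread: the ESP tunnel-mode size arithmetic behind the MSS clamp and the MTU discovery discussion above, showing the largest MSS that fits a given path MTU and how big the outer packet becomes with and without a 1300-byte clamp. The thread does not state the tunnel's cipher or whether NAT-T is in use, so the transforms listed are assumptions, as are IPv4 and the absence of IP options.

```python
"""ESP tunnel-mode packet sizes (added example; transforms are assumptions)."""

IP_HDR, TCP_HDR, UDP_HDR, ESP_HDR, ESP_TRAILER = 20, 20, 8, 8, 2

# Assumed transforms: (IV bytes, padding alignment, ICV bytes).
TRANSFORMS = {
    "aes-cbc/hmac-sha1-96": (16, 16, 12),
    "aes-cbc/hmac-sha256-128": (16, 16, 16),
    "aes-gcm-16": (8, 4, 16),
}

def _fixed(transform, nat_t):
    """Bytes added regardless of payload: outer IP, optional NAT-T UDP, ESP, IV, ICV."""
    iv, _, icv = TRANSFORMS[transform]
    return IP_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv + icv

def esp_packet_size(inner_len, transform, nat_t=False):
    """Outer IPv4 packet size for an inner IP packet of inner_len bytes."""
    _, align, _ = TRANSFORMS[transform]
    # Inner packet plus pad-length/next-header bytes, rounded up to the alignment.
    padded = -(-(inner_len + ESP_TRAILER) // align) * align
    return _fixed(transform, nat_t) + padded

def max_inner_packet(path_mtu, transform, nat_t=False):
    """Largest inner IP packet whose ESP encapsulation still fits path_mtu."""
    _, align, _ = TRANSFORMS[transform]
    room = path_mtu - _fixed(transform, nat_t)
    return room - room % align - ESP_TRAILER

def max_mss(path_mtu, transform, nat_t=False):
    """Largest TCP MSS that avoids fragmentation of the encapsulated packet."""
    return max_inner_packet(path_mtu, transform, nat_t) - IP_HDR - TCP_HDR

def report(path_mtu=1500, clamp=1300):
    """Rows of (transform, nat_t, max MSS, outer size at MSS 1460, outer size at clamp)."""
    rows = []
    for name in TRANSFORMS:
        for nat_t in (False, True):
            rows.append((name, nat_t,
                         max_mss(path_mtu, name, nat_t),
                         esp_packet_size(1460 + IP_HDR + TCP_HDR, name, nat_t),
                         esp_packet_size(clamp + IP_HDR + TCP_HDR, name, nat_t)))
    return rows

if __name__ == "__main__":
    for name, nat_t, mss, full, clamped in report():
        print(f"{name:24} nat-t={nat_t!s:5} max_mss={mss} "
              f"outer@1460={full} outer@clamp={clamped}")
```

Under every assumed transform an unclamped 1460-byte segment produces an outer packet larger than 1500 bytes, so it depends on fragmentation or working path MTU discovery, while a 1300-byte clamp keeps the outer packet at or below 1412 bytes.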

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.