Netgate Discussion Forum

    More IPSEC woes…. Horrible performance

      kapara

      I have spent 3 days now trying to understand what might be causing the problems on the VPN we have.

      Connection is point to point.

      Site A Supermicro Xeon server with virtual pfsense. 3.2.1_5
      Site B is an APU running 2.2.6

      iperf is able to push the VPN to the max of site B which is 10mbit

      Windows file transfer or robocopy fluctuates around 1.5 mbit

      When I changed from AES 128 to 3DES I was able to push the throughput of windows transfer up to 3-4 mbit

      My real issue is that a thin client application that uses SQL in the background is having the most issues.  When performing a query from site B (Client) to Site A (Server) the process can take upwards of 60 seconds to complete the query in the app.  Using a computer local to the server (Site A) the query is pretty much instantaneous.  Also when performing the query from Site B we do not record any kind of significant traffic during the query.

      Any suggestions would be helpful!

      Skype ID:  Marinhd

        cmb

        Enable MSS clamping if you haven't already. Outside of that, you're getting the line capacity with iperf, so the VPN itself isn't to blame. Windows file transfers perform horribly with high latency. Guessing the bulk of it's attributable to that, with anything to do with SMB at least. The SQL part might be fixed by MSS clamping, but hard to say from that what it might be.

          kapara

          Are there any recommended values or is it ok to try anything?  Site A is in a datacenter (OVH) with ethernet handoff of 1GB inbound and 500mbit outbound.  Are there any questions I could ask the datacenter that might help determine the value I might want to enter?

          Site B is 10mbit fiber from ATT

          Latency is 70-80ms

            cmb

            1400 should be fine.

              laped

              We ended up using 1280 MTU for IPsec, but we have many mobile clients using modem.

              Some good reading about the subject can be found here:

              https://www.zeitgeist.se/2013/11/26/mtu-woes-in-ipsec-tunnels-how-to-fix/

                kapara

                I am going to try changing the MTU to 1400 tonight.

                What is interesting is when I switched to 3DES/SHA1 from AES on the APU I was able to pass 3-4 mbit on windows file transfers compared to maximum 1.5 on AES 128/SHA1.

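Added example, not part of the thread and not pfSense code: a small calculator for how much of the path MTU ESP tunnel mode consumes, so an MSS clamp value can be checked against the two proposals mentioned above (AES-128/SHA1 and 3DES/SHA1). It assumes IPv4 inside and outside, CBC ciphers with HMAC-SHA1-96, no TCP options, and a path MTU that you supply; none of those details are stated in the thread.

```python
from dataclasses import dataclass

# All sizes in bytes. Assumptions: IPv4 outer and inner headers without options.
OUTER_IPV4 = 20    # outer IPv4 header added by tunnel mode
ESP_HEADER = 8     # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1), encrypted with the payload
NATT_UDP = 8       # extra UDP header when NAT-T encapsulation is in use
INNER_TCPIP = 40   # inner IPv4 (20) + TCP (20), no TCP options


@dataclass(frozen=True)
class Proposal:
    name: str
    block: int  # CBC block size; plaintext is padded to a multiple of it
    iv: int     # per-packet IV carried in front of the ciphertext
    icv: int    # truncated HMAC appended to the packet


AES128_SHA1 = Proposal("AES-128-CBC / HMAC-SHA1-96", block=16, iv=16, icv=12)
TDES_SHA1 = Proposal("3DES-CBC / HMAC-SHA1-96", block=8, iv=8, icv=12)


def fixed_overhead(p, natt=False):
    """Bytes ESP adds regardless of payload length."""
    return OUTER_IPV4 + (NATT_UDP if natt else 0) + ESP_HEADER + p.iv + p.icv


def esp_packet_len(inner_len, p, natt=False):
    """On-the-wire size of an ESP tunnel-mode packet carrying inner_len bytes."""
    # Payload plus trailer is rounded up to a whole number of cipher blocks.
    padded = -(-(inner_len + ESP_TRAILER) // p.block) * p.block
    return fixed_overhead(p, natt) + padded


def max_mss(path_mtu, p, natt=False):
    """Largest TCP MSS whose full-size segment fits path_mtu after encapsulation."""
    room = (path_mtu - fixed_overhead(p, natt)) // p.block * p.block
    return room - ESP_TRAILER - INNER_TCPIP


if __name__ == "__main__":
    mtu = 1500  # assumed path MTU between the two sites; measure your own
    for p in (AES128_SHA1, TDES_SHA1):
        for natt in (False, True):
            print(f"{p.name:28} NAT-T={natt!s:5} max MSS at MTU {mtu}: "
                  f"{max_mss(mtu, p, natt)}")
```

Run it with the path MTU actually measured between the sites; a clamp at or below the printed value keeps full-size TCP segments from being fragmented after encryption.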