IPsec Site to Site (Slow Upload) - (Fast Download) issue
-
@derelict thank you.
I will try udp on iperf when I get my hands on it.
I have observed that any traffic that is initiated from site a to site b gets full speed up and down through the tunnel regardless of what type of task I throw at it (rdp/samba/iperf).
Connections initiated from site B (iperf and file transfer via cifs/smb to qnap) are slow. This is really weird from my point of view.
Also I have observed that if the connection is initiated from site B, it is actually hitting the ipsec firewall rule on site A. If the connection is initiated from site A it is hitting the ipsec firewall rule in Site B. --- this is normal yes?
-
Yes. The firewall rules on IPsec are the same as any other interface. They govern connections coming INTO that firewall on that interface.
-
So here are my iperf tests
Site B to Site A (left window is Site B, right window is Site A)
Site B to Site A
-
Still doesn't point at anything on the firewalls themselves.
(You have to specify a -b bandwidth flag when using UDP or it tries to send 1Mbit/sec as you saw)
-
How do you know it's not the ISP? I swear I've seen Comcast Residential throttle all kinds of things.
-
@bbrendon I don't know sir. I do not know where else to look.
-
Here are my speed tests using UDP from SiteB to SiteA
They are showing two different sets of information.
Left: Site B (client)
Right: Site A (Server)
-
RESOLVED!!
I have set both ends to MSS Clamping 1300 and that solved the issue.
I can now upload data to Qnap at full speed 80-90Mbps. Wrap up thoughts?
-
Wouldn't it be better to fix what's preventing MTU discovery to work properly (your ICMP filtering perhaps)?
I've never needed MSS Clamping.
-
@p3r ICMP filtering?
-
As far as I know MSS Clamping is a workaround to avoid MTU discovery problems. I assumed that you have some filtering in the source-destination path (ICMP was my first thought) that prevents MTU discovery.
Since throughput was asymmetric, I expected it to be fairly easy to find what was different and causing the issue at one end.
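
The size arithmetic behind the MSS clamp discussed above, as an added example that is not part of the original thread: it computes how large a TCP segment can be before its ESP tunnel-mode packet exceeds the path MTU, and checks the default Ethernet MSS of 1460 against the 1300 clamp. The thread does not state the cipher suite or path MTU, so the two cipher profiles, the IPv4-only headers and the 1500-byte MTU are assumptions.

```python
# Added example: ESP tunnel-mode size arithmetic. All sizes in bytes.
# Cipher profiles and the 1500-byte path MTU are assumptions, not from the thread.
from dataclasses import dataclass

OUTER_IPV4 = 20      # new outer IPv4 header (tunnel mode)
NAT_T_UDP = 8        # UDP/4500 encapsulation, only when NAT-T is in use
ESP_HEADER = 8       # SPI + sequence number
ESP_TRAILER = 2      # pad-length + next-header bytes, inside the ciphertext
INNER_IPV4_TCP = 40  # inner IPv4 + TCP headers without options

@dataclass(frozen=True)
class EspProfile:
    name: str
    iv: int     # per-packet IV carried in clear
    block: int  # ciphertext is padded to a multiple of this
    icv: int    # integrity check value appended to the packet

AES_CBC_SHA1 = EspProfile("AES-CBC + HMAC-SHA1-96", iv=16, block=16, icv=12)
AES_GCM = EspProfile("AES-GCM, 16-byte ICV", iv=8, block=4, icv=16)

def fixed_overhead(p, nat_t=False):
    return OUTER_IPV4 + (NAT_T_UDP if nat_t else 0) + ESP_HEADER + p.iv + p.icv

def outer_size(inner_len, p, nat_t=False):
    """Size on the wire of one inner IP packet after ESP encapsulation."""
    plaintext = inner_len + ESP_TRAILER
    padded = -(-plaintext // p.block) * p.block  # round up to block size
    return fixed_overhead(p, nat_t) + padded

def max_mss(path_mtu, p, nat_t=False):
    """Largest TCP MSS whose encapsulated packet still fits in path_mtu."""
    room = (path_mtu - fixed_overhead(p, nat_t)) // p.block * p.block
    return room - ESP_TRAILER - INNER_IPV4_TCP

def fits(mss, path_mtu, p, nat_t=False):
    return outer_size(mss + INNER_IPV4_TCP, p, nat_t) <= path_mtu

if __name__ == "__main__":
    for p in (AES_CBC_SHA1, AES_GCM):
        for nat_t in (False, True):
            print(f"{p.name}, NAT-T={nat_t}: max MSS {max_mss(1500, p, nat_t)}")
    for mss in (1460, 1300):  # Ethernet default vs. the clamp used in the thread
        size = outer_size(mss + INNER_IPV4_TCP, AES_CBC_SHA1)
        print(f"MSS {mss}: {size} bytes on the wire, fits={fits(mss, 1500, AES_CBC_SHA1)}")
```

A full-size segment that does not fit has to be fragmented or shrunk through path MTU discovery, which depends on ICMP "fragmentation needed" messages reaching the sender; clamping the MSS avoids that dependency.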