    VPN Horrendously Slow

    IPsec
    • T
      topanaris last edited by

      Hi, I managed to set up a VPN between my Cisco ASA and pfSense. Everything works as intended and traffic is traversing the VPN - it's just very slow. I mean, I am using RDP and it's like a slide show. The specs on the pfSense box are a 2.8Ghz dual-core Celeron with 2Gb RAM. Based on what I have read on pfSense, I more or less know that the specs on the box should suffice, so I don't think changing the encryption from 3DES to AES-128 would make much of a difference. Still, any advice would be highly appreciated.

      • jimp
        jimp Rebel Alliance Developer Netgate last edited by

        There could be loads of different reasons this might happen.

        • Make sure both sides are not maxing out their upstream bandwidth
        • Check transfer rate of a file transfer and not an RDP session
        • Do a packet capture and analyze it in Wireshark to see what is causing the delay
        • Try changing the encryption algorithm anyhow as a test
        • Try reducing the WAN-side MTU as a test
        • Check the system graphs to see if there is any kind of a load on the box when transferring data across the tunnel
        • See if you can get some debug info out of the Cisco ASA side
        • Check the ping times across the tunnel
          …
        • T
          topanaris last edited by

          Actually, RDP works fine from the pfSense side; however, when testing from the ASA side, that's where I experience the slideshow. I can definitively state that it is not a bandwidth or CPU issue on either the ASA or the pfSense box. I will continue to troubleshoot and display my findings here.

          • T
            topanaris last edited by

            Well, I checked all the above and no such luck; RDP from the ASA side is still slow. Any more ideas? Thanks for the help thus far.

            • R
              rsingh last edited by

              I'm working on some similar issues:

              WAN (MTU 1492 MLPPP/ADSL) can do 160kbytes/sec upload
              Through IPsec it can sustain 20-30kbytes/sec upload
              I've tried all kinds of enc methods and all seem to have the same result.

              Test:

              client -> vpn -> pfsense -> http server :: result 20kbytes/sec transfer
              client -> pfsense -> http server :: result 160kbytes/sec transfer (what I expect)

              CPU usage is below 10% in both tests.

              Oddly enough, my OPT (MTU 1500) is much better!

              client -> vpn -> pfsense -> http server :: result 110kbytes/sec transfer
              client -> pfsense -> http server :: result 120kbytes/sec transfer

              What's causing this and what can I do to address this on WAN?

              • T
                topanaris last edited by

                I am out of ideas. I have checked encryption, bandwidth, CPU and MTU and nada. Hopefully some of the experts here can post something.

                • R
                  rsingh last edited by

                  Can you tell me what kind of transfer rates you were getting? Say FTP or HTTP over the VPN?
                  When you do a tcpdump, do you see a storm of ICMP redirects? I do and I'm sure it's not helping anything.

                  One end point that I have is a 300mhz, 256mb AMD K6 CPU; however, it barely ever reaches over 50% CPU usage.

                  • R
                    rsingh last edited by

                    After changing my WAN MTU from 1492 to 1500 I can upload from the HTTP server to the client at 140kbytes/sec or so. This line has a max of about 160kbytes/sec. Because it's MLPPP and not just straight PPPoE, I'm able to work with an MTU of 1500 - I think the max would be around 1486 * 2 = 2972.

                    If the client is sending to the HTTP server it's still pretty slow, even when everyone is at 1500-byte MTUs.
                    I'll keep at it, but the MTU hint from jimp at least corrects the problem in one direction.

                    1 Reply Last reply Reply Quote 0
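Added example, not part of any post in this thread: the MTU effect discussed above comes from ESP tunnel-mode overhead, and this sketch computes, for the link MTUs (1492, 1500) and ciphers (3DES, AES-128) mentioned in the thread, the largest inner packet that avoids fragmentation and the matching TCP MSS. It generalizes beyond the posts and assumes IPv4, CBC-mode ciphers and an HMAC-SHA1-96 integrity tag, none of which the thread states; all function names are illustrative.

```python
# Added example: ESP tunnel-mode overhead vs. link MTU (not from the thread).
# Assumed: IPv4, CBC ciphers, HMAC-SHA1-96 (12-byte ICV), NAT-T only if asked.
OUTER_IP = 20      # outer IPv4 header, no options
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad-length byte + next-header byte
ICV = 12           # truncated HMAC-SHA1-96 tag (assumption)
NAT_T = 8          # UDP encapsulation header used by NAT traversal
TCP_IP = 40        # inner IPv4 (20) + TCP (20), no options

# cipher name -> (block size, IV size) in bytes
CIPHERS = {"3des": (8, 8), "aes128": (16, 16)}


def esp_packet_size(inner_len, cipher, nat_t=False):
    """On-the-wire size of one ESP tunnel-mode packet carrying inner_len bytes."""
    block, iv = CIPHERS[cipher]
    # inner packet + trailer is padded up to a whole number of cipher blocks
    encrypted = -(-(inner_len + ESP_TRAILER) // block) * block
    return OUTER_IP + (NAT_T if nat_t else 0) + ESP_HDR + iv + encrypted + ICV


def max_inner_packet(link_mtu, cipher, nat_t=False):
    """Largest inner IP packet that fits in link_mtu without fragmentation."""
    block, iv = CIPHERS[cipher]
    room = link_mtu - OUTER_IP - (NAT_T if nat_t else 0) - ESP_HDR - iv - ICV
    return (room // block) * block - ESP_TRAILER


def mss_clamp(link_mtu, cipher, nat_t=False):
    """TCP MSS that keeps full-size segments inside one ESP packet."""
    return max_inner_packet(link_mtu, cipher, nat_t) - TCP_IP


def report(mtus=(1492, 1500)):
    """Rows of (link MTU, cipher, max inner packet, MSS, 1500B inner fragments?)."""
    rows = []
    for mtu in mtus:
        for cipher in CIPHERS:
            rows.append((mtu, cipher, max_inner_packet(mtu, cipher),
                         mss_clamp(mtu, cipher),
                         esp_packet_size(1500, cipher) > mtu))
    return rows


if __name__ == "__main__":
    print("link_mtu cipher  max_inner  mss  1500B_inner_fragments")
    for row in report():
        print("%8d %-7s %9d %4d  %s" % row)
```

A full 1500-byte inner packet exceeds either link MTU once encapsulated, so hosts behind the tunnel that send full-size segments depend on fragmentation or path MTU discovery unless the MSS is lowered to the computed value.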
                    • R
                      rsingh last edited by

                      I previously had 1.2.3-rc1 connecting to a 2.0 box. After upgrading the old version to 2.0 I now get a consistent 50kbytes/sec, which is a slight improvement but nowhere near where it could be.

                      I set up the same versions in an ESXi box. The ESXi system housed 2 pfSense gateways (including the one doing 50kbytes/sec) and a third system which served as the VPN client system:

                      real host <-> pfsense A <- vpn -> pfsense B <-> virtual host

                      The real and virtual host can send/receive 5mbytes/sec to each other… pfSense A is the same system doing 50kbytes/sec with my other host, so it's not the config; in fact it's a default config. I don't change any phase 1/2 options except the PSK.

                      I'm going to blame this on QoS going on on the shared network connecting to pfSense A, which is beyond my control. From the virtual testing and the lack of other people complaining about IPsec, I would hazard a guess that pfSense IPsec is pretty fast.
