VPN Horrendously Slow
-
Hi, I managed to set up a VPN between my Cisco ASA and pfSense. Everything works as intended and traffic is traversing the VPN; it's just very slow. I mean, I am using RDP and it's like a slide show. The specs on the pfSense box are a 2.8Ghz dual core Celeron with 2Gb ram. Based on what I have read on pfSense, I more or less know that the specs on the box should suffice, so I don't think changing the encryption from 3des to aes 128 would make much of a difference. Still, any advice would be highly appreciated.
-
There could be loads of different reasons this might happen.
- Make sure both sides are not maxing out their upstream bandwidth
- Check transfer rate of a file transfer and not an RDP session
- Do a packet capture and analyze it in Wireshark to see what is causing the delay
- Try changing the encryption algorithm anyhow as a test
- Try reducing the WAN-side MTU as a test
- Check the system graphs to see if there is any kind of a load on the box when transferring data across the tunnel
- See if you can get some debug info out of the Cisco ASA side
- Check the ping times across the tunnel
…
-
Actually, RDP works fine from the pfSense side; however, when testing from the ASA side, that's where I experience the slideshow. I can definitively state that it is not a bandwidth or CPU issue on either the ASA or the pfSense box. I will continue to troubleshoot and post my findings here.
-
Well, I checked all the above and no such luck; RDP from the ASA side is still slow. Any more ideas? Thanks for the help thus far.
-
I'm working on some similar issues:
WAN (MTU 1492 MLPPP/ADSL) can do 160kbytes/sec upload
Through IPSEC it can sustain 20-30kbytes/sec upload
I've tried all kinds of enc methods and all seem to have the same result.
Test:
client -> vpn -> pfsense -> http server :: result 20kbytes/sec transfer
client -> pfsense -> http server :: result 160kbytes/sec transfer (what I expect)
CPU usage is below 10% in both tests.
Oddly enough, my OPT (MTU 1500) is much better!
client -> vpn -> pfsense -> http server :: result 110kbytes/sec transfer
client -> pfsense -> http server :: result 120kbytes/sec transfer
What's causing this and what can I do to address this on WAN?
-
I am out of ideas, I have checked encryption, bandwidth, CPU and MTU and nada, hopefully some of the experts here can post something.
-
Can you tell me what kind of transfer rates you were getting? Say, FTP or HTTP over the VPN?
When you do a tcpdump, do you see a storm of ICMP redirects? I do, and I'm sure it's not helping anything.
One end point that I have is a 300mhz, 256mb AMD K6 CPU; however, it barely ever reaches over 50% CPU usage.
-
After changing my WAN MTU from 1492 to 1500 I can upload from the http server to the client at 140kbytes/sec or so. This line has a max of about 160kbytes/sec. Because it's MLPPP and not just straight PPPoE, I'm able to work with an MTU of 1500 - I think the max would be around 1486 * 2 = 2972.
If the client is sending to the http server it's still pretty slow, even when everyone is at 1500byte MTUs.
I'll keep at it, but the MTU hint from jimp at least corrects the problem in one direction.
-
I previously had 1.2.3-rc1 connecting to a 2.0 box. After upgrading the old version to 2.0 I now get a consistent 50kbytes/sec, which is a slight improvement but nowhere near where it could be.
I set up the same versions in an ESXi box. The ESXi system housed 2 pfSense gateways (including the one doing 50kbytes/sec) and a third system which served as the VPN client system:
real host <-> pfsense A <- vpn -> pfsense B <-> virtual host
The real and virtual host can send/receive 5mbytes/sec to each other… pfsense A is the same system doing 50kbytes/sec with my other host, so it's not the config; in fact, it's a default config. I don't change any phase 1/2 options except the PSK.
I'm going to blame this on QoS going on on the shared network connecting to pfsense A, which is beyond my control. From the virtual testing and the lack of other people complaining about IPsec, I would hazard a guess that pfSense IPsec is pretty fast.
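
As background to the MTU and cipher tests discussed in this thread, the following added example (not code from any poster or from pfSense or Cisco) works out how much room ESP tunnel mode leaves inside the WAN MTUs of 1492 and 1500 for 3DES and AES-128. It assumes an IPv4 outer header without options, CBC-mode ciphers and a 96-bit HMAC integrity value; all function names are hypothetical.

```python
# Added example: ESP tunnel-mode size arithmetic for the MTUs and ciphers in this thread.
# Assumptions: IPv4 outer header without options, CBC ciphers, 96-bit HMAC ICV.
OUTER_IPV4 = 20      # new outer IPv4 header
ESP_HEADER = 8       # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
NAT_T_UDP = 8        # UDP encapsulation header, only when NAT-T is in use
TCP_IP_HEADERS = 40  # inner IPv4 (20) + TCP (20), no options

CIPHERS = {"3des-cbc": (8, 8), "aes128-cbc": (16, 16)}  # name -> (IV bytes, block bytes)
ICV_BYTES = {"hmac-sha1-96": 12, "hmac-md5-96": 12}


def esp_packet_size(inner_len, cipher, icv="hmac-sha1-96", nat_t=False):
    """On-the-wire size of one inner IP packet after ESP tunnel encapsulation."""
    iv, block = CIPHERS[cipher]
    # Payload plus trailer is padded up to a whole number of cipher blocks.
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    return OUTER_IPV4 + (NAT_T_UDP if nat_t else 0) + ESP_HEADER + iv + padded + ICV_BYTES[icv]


def max_inner_packet(wan_mtu, cipher, icv="hmac-sha1-96", nat_t=False):
    """Largest inner IP packet that still fits the WAN MTU without fragmentation."""
    inner = wan_mtu
    while inner > 0 and esp_packet_size(inner, cipher, icv, nat_t) > wan_mtu:
        inner -= 1
    return inner


def max_tcp_mss(wan_mtu, cipher, icv="hmac-sha1-96", nat_t=False):
    """TCP MSS to clamp to so tunnelled segments are never fragmented."""
    return max_inner_packet(wan_mtu, cipher, icv, nat_t) - TCP_IP_HEADERS


def fragments_on_wan(inner_len, wan_mtu, cipher, icv="hmac-sha1-96", nat_t=False):
    """True when the encapsulated packet exceeds the WAN MTU."""
    return esp_packet_size(inner_len, cipher, icv, nat_t) > wan_mtu


if __name__ == "__main__":
    for mtu in (1492, 1500):          # the two WAN MTUs mentioned in the thread
        for cipher in CIPHERS:
            print(f"WAN MTU {mtu} {cipher:11}: inner packet <= "
                  f"{max_inner_packet(mtu, cipher)}, TCP MSS <= {max_tcp_mss(mtu, cipher)}")
    # A full-size 1500-byte packet from a LAN host, sent through the tunnel:
    print("1500-byte packet over 3des-cbc becomes", esp_packet_size(1500, "3des-cbc"), "bytes")
```

Inner packets larger than the computed limit are either fragmented on the WAN link or, when the DF bit is set, rely on path MTU discovery working through the tunnel.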