[fw-wiz] CISCO Hardware VPN Client Impact on Throughput
From: Wade Burgett (wadeb_at_burgettsys.com)
Date: 08/28/03
To: firewall-wizards@honor.icsalabs.com
Date: Wed, 27 Aug 2003 22:36:56 -0700
Hi, I'm trying to track down the cause of some performance problems
with a CISCO VPN. The client side is using the CISCO VPN 3002 Hardware
Client, and the Server end is a CISCO VPN Concentrator (no model number
yet - I'm a consultant just for the client end).
I'm seeing a pretty big hit on the throughput of the VPN. Wondering if
this is normal for a CISCO VPN or this hardware. It seems very large -
I get much better results from the high-overhead ssh-ppp VPNs on
Linux/Solaris I set up for myself.
-----------------------------------------------
The Questions
--------------------------------------------------
1) Wondering if the performance hit I'm seeing is normal for this
configuration (i.e. - tell the client to cry in their beer and live with
it). About 13Kbps of a 43 Kbps connection is lost through the VPN.
2) If the performance hit is not normal - what should I try - I'm planning a
series of MTU experiments, lowering it, turning off PMTU and changing
the way packets are fragmented (before, after IPSEC). I know this
system was set up by highly paid consultants (which is me too I guess) and
I've found quite a bit of traffic talking about consultants blocking the
PMTU ICMP ports. However, if there is some other explanation I'd be
happy to hear about anything that I might try, or secret red buttons
that I have not pushed.
-------------------------------
The Background Data
--------------------------------------------
I'm seeing about a 13KB/s hit on 43KB/s connection. That just can't be
right somehow I'm thinking. Client applications (Lotus Notes mostly)
are taking even bigger hits (2.5-3x longer to get an email attachment
through Lotus than to get via the web not through VPN).
My current guess as to cause is MTU and maybe interaction between MTU
              Size   Start      Stop       Time       Throughput KB/s
No VPN        958k   19:24:41   19:25:03   00:00:22   43.72
No VPN        958k   19:25:03   19:25:26   00:00:22   42.23
No VPN        958k   19:25:26   19:25:48   00:00:23   43.84
No VPN        958k   19:25:48   19:26:11   00:00:22   43.54
No VPN        958k   19:26:11   19:26:33   00:00:23   43.68
No VPN        958k   19:26:33   19:26:56   00:00:22   43.64
avg throughput                                        43.44

Lxxxxx VPN    958k   20:13:17   20:13:52   00:00:35   27.86
Lxxxxx VPN    958k   20:13:52   20:14:23   00:00:35   31.12
Lxxxxx VPN    958k   20:14:23   20:14:55   00:00:31   30.73
Lxxxxx VPN    958k   20:14:55   20:15:25   00:00:32   32.66
Lxxxxx VPN    958k   20:15:25   20:15:55   00:00:30   32.28
Lxxxxx VPN    958k   20:15:55   20:16:29   00:00:30   29.13
avg throughput                                        30.63
Thanks.
Wade
--
Wade Burgett
wadeb@burgettsys.com
(512)-796-7070 (503)-756-5633
Burgett Systems http://www.burgettsys.com
ELIMINATE EMAIL VIRUSES - Use Linux
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards