[fw-wiz] CISCO Hardware VPN Client Impact on Throughput

From: Wade Burgett (wadeb_at_burgettsys.com)
Date: 08/28/03

  • Next message: Kilaru Sambaiah: "[fw-wiz] security of private leased lines"
    To: firewall-wizards@honor.icsalabs.com
    Date: Wed, 27 Aug 2003 22:36:56 -0700
    
    

    Hi, I'm trying to track down the cause of some performance problems
    wwith a CISCO VPN. The client side is using the CISCO VPN 3002 Hardware
    Client, and the Server end is a CISCO VPN Concentrator (no model number
    yet - I'm consultant just for the client end).

    I'm seeing a pretty big hit on the throughput of the VPN. Wondering if
    this is normal for a CISCO VPN or this hardware. It seems very large -
    I get much better results from the high-overhead ssh-ppp vpns on
    Linux/Solaris I setup for myself.
    -----------------------------------------------
    The Questions
    --------------------------------------------------

    1) Wondering if the performance hit I'm seeing is normal for this
    configuration (ie - tell the client to cry in their beer and live with
    it). About 13Kbps of a 43 Kbps connection is lost through the VPN.

    2) If performance hit is not normal - what should I try - I'm planning a
    series of MTU experiments, lowering it, turning off PMTU and changing
    the way packets are fragmented (before, after IPSEC). I know this
    system was setup by high paid consultants (which is me too I guess) and
    I've found quite a bit of traffic talking about consultants blocking the
    PMTU ICMP ports. However, if there is some other explanation I'd be
    happy to hear about anything that I might try, or secret red buttons
    that I have not pushed.

    -------------------------------
    The Background Data
    --------------------------------------------
    I'm seeing about a 13KB/s hit on 43KB/s connection. That just can't be
    right somehow I'm thinking. Client applications (Lotus Notes mostly)
    are taking even bigger hits (2.5-3x longer to get an email attachment
    through Lotus than to get via the web not through VPN).
    My current guess as to cause is MTU and maybe interaction between MTU

            Size Start Stop Time Throughput KB/s
    No VPN 958k 19:24:41 19:25:03 00:00:22 43.72
    No VPN 958k 19:25:03 19:25:26 00:00:22 42.23
    No VPN 958k 19:25:26 19:25:48 00:00:23 43.84
    No VPN 958k 19:25:48 19:26:11 00:00:22 43.54
    No VPN 958k 19:26:11 19:26:33 00:00:23 43.68
    No VPN 958k 19:26:33 19:26:56 00:00:22 43.64
                                                    
    avg throughput 43.44

    Lxxxxx VPN 958k 20:13:17 20:13:52 00:00:35 27.86
    Lxxxxx VPN 958k 20:13:52 20:14:23 00:00:35 31.12
    Lxxxxx VPN 958k 20:14:23 20:14:55 00:00:31 30.73
    Lxxxxx VPN 958k 20:14:55 20:15:25 00:00:32 32.66
    Lxxxxx VPN 958k 20:15:25 20:15:55 00:00:30 32.28
    Lxxxxx VPN 958k 20:15:55 20:16:29 00:00:30 29.13

    avg throughput 30.63

    Thanks.

    Wade

    -- 
    Wade Burgett
    wadeb@burgettsys.com
    (512)-796-7070
    (503)-756-5633
    Burgett Systems
    http://www.burgettsys.com
    ELIMINATE EMAIL VIRUSES - Use Linux
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    

  • Next message: Kilaru Sambaiah: "[fw-wiz] security of private leased lines"