ScreenOS Firewalls (NOT SRX)
Blogs
Discussion Forums
Programs & Events
turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Reply
Topic Options
mdauer
Visitor
mdauer
Posts: 6
Registered: ‎05-14-2009
0
Accepted Solution

IPSEC VPN really slow on downloads, uploads are fine though

Options

‎05-29-2009 09:37 AM

VPN Gateway: NS5XP, ScreenOS 5.0.0R9

VPN Client: VPN Tracker 4.x or 5.x

VPN Tracker und NS5XP are configured as suggested by equinux.

Local Server: AppleShare Server

 

The Problem is that downloads form the server are really slow while uploads are fine. I tried it from different internet connections, with different computers and two different versions of the VPN client. The problems remain the same, qualitatively, not neccessary quantitatively. I also checked the bandwidth of the internet connection where the 5XP is connected to. 2MBit/s up- and downstream. I've included two diagrams of the transfer rate, one for an upload to the AFS server und one for the download of the same file, respectively. The download shows a much more irregular, erratic behavior, with a much lower average transfer rate. I really don't know what could be the cause of this asymmetry.

 

Any help is appreciated,

Michael

 

Attachment download.gif ‏8 KB
Attachment upload.gif ‏8 KB
Attachment NetScreen-4-EN.pdf ‏2229 KB
Message 1 of 7 (27,612 Views)
 
Reply
Trusted Expert Trusted Expert
Trusted Expert
WL
Posts: 777
Registered: ‎07-26-2008
0

Re: IPSEC VPN really slow on downloads, uploads are fine though

Options

‎05-29-2009 01:07 PM

Did you try "set flow tcp-mss 1300" to see if this helps?
****pls click the button " Accept as Solution" if my post helped to solve your problem****
Message 2 of 7 (27,603 Views)
 
Reply
mdauer
Visitor
mdauer
Posts: 6
Registered: ‎05-14-2009
0

Re: IPSEC VPN really slow on downloads, uploads are fine though

Options

‎05-31-2009 02:20 AM

Thank you.

 

I tried the setting you recommended, but it had no impact on the problem. I lowered the fragment size to a pretty unreasonable 100, but even this did not change the principal situation.

Message 3 of 7 (27,576 Views)
 
Reply
mdauer
Visitor
mdauer
Posts: 6
Registered: ‎05-14-2009
0

Re: IPSEC VPN really slow on downloads, uploads are fine though

Options

‎05-31-2009 08:31 AM

P.S. I tried a Windows (SMB) share also. The problem remained the same, so I conclude that the problem is not protocol related (AppleShare over IP, AFS).

 

Thanks for your efforts,

Michael

 

Message 4 of 7 (27,570 Views)
 
Reply
jimsiff
Visitor
jimsiff
Posts: 3
Registered: ‎12-05-2008
0

Re: IPSEC VPN really slow on downloads, uploads are fine though

Options

‎06-04-2009 11:01 PM

Are there interface errors on either the Juniper or any L2 switches between the server and the ISP demarc?  Is there a duplex mismatch somewhere?  You may want to do a packet capture and analyze in Wireshark or another application.  Follow the TCP flow, look at the graph for periods of packet retransmissions causing repeated TCP slow start.  It could be that there is a problem with the ISP connection.  If you suspect this, the Windows utility called pathping may be useful to determine where packet loss might be occuring.

Message 5 of 7 (27,511 Views)
 
Reply
mdauer
Visitor
mdauer
Posts: 6
Registered: ‎05-14-2009
0

Re: IPSEC VPN really slow on downloads, uploads are fine though

Options

‎06-06-2009 11:02 PM

Thank you!

 

I already noticed a high error count on the untrust interface, but didn't know what to do about it. Following your lead I tried 

set interface untrust phy full

and the performance improved dramatically, I now hit the respective bandwidth limits und the behavior no longer seems erratic. Keep fingers crossed.

 

Sincerely,

Michael

Attachment counters.gif ‏20 KB
Attachment download-upload.gif ‏8 KB
Message 6 of 7 (27,480 Views)
 
Reply
contra
Contributor
contra
Posts: 11
Registered: ‎07-03-2008
0

Re: IPSEC VPN really slow on downloads, uploads are fine though

Options

‎07-01-2009 02:11 PM

I have the same issue almost problem is with accessing  NAS with SMB shares . DS3 connection going out 40 mbps  across the vpn 800kpbs in one direction . either direction i can hit transfers of 31 mbps using iperf but still SMB traffic is slow.
Message 7 of 7 (27,183 Views)
 
Reply
Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.