Screen OS

last person joined: 8 months ago 

This is a legacy community with limited Juniper monitoring.

  • 1.  IPSEC VPN really slow on downloads, uploads are fine though

    Posted 05-29-2009 09:38

    VPN Gateway: NS5XP, ScreenOS 5.0.0R9

    VPN Client: VPN Tracker 4.x or 5.x

    VPN Tracker und NS5XP are configured as suggested by equinux.

    Local Server: AppleShare Server

     

    The Problem is that downloads form the server are really slow while uploads are fine. I tried it from different internet connections, with different computers and two different versions of the VPN client. The problems remain the same, qualitatively, not neccessary quantitatively. I also checked the bandwidth of the internet connection where the 5XP is connected to. 2MBit/s up- and downstream. I've included two diagrams of the transfer rate, one for an upload to the AFS server und one for the download of the same file, respectively. The download shows a much more irregular, erratic behavior, with a much lower average transfer rate. I really don't know what could be the cause of this asymmetry.

     

    Any help is appreciated,

    Michael

     


    #download
    #AppleShare
    #ip
    #IPSec
    #over
    #Slow
    #AFS

    Attachment(s)

    pdf
    NetScreen-4-EN.pdf   2.18 MB 1 version


  • 2.  RE: IPSEC VPN really slow on downloads, uploads are fine though

    Posted 05-29-2009 13:08
    Did you try "set flow tcp-mss 1300" to see if this helps?


  • 3.  RE: IPSEC VPN really slow on downloads, uploads are fine though

    Posted 05-31-2009 02:21

    Thank you.

     

    I tried the setting you recommended, but it had no impact on the problem. I lowered the fragment size to a pretty unreasonable 100, but even this did not change the principal situation.


    #vpn
    #Fragmentation


  • 4.  RE: IPSEC VPN really slow on downloads, uploads are fine though

    Posted 05-31-2009 08:31

    P.S. I tried a Windows (SMB) share also. The problem remained the same, so I conclude that the problem is not protocol related (AppleShare over IP, AFS).

     

    Thanks for your efforts,

    Michael

     



  • 5.  RE: IPSEC VPN really slow on downloads, uploads are fine though
    Best Answer

    Posted 06-04-2009 23:02

    Are there interface errors on either the Juniper or any L2 switches between the server and the ISP demarc?  Is there a duplex mismatch somewhere?  You may want to do a packet capture and analyze in Wireshark or another application.  Follow the TCP flow, look at the graph for periods of packet retransmissions causing repeated TCP slow start.  It could be that there is a problem with the ISP connection.  If you suspect this, the Windows utility called pathping may be useful to determine where packet loss might be occuring.



  • 6.  RE: IPSEC VPN really slow on downloads, uploads are fine though

    Posted 06-06-2009 23:03

    Thank you!

     

    I already noticed a high error count on the untrust interface, but didn't know what to do about it. Following your lead I tried 

    set interface untrust phy full

    and the performance improved dramatically, I now hit the respective bandwidth limits und the behavior no longer seems erratic. Keep fingers crossed.

     

    Sincerely,

    Michael



  • 7.  RE: IPSEC VPN really slow on downloads, uploads are fine though

    Posted 07-01-2009 14:12
    I have the same issue almost problem is with accessing  NAS with SMB shares . DS3 connection going out 40 mbps  across the vpn 800kpbs in one direction . either direction i can hit transfers of 31 mbps using iperf but still SMB traffic is slow.