I have an IPsec site-to-site VPN between SRX 340s. One is in the US and the other is in India. We have a 100M line in India, but when we transfer a file to the US from LAN to LAN it gives only 40-50 Kb/s speed. Can anybody suggest what to do?
Thanks in advance
What are the IKE/IPsec parameters that you are using? Can you change them to standard and test? Normally IPsec performance is 1/3rd of the circuit speed, but what you are getting is very low.
Can you check what speed you get in the FTP transfer in cleartext?
Also, you can test the speed by adding this command and check if there is any improvement:
#set security flow tcp-mss ipsec-vpn mss 1350
I would start by running an iperf test between two nodes on the site through the tunnel.
Then publish on one site access to the node for your other site and run the same test without the tunnel.
Confirm that the problem is in the VPN and not the internet path this way. There will be some difference but not an enormous one.
If the problem is with the path, we will take different troubleshooting steps than for the tunnel.
Thank you so much for your reply.
Here are my IKE and IPSec parameters
IKE:
mode main
proposals XYZ
pre-shared-key ascii-text "XXXX"
authentication-method pre-shared-keys
dh-group group2
authentication-algorithm md5
encryption-algorithm aes-128-cbc
lifetime-seconds 28800
perfect-forward-secrecy keys group2
protocol esp
authentication-algorithm hmac-md5-96
encryption-algorithm aes-128-cbc
lifetime-seconds 3600
I have checked with clear text but still the same slow speed.
I will add this command and test.
set security flow tcp-mss ipsec-vpn mss 1350
Also can you recommend that using
"set security flow tcp-session no-sequence-check" will be useful for TCP, but is your traffic TCP or UDP?
It appears that you are getting very low throughput irrespective of VPN. You may like to check if the ISP is throttling your bandwidth or the line has any significant drops.
If you are not using routing-instances, then you can run "traceroute monitor x.x.x.x" to see the latency/drops at every hop between your VPN peers.
I used the command you gave. Here is the analysis.
From India, traffic is leaving from the Singapore side, where it has 25% loss, and when it enters the USA there is 10% loss. So in total there is 35% loss in the end-to-end connection.
What to do now? Shall I report it to the ISP?
If there is 35% drop by the ISP on plain text traffic, there is nothing you can do on SRX to fix it.
I believe you should reach out to your ISP with this evidence, asking them NOT to throttle your traffic. I am sure they would be putting some kind of traffic shapers in place to drop your traffic bursts.
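For the "set security flow tcp-mss ipsec-vpn mss 1350" setting suggested in the thread, this added example (not part of any post, and not Juniper code) computes the on-the-wire size of a full-MSS TCP segment under the posted proposal (ESP tunnel mode, aes-128-cbc, hmac-md5-96). It assumes IPv4, no IP or TCP options and a 1500-byte path MTU, none of which the thread states; the function names are hypothetical.

```python
# Added example: ESP tunnel-mode packet size for a given TCP MSS.
# Assumptions (not stated in the thread): IPv4, no IP/TCP options, 1500-byte path MTU.
import math

OUTER_IP = 20      # outer IPv4 header, no options
ESP_HDR = 8        # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad-length byte + next-header byte
NATT_UDP = 8       # UDP encapsulation header when NAT-T is in use
INNER_HDRS = 40    # inner IPv4 (20) + TCP (20), no options

# Values for the proposal posted in the thread
AES_128_CBC = (16, 16)   # (IV bytes, cipher block bytes)
HMAC_MD5_96 = 12         # truncated ICV bytes


def esp_packet_size(mss, cipher=AES_128_CBC, icv=HMAC_MD5_96, nat_t=False):
    """IPv4 size of one full-MSS TCP segment after ESP tunnel encapsulation."""
    iv, block = cipher
    inner = INNER_HDRS + mss
    # Inner packet plus ESP trailer is padded up to a whole cipher block.
    encrypted = math.ceil((inner + ESP_TRAILER) / block) * block
    return OUTER_IP + (NATT_UDP if nat_t else 0) + ESP_HDR + iv + encrypted + icv


def max_mss(link_mtu=1500, **kw):
    """Largest MSS whose encapsulated packet still fits in link_mtu."""
    mss = link_mtu - INNER_HDRS
    while mss > 0 and esp_packet_size(mss, **kw) > link_mtu:
        mss -= 1
    return mss


if __name__ == "__main__":
    for nat_t in (False, True):
        print(f"NAT-T={nat_t}: mss 1350 -> {esp_packet_size(1350, nat_t=nat_t)} bytes, "
              f"largest MSS for 1500 MTU = {max_mss(nat_t=nat_t)}")
```

Under these assumptions mss 1350 yields 1448-byte packets (1456 with NAT-T), so the suggested value already keeps ESP packets below a 1500-byte path MTU.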