SRX Services Gateway

IP Sec site-to-site VPN Poor performance

‎03-21-2019 03:56 PM

Hello,

I have an IPsec site-to-site VPN between SRX 340s. One is in the US and the other is in India. We have a 100M line in India, but when we transfer a file to the US from LAN to LAN it gives only 40-50 Kb/s speed. Can anybody suggest what to do?

Thanks in advance

Regards,
Sagar


Re: IP Sec site-to-site VPN Poor performance

‎03-22-2019 02:08 AM

Hello,

What are the IKE/IPsec parameters that you are using? Can you change them to standard and test? Normally IPsec performance is 1/3rd of the circuit speed. But what you are getting is very low.

Can you check in cleartext what speed you get in the FTP transfer?

Also, you can test the speed by adding this command and check if there is any improvement:

#set security flow tcp-mss ipsec-vpn mss 1350

Thanks,
Sam

Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too .....

Re: IP Sec site-to-site VPN Poor performance

‎03-22-2019 02:50 AM

I would start by running an iperf test between two nodes on the site through the tunnel.

Then publish on one site access to the node for your other site and run the same test without the tunnel.

Confirm that the problem is in the VPN and not the internet path this way. There will be some difference but not an enormous one.

If the problem is with the path we will take different troubleshooting steps than the tunnel.

Steve Puluka BSEET - Juniper Ambassador
IP Architect - DQE Communications Pittsburgh, PA (Metro Ethernet & ISP)
http://puluka.com/home

Re: IP Sec site-to-site VPN Poor performance

‎03-25-2019 09:30 AM

Hi Sam,

Thank you so much for your reply.

Here are my IKE and IPsec parameters:

IKE:
mode main
proposals XYZ
pre-shared-key ascii-text "XXXX"

authentication-method pre-shared-keys
dh-group group2
authentication-algorithm md5
encryption-algorithm aes-128-cbc
lifetime-seconds 28800

IPSEC:

perfect-forward-secrecy keys group2

protocol esp
authentication-algorithm hmac-md5-96
encryption-algorithm aes-128-cbc
lifetime-seconds 3600

I have checked with clear text but it is still the same slow speed.

I will add this command and test.

set security flow tcp-mss ipsec-vpn mss 1350

Also, can you advise whether using the

"set security flow tcp-session no-sequence-check" command will be helpful?

Thanks!

Regards,

Sagar
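The ESP overhead behind the tcp-mss value suggested above, worked out for the aes-128-cbc / hmac-md5-96 proposal posted in this reply. This is an added example, not part of the thread and not Juniper code; it assumes IPv4 tunnel mode, no IP or TCP options, and the path MTU values shown (1500, and 1492 for a PPPoE-style link), none of which are stated in the thread.

```python
"""Added example: largest TCP MSS that crosses an ESP tunnel unfragmented."""

# Assumed fixed sizes: IPv4, tunnel mode, no IP or TCP options.
OUTER_IP = 20     # outer IPv4 header added by tunnel mode
ESP_HEADER = 8    # SPI (4) + sequence number (4)
ESP_TRAILER = 2   # pad-length (1) + next-header (1), encrypted with the payload
NAT_T_UDP = 8     # UDP encapsulation header when NAT traversal is in use
INNER_IP = 20
TCP_HEADER = 20

# Only the algorithms from the proposal posted in this thread.
CIPHERS = {"aes-128-cbc": {"iv": 16, "block": 16}}
AUTHS = {"hmac-md5-96": 12}  # ICV length in bytes


def esp_packet_size(inner_len, cipher, auth, nat_t=False):
    """On-the-wire size of an inner IP packet after ESP tunnel encapsulation."""
    c = CIPHERS[cipher]
    # Payload plus trailer is padded up to a whole number of cipher blocks.
    padded = -(-(inner_len + ESP_TRAILER) // c["block"]) * c["block"]
    extra = NAT_T_UDP if nat_t else 0
    return OUTER_IP + extra + ESP_HEADER + c["iv"] + padded + AUTHS[auth]


def max_tcp_mss(path_mtu, cipher, auth, nat_t=False):
    """Largest MSS whose encapsulated segment still fits in path_mtu."""
    c = CIPHERS[cipher]
    room = path_mtu - OUTER_IP - ESP_HEADER - c["iv"] - AUTHS[auth]
    if nat_t:
        room -= NAT_T_UDP
    ciphertext = (room // c["block"]) * c["block"]
    mss = ciphertext - ESP_TRAILER - INNER_IP - TCP_HEADER
    if mss <= 0:
        raise ValueError("path MTU too small for this proposal")
    return mss


if __name__ == "__main__":
    proposal = ("aes-128-cbc", "hmac-md5-96")
    for mtu, nat_t in [(1500, False), (1500, True), (1492, False)]:
        mss = max_tcp_mss(mtu, *proposal, nat_t=nat_t)
        wire = esp_packet_size(mss + INNER_IP + TCP_HEADER, *proposal, nat_t=nat_t)
        print(f"mtu={mtu} nat_t={nat_t}: max mss={mss}, wire size={wire}")
    # The suggested 1350 leaves headroom below every case above.
    print("mss 1350 ->", esp_packet_size(1350 + 40, *proposal, nat_t=True), "bytes")
```

An MSS of 1350 sits below the computed limit in each assumed case, so full-size TCP segments cross the tunnel without fragmentation; it does not address packet loss on the underlying path.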

 

 


Re: IP Sec site-to-site VPN Poor performance

‎03-27-2019 07:06 PM

"set security flow tcp-session no-sequence-check" will be useful for TCP, but is your traffic TCP or UDP?

 

 

Thanks,
Suraj
Please Mark My Solution Accepted if it Helped, Kudos are Appreciated too

Re: IP Sec site-to-site VPN Poor performance

‎03-27-2019 09:47 PM

Hello Sagar,

It appears that you are getting very low throughput irrespective of the VPN. You may like to check if the ISP is throttling your bandwidth or the line has any significant drops.

If you are not using routing-instances, then you can run "traceroute monitor x.x.x.x" to see the latency/drops at every hop between your VPN peers.

Thanks!


Re: IP Sec site-to-site VPN Poor performance

‎03-29-2019 07:48 AM

Hi,

I used the command you gave. Here is the analysis.

From India, traffic is leaving from the Singapore side and there it is having 25% loss, and also when it enters the USA there is 10% loss. So in total there is 35% loss in the end-to-end connection.

What to do now? Shall I report it to the ISP?

Thanks!

Regards,

Sagar Bairagi

 

 


Re: IP Sec site-to-site VPN Poor performance

‎03-29-2019 10:35 AM

Hello Sagar,

If there is a 35% drop by the ISP on plain text traffic, there is nothing you can do on the SRX to fix it.

I believe you should reach out to your ISP with this evidence, asking them NOT to throttle your traffic. I am sure they would be putting some kind of traffic shapers in place to drop your traffic bursts.

Thanks!
