VPN router/ appliance question

Chandler (Limp Gawd; joined Jul 7, 2013; 136 messages)
I have a remote office that has a 40x40 fiber connection provided by Level3/TW Telecom. My other three offices have a privately managed VPN while one office has another circuit, 20x20. All the offices there use that circuit for internet. Internet access is very limited for all the employees and management. I am using Untangle OS on a Dell PowerEdge R610. I am using it as a UTM and a gateway.

It can do IPsec tunnels. I have a tunnel to my remote office using a Cisco RV325. The connection is SLOWWWWWW. Would I benefit from using a server running pfSense or Untangle? What about buying two Cisco ASAs? How do I determine my bottleneck in this case?

I want the VPN for CIFS/Samba, to run an application with SQL at the back end, and to talk to VMware's console/web interface. I know Windows file sharing is not a good way to measure throughput. Throughput and latency are both an issue right now. If I ping site to site I get about 20ms over the VPN; if I ping them through the public network I get about 16-18ms. So the latency is not THAT bad. (Odd though, I can ping Google's DNS server at both sites and get about 4-8ms in response.) One office is in Kenner, LA, the other in Birmingham, AL, so not too far apart.
 
If you do an SMB transfer, what speeds are you seeing?
//Danne

It depends on the file type.

It starts at around 100Kb, will spike to 250ish, then it will slowly go up to 500Kb (just tested it). I have never seen it go that high, but we did just upgrade our pipe here to 40x40 from 20x20. That is pretty agreeable for SMB over a VPN. BUT our Citrix sessions are plainly slow sometimes. The Citrix servers are not the root cause, though they probably could use an upgrade too!
 
Sounds like an MTU issue to me.

Won't the MTU be restricted by the ISPs I am using? I assumed best practice would be to limit it to 1500 as I do not have control over the gateway and any hops in between.
 
The best way to see if you have a bandwidth or connection issue is to set up an iperf server on each side and see what type of bandwidth you're getting. I would also try an iperf connection from each end to one of the public iperf servers to see what type of bandwidth you have to that server. This won't tell you much about bandwidth, but you might be able to detect patterns if there's something like packet loss going on.

I've seen similar issues with the Cisco RV series, and MTU might be the reason (although I never saw any difference). The question would be how to properly diagnose this and fix it, as I'd want to try using our RV016 again in our setup.
 
#1, the RV042, 082, and 016 series is OLD... Great when they debuted, but way out of date now, hardware- and software-wise. Personally, I'd look at something with at least newer firmware and most likely significantly more horsepower.

Chandler, there wouldn't be a restriction per se, but it does manifest itself as a logical limit, with the remaining bytes of a standard-sized packet fragmented into the next packet once that limit is reached. IPsec, PPPoE (DSL) and the like each has its own packet overhead, typically requiring a reduction in MTU for more consistent communication when using protocols that don't like fragmentation. Try this command:
Code:
ping {Remote Host IP} -f -l XXXX
Where XXXX is the payload size. Start at 1300 and work your way up to the max before you get a fragmentation error.
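The sweep described in the post above can be automated. The following script is an added example, not code from the thread or from any vendor: it binary-searches the largest ICMP payload that passes with the DF bit set, converts that payload to a path MTU (payload + 20-byte IPv4 header + 8-byte ICMP header, since both Windows `-l` and Linux `-s` count data bytes only), and derives a TCP MSS to clamp inside the tunnel. The ESP overhead constant is an assumption (a typical figure for AES-CBC/HMAC tunnel mode without NAT-T); real overhead depends on cipher, padding and NAT-T, so measure it on your own tunnel. `simulated_probe` is a constructed stand-in for the network so the search logic can be checked offline; `ping_df_probe` shells out to the OS `ping` for real use.

```python
"""Path-MTU sweep with DF-bit pings, plus IPsec MSS sizing (added example)."""
import platform
import subprocess
import sys
from typing import Callable

IP_ICMP_HEADER = 28   # 20-byte IPv4 header + 8-byte ICMP echo header on top of the payload
TCP_IP_HEADERS = 40   # 20-byte IPv4 + 20-byte TCP header, no options

# Assumption: per-packet cost of an ESP tunnel-mode SA (AES-CBC + HMAC-SHA1, no NAT-T).
# Real overhead varies with cipher, block padding and NAT-T; measure on your tunnel.
ASSUMED_ESP_TUNNEL_OVERHEAD = 58


def ping_df_probe(host: str, payload: int, timeout_s: int = 2) -> bool:
    """Send one echo with `payload` data bytes and DF set; True if a reply came back.

    Windows: -f sets DF, -l is data size. Linux (iputils): -M do sets DF, -s is data size.
    Both return non-zero when the packet cannot be sent unfragmented or no reply arrives.
    """
    if platform.system() == "Windows":
        cmd = ["ping", "-n", "1", "-f", "-l", str(payload),
               "-w", str(timeout_s * 1000), host]
    else:
        cmd = ["ping", "-c", "1", "-M", "do", "-s", str(payload),
               "-W", str(timeout_s), host]
    return subprocess.run(cmd, capture_output=True).returncode == 0


def find_max_payload(probe: Callable[[int], bool], lo: int = 1300, hi: int = 1472) -> int:
    """Largest payload in [lo, hi] the probe accepts unfragmented (binary search).

    Assumes monotonic behaviour (if size n passes, every smaller size passes).
    Returns lo - 1 when even the smallest size fails, so the caller can lower `lo`.
    """
    if not probe(lo):
        return lo - 1
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if probe(mid):
            lo = mid          # mid fits; search upward
        else:
            hi = mid - 1      # mid fragments; search downward
    return lo


def path_mtu_from_payload(payload: int) -> int:
    """Convert the largest passing ICMP payload to the path MTU in bytes."""
    return payload + IP_ICMP_HEADER


def tunnel_mss(path_mtu: int, esp_overhead: int = ASSUMED_ESP_TUNNEL_OVERHEAD) -> int:
    """TCP MSS to clamp inside the tunnel so the encrypted packet still fits the path MTU."""
    return path_mtu - esp_overhead - TCP_IP_HEADERS


def simulated_probe(path_mtu: int) -> Callable[[int], bool]:
    """Constructed stand-in for the network: accepts payloads whose packet fits `path_mtu`."""
    return lambda payload: payload + IP_ICMP_HEADER <= path_mtu


if __name__ == "__main__":
    # Usage: python mtu_sweep.py <remote-host-ip>   (host is whatever you would ping by hand)
    target = sys.argv[1]
    best = find_max_payload(lambda n: ping_df_probe(target, n))
    if best < 1300:
        print("even a 1300-byte payload fragments; rerun with a lower starting size")
    else:
        mtu = path_mtu_from_payload(best)
        print(f"max unfragmented payload {best} -> path MTU {mtu}, "
              f"suggested in-tunnel MSS clamp {tunnel_mss(mtu)}")
```

On a clean Ethernet path the sweep should stop at a 1472-byte payload (MTU 1500); a PPPoE hop shows up as 1464 (MTU 1492). Once you know the real path MTU, set the MSS clamp on the tunnel interface rather than lowering the MTU on every host, so only TCP inside the tunnel is sized down.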
 
Definitely old, but I did a lab test of IPsec VPN throughput to a Netgear FVS318N and it still was doing 50 Mbit/s+ in iperf. The problem is that it fell flat when replacing a router that was the hub end of a 2 Mbps pipe. I'm now wondering if the MTU setting had to do with that.

mtupath and mturoute seem to be great little Windows command-line programs for finding the optimal MSS/MTU as well.
 