Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

CISCO Hardware VPN Client Impact on Throughput

From: Wade Burgett <wadeb () burgettsys com>
Date: Wed, 27 Aug 2003 22:36:56 -0700
Hi, I'm trying to track down the cause of some performance problems wwith a CISCO VPN. The client side is using the CISCO VPN 3002 Hardware Client, and the Server end is a CISCO VPN Concentrator (no model number yet - I'm consultant just for the client end).
I'm seeing a pretty big hit on the throughput of the VPN. Wondering if this is normal for a CISCO VPN or this hardware. It seems very large - I get much better results from the high-overhead ssh-ppp vpns on Linux/Solaris I setup for myself. 
-----------------------------------------------
The Questions
--------------------------------------------------
1) Wondering if the performance hit I'm seeing is normal for this configuration (ie - tell the client to cry in their beer and live with it). About 13Kbps of a 43 Kbps connection is lost through the VPN.
2) If performance hit is not normal - what should I try - I'm planning a series of MTU experiments, lowering it, turning off PMTU and changing the way packets are fragmented (before, after IPSEC). I know this system was setup by high paid consultants (which is me too I guess) and I've found quite a bit of traffic talking about consultants blocking the PMTU ICMP ports. However, if there is some other explanation I'd be happy to hear about anything that I might try, or secret red buttons that I have not pushed. 

-------------------------------
The Background Data
--------------------------------------------
I'm seeing about a 13KB/s hit on 43KB/s connection. That just can't be right somehow I'm thinking. Client applications (Lotus Notes mostly) are taking even bigger hits (2.5-3x longer to get an email attachment through Lotus than to get via the web not through VPN). 
My current guess as to cause is MTU and maybe interaction between MTU


        Size    Start   Stop    Time    Throughput  KB/s        
No VPN  958k    19:24:41        19:25:03        00:00:22        43.72   
No VPN  958k    19:25:03        19:25:26        00:00:22        42.23   
No VPN  958k    19:25:26        19:25:48        00:00:23        43.84   
No VPN  958k    19:25:48        19:26:11        00:00:22        43.54   
No VPN  958k    19:26:11        19:26:33        00:00:23        43.68   
No VPN  958k    19:26:33        19:26:56        00:00:22        43.64   
                                                
avg throughput 43.44

Lxxxxx VPN      958k    20:13:17        20:13:52        00:00:35        27.86
Lxxxxx VPN      958k    20:13:52        20:14:23        00:00:35        31.12   
Lxxxxx VPN      958k    20:14:23        20:14:55        00:00:31        30.73   
Lxxxxx VPN      958k    20:14:55        20:15:25        00:00:32        32.66   
Lxxxxx VPN      958k    20:15:25        20:15:55        00:00:30        32.28   
Lxxxxx VPN      958k    20:15:55        20:16:29        00:00:30        29.13   

avg throughput  30.63

Thanks.

Wade



--
Wade Burgett
wadeb () burgettsys com
(512)-796-7070
(503)-756-5633

Burgett Systems
http://www.burgettsys.com

ELIMINATE EMAIL VIRUSES - Use Linux

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Previous By Date Next
Previous By Thread Next

Current thread: