Looking for a push in the right direction with my VPN.... (fwd)

Biggerstaff, Craig Craig.Biggerstaff at CSOCONLINE.COM
Wed Aug 2 09:47:48 EDT 2000


Sounds like an MTU (Maximum Transmissible Unit) problem to me.  Tunneling
VPNs encrypt the original packet contents and encapsulate them in a new
packet with new headers for transport to the other end of the tunnel.  This
process invariably increases the size of each packet transported.

The default MTU on most systems for Ethernet LANs is 1500 bytes.  Routers
generally default to allow larger MTUs, but this is configurable too.  If
your VPN is set to a 1500 byte MTU, it will fragment every packet that
passes through it.  Up the MTU to, say, 1600, and see if that fixes the
problem.  If it doesn't, check your routers to see if they have been set to
limit the MTU allowed.


-- Craig

> -----Original Message-----
> From: Tina Bird [mailto:tbird at PRECISION-GUESSWORK.COM]
> Sent: Tuesday, August 01, 2000 1:16 PM
> To: VPN at SECURITYFOCUS.COM
> Subject: Looking for a push in the right direction with my VPN.... (fwd)
>
>
> Hi all -- Any help with Tobin's problem greatly appreciated...
>
> ---------- Forwarded message ----------
> Date: Tue, 1 Aug 2000 14:20:45 -0400
> From: Tobin Craig <tcraig at Swales.com>
> To: tbird at precision-guesswork.com
> Subject: Looking for a push in the right direction with my VPN....
>
> Hi Tina,
>
> I'm wrestling with a fledgling VPN configuration on my network, and I
> hope you can help.
>
> We are experiencing a performance drop every time we try to use our
> VPN.  To illustrate this, we moved an 82 MB file directly over our LAN,
> taking 30 seconds.  By connecting to our VPN server, again over the
> LAN, and moving the same file, the process took 5 minutes 30 seconds.
> Dialing into an independent ISP and then establishing the VPN
> connection took even longer.
>
> Our VPN server is running NT, SP6, and Microsoft PPTP protocol.  We are
> connecting to it via a Pentium 450 Laptop running NT, SP 6, using RAS.
> We have checked the processor loads on both machines, neither one is
> breaking a sweat during the copy process.
>
> Our VPN server is on its own node on our Checkpoint firewall.  All
> traffic destined for it passes through the firewall, is sent to the VPN
> server, is passed back through the firewall, and then is sent to its
> destination again.  We have determined that the firewall is not posing
> a problem, since the performance degradation is consistent if the
> traffic is generated from within or from outside the firewall.
>
> Do you have any suggestions about what I can do to improve the
> performance of this arrangement?  It is currently giving us the same
> level of performance as our 28.8 modems!
>
> Thanks for any help or advice you might have,
>
> Tobin Craig
>
> Network Security Administrator
> Swales Aerospace
> Beltsville, MD
> 20705
>
> http://www.swales.com
>

VPN is sponsored by SecurityFocus.COM
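
The fragmentation effect described in the reply above, worked through as an added example that is not part of the original message: it computes how a tunnelled packet is split by a given link MTU, and also the largest inner packet that fits unfragmented. The overhead figures (20-byte outer IPv4 header, 16-byte enhanced GRE header, 4 bytes of PPP framing) and all function names are assumptions chosen for illustration, not values measured on the poster's network.

```python
import math

# Assumed per-packet PPTP encapsulation overhead in bytes (illustrative,
# not measured on the network discussed in this thread).
OVERHEAD = {
    "outer_ipv4": 20,  # IPv4 header without options
    "gre": 16,         # enhanced GRE header with sequence and ack fields
    "ppp": 4,          # PPP address, control and protocol fields, uncompressed
}
IPV4_HEADER = 20


def encapsulated_size(inner_len, overhead=OVERHEAD):
    """Size of one inner IP packet after it is wrapped for the tunnel."""
    return inner_len + sum(overhead.values())


def fragments(packet_len, link_mtu):
    """Sizes of the IPv4 fragments needed to carry packet_len over link_mtu."""
    if packet_len <= link_mtu:
        return [packet_len]
    payload = packet_len - IPV4_HEADER
    # Every fragment except the last carries a multiple of 8 payload bytes.
    per_frag = (link_mtu - IPV4_HEADER) // 8 * 8
    count = math.ceil(payload / per_frag)
    sizes = [per_frag + IPV4_HEADER] * (count - 1)
    sizes.append(payload - per_frag * (count - 1) + IPV4_HEADER)
    return sizes


def max_inner_mtu(link_mtu, overhead=OVERHEAD):
    """Largest inner packet that still fits in a single outer packet."""
    return link_mtu - sum(overhead.values())


def packets_on_wire(file_bytes, inner_mtu, link_mtu, inner_headers=40):
    """Approximate outer packets needed to move file_bytes over the tunnel.

    Treats every TCP segment as full size (inner_headers = IP + TCP headers),
    so the final short segment is slightly over-counted.
    """
    segments = math.ceil(file_bytes / (inner_mtu - inner_headers))
    return segments * len(fragments(encapsulated_size(inner_mtu), link_mtu))


if __name__ == "__main__":
    print(fragments(encapsulated_size(1500), 1500))  # full-size inner packet
    print(max_inner_mtu(1500))
```
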



