[VPN] IPsec performance just 55% of WAN bandwidth

Siddhartha Jain losttoy2000 at yahoo.co.uk
Thu Jul 17 14:29:39 EDT 2003


Or use ftp/http between multiple servers to test the
bandwidth. That is, fire, say, ftp from 3-4 servers
simultaneously.


 --- "Dana J. Dawson" <djdawso at qwest.com> wrote:
> What kind of ping response times are you seeing across the VPN (use the smallest
> ping size you can for this test)?  The reason I ask is that it's possible you're
> seeing a TCP Windowing throughput limitation.  With a TCP window size of 17.5
> KBytes (a common MS Windows TCP Window size), a round trip time of around 83
> msecs will limit any single TCP session to 1.68 Mbits/sec.  With the older 8760
> Byte window size (used in older versions of Windows NT), the round trip time
> that limits you to 1.68 Mbits/sec drops to about 42 msec.  If your ping times
> are in this range, then you may be seeing this limit.  If they're significantly
> shorter than this, then this is not the problem.  By the way, the formula for
> computing this is:
>
>     Round_Trip_Time = Window_Size / Max_Throughput
>
> where the Round_Trip_Time is in seconds, Window_Size is in bits (Bytes * 8), and
> Max_Throughput is in bits/second.
>
> HTH
>
> Dana
>
> --
>
> Dana J. Dawson                     djdawso at qwest.com
> Senior Staff Engineer              CCIE #1937
> Qwest Communications               (612) 664-3364
> 600 Stinson Blvd., Suite 1S        (612) 664-4779 (FAX)
> Minneapolis  MN  55413-2620
> 
> "Hard is where the money is."
> 
> 
> 
> Ryan Malayter wrote:
> 
> > We have an IPsec tunnel set up between two sites. The physical layer
> > in-between VPN endpoints consists of one 2xT1 multiplexed link, followed
> > by three hops on our ISP's OC-192 backbone. One side has a Sonicwall
> > Pro-VX device, the other has a Nokia Checkpoint FW-1 appliance. Both
> > have triple-DES hardware assist and are rated at much higher speeds than
> > my link for VPN throughput.
> >
> > We've tested unencrypted speed, and we get about 2.8 Mbps aggregate via
> > HTTP or FTP over the link. However, when testing both HTTP and FTP
> > between two servers via the VPN tunnel, I consistently get just 1.68
> > Mbps in either direction. I have tested multiple servers on both ends,
> > at different (low-traffic) times of day.
> >
> > I'm wondering if this is a packet size or fragmentation issue. I cannot
> > seem to find a way to adjust FTP packet size on either end (both are
> > Windows 2000 servers). The largest ping I can get through the tunnel is
> >      ping -l -1418
> > which I think would be a 1446-byte packet.
> >
> > Any ideas on how I should proceed diagnosing this performance issue?
> > Neither the Sonicwall nor the Nokia device seems to have good diagnostic
> > tools built-in.
> >
> > Thank you for your help,
> >
> > Ryan Malayter
> > Sr. Network & Database Administrator
> > Bank Administration Institute
> > Chicago, Illinois, USA
> > PGP Key: http://www.malayter.com/pgp-public.txt
> > :::::::::::::::::::::::::::::::
> > Never argue with idiots. They drag you down to their level,
> > and then beat you with experience.
> 
> _______________________________________________
> VPN mailing list
> VPN at lists.shmoo.com
> http://lists.shmoo.com/mailman/listinfo/vpn 
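
The window arithmetic from Dana's reply, combined with the parallel-transfer test suggested at the top of this message, as an added Python example that is not part of the original thread. The function names, the 10% tolerance and the 83 ms sample ping time are assumptions, and "17.5 KBytes" is taken here as 17520 bytes.

```python
import math

def max_throughput_bps(window_bytes, rtt_s):
    """Ceiling for one TCP session: one full window per round trip."""
    return window_bytes * 8 / rtt_s

def limiting_rtt_s(window_bytes, throughput_bps):
    """Formula from the post: Round_Trip_Time = Window_Size / Max_Throughput."""
    return window_bytes * 8 / throughput_bps

def window_to_fill_bytes(link_bps, rtt_s):
    """Bandwidth-delay product: smallest window that keeps the link full."""
    return math.ceil(link_bps * rtt_s / 8)

def streams_to_fill(link_bps, window_bytes, rtt_s):
    """Parallel sessions needed before the link, not the window, is the limit."""
    return math.ceil(link_bps / max_throughput_bps(window_bytes, rtt_s))

def diagnose(measured_bps, link_bps, window_bytes, rtt_s, tolerance=0.10):
    """Classify a single-session measurement against the window ceiling."""
    ceiling = max_throughput_bps(window_bytes, rtt_s)
    if ceiling >= link_bps:
        return "not window-limited"   # the window could fill the link at this RTT
    if abs(measured_bps - ceiling) <= tolerance * ceiling:
        return "window-limited"       # the measurement sits at the ceiling
    return "inconclusive"             # below link rate, but not at the ceiling

# Figures from the thread; 17520 bytes for "17.5 KBytes" is an assumption.
LINK_BPS, VPN_BPS = 2.8e6, 1.68e6
WIN_2000, WIN_NT = 17520, 8760

if __name__ == "__main__":
    for win in (WIN_2000, WIN_NT):
        rtt = limiting_rtt_s(win, VPN_BPS)
        print(f"{win} B window caps at {VPN_BPS / 1e6:.2f} Mbit/s "
              f"when RTT is {rtt * 1000:.1f} ms")
    rtt = 0.083  # constructed sample ping time, not a measurement from the thread
    print("verdict:", diagnose(VPN_BPS, LINK_BPS, WIN_2000, rtt))
    print("streams to fill link:", streams_to_fill(LINK_BPS, WIN_2000, rtt))
    print("window to fill link:", window_to_fill_bytes(LINK_BPS, rtt), "bytes")
```

If several simultaneous transfers together exceed 1.68 Mbps through the tunnel, the per-session window, not the IPsec devices, is the limit.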
