topic Re: Slow download site-to-site VPN in Firewall and Security Management

Slow download site-to-site VPN

Tomas3miasto — Tue, 26 Nov 2024 07:49:38 GMT

We have had a problem downloading files via a VPN tunnel for some time now.
When I download a file from the headquarters to our office, our speed is about 15MB/s (sometimes more at startup, but after a while, it drops).
If I were uploading the same file (I am testing on a 1GB file) to the headquarters, the speed would be about 50MB/s.

Has anyone had a similar case?
I'm trying to diagnose it but so far without success.

Tomasz

Re: Slow download site-to-site VPN

Lesley — Tue, 26 Nov 2024 08:16:29 GMT

Site to site? Or client vpn? What encryption methods are used? Make sure not to use for example slow performance methods like 3des. What blades are enabled on the gateway

Re: Slow download site-to-site VPN

Tomas3miasto — Tue, 26 Nov 2024 08:34:44 GMT

site to site. Meshed Community

I have disabled almost all blades on my site. Now I have fw, vpn, anti_bot

Re: Slow download site-to-site VPN

Lesley — Tue, 26 Nov 2024 11:35:32 GMT

Try to move away from md5 and 3des not secure and cpu intens. Then test again. Could also be software bug what is cpinfo -y all output?

Re: Slow download site-to-site VPN

the_rock — Tue, 26 Nov 2024 13:42:59 GMT

I would refer to below sk.

Andy

https://support.checkpoint.com/results/sk/sk73980

Re: Slow download site-to-site VPN

Timothy_Hall — Tue, 26 Nov 2024 15:05:47 GMT

Almost certainly a sub-1500 MTU somewhere in your network path between the peers, see:

sk98074: MTU and Fragmentation Issues in IPsec VPN

Command tracepath run from one peer to the other can be used to confirm a low MTU is present.

Re: Slow download site-to-site VPN

Tomas3miasto — Wed, 27 Nov 2024 09:05:11 GMT

Here is my cpinfo -y all

[Expert@pl-fw-1:0]# cpinfo -y all

This is Check Point CPinfo Build 914000248 for GAIA
[MGMT]
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 89
[IDA]
No hotfixes..
[CPFC]
No hotfixes..
[FW1]
HOTFIX_R81_20_JHF_T89_721_MAIN
HOTFIX_INEXT_NANO_EGG_AUTOUPDATE
HOTFIX_R81_20_JHF_T54_BLOCK_PORTAL_MAIN Take: 2
HOTFIX_R80_40_MAAS_TUNNEL_AUTOUPDATE
HOTFIX_GOT_TPCONF_AUTOUPDATE
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 89
HOTFIX_PUBLIC_CLOUD_CA_BUNDLE_AUTOUPDATE

FW1 build number:
This is Check Point's software version R81.20 - Build 039
kernel: R81.20 - Build 001
[SecurePlatform]
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 89
HOTFIX_ENDER_V17_AUTOUPDATE
[CPinfo]
No hotfixes..
[PPACK]
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 89
[AutoUpdater]
HOTFIX_INFRA_CONFIG_AUTOUPDATE
[DIAG]
No hotfixes..
[CVPN]
HOTFIX_ESOD_SWS_AUTOUPDATE
HOTFIX_ESOD_SCANNER_AUTOUPDATE
HOTFIX_ESOD_CSHELL_AUTOUPDATE
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 89
[CPUpdates]
BUNDLE_INEXT_NANO_EGG_AUTOUPDATE Take: 13
BUNDLE_R81_20_JHF_T54_BLOCK_PORTAL_MAIN Take: 2
BUNDLE_INFRA_CONFIG_AUTOUPDATE Take: 5
BUNDLE_CPOTLPAGENT_AUTOUPDATE Take: 50
BUNDLE_QUID_AUTOUPDATE Take: 14
BUNDLE_R80_40_MAAS_TUNNEL_AUTOUPDATE Take: 60
BUNDLE_CORE_FILE_UPLOADER_AUTOUPDATE Take: 23
BUNDLE_GOT_TPCONF_AUTOUPDATE Take: 128
BUNDLE_ESOD_SWS_AUTOUPDATE Take: 14
BUNDLE_ESOD_SCANNER_AUTOUPDATE Take: 10
BUNDLE_GENERAL_AUTOUPDATE Take: 21
BUNDLE_INFRA_AUTOUPDATE Take: 67
BUNDLE_DEP_INSTALLER_AUTOUPDATE Take: 27
BUNDLE_ESOD_CSHELL_AUTOUPDATE Take: 20
BUNDLE_ENDER_V17_AUTOUPDATE Take: 26
BUNDLE_CPVIEWEXPORTER_AUTOUPDATE Take: 40
BUNDLE_CPOTELCOL_AUTOUPDATE Take: 129
BUNDLE_R81_20_JUMBO_HF_MAIN Take: 89
BUNDLE_PUBLIC_CLOUD_CA_BUNDLE_AUTOUPDATE Take: 21
BUNDLE_HCP_AUTOUPDATE Take: 76
BUNDLE_CPSDC_AUTOUPDATE Take: 34
[cpsdc_wrapper]
HOTFIX_CPSDC_AUTOUPDATE
[hcp_wrapper]
HOTFIX_HCP_AUTOUPDATE
[CPDepInst]
No hotfixes..
[CPotelcol]
HOTFIX_OTLP_GA
[CPviewExporter]
HOTFIX_OTLP_GA
[core_uploader]
HOTFIX_CHARON_HF
[CPquid]
HOTFIX_QUID_AUTOUPDATE
[CPotlpAgent]
HOTFIX_OTLP_GA

I changed my configuration to the one recommended by @Timothy_Hall

Now uploading is better - up to 100MB/s but downloading from 3MB/s to 30Mb/s - sine wave

but from another place it is much better - about 50MB

Re: Slow download site-to-site VPN

Tomas3miasto — Wed, 27 Nov 2024 09:41:40 GMT

I did tracepath but i got no reply from all hops

tracepath 10.2.0.240
1?: [LOCALHOST] pmtu 1500
1: no reply
2: no reply
3: no reply
4: no reply
5: no reply
6: no reply
7: no reply
8: no reply
9: no reply
10: no reply
11: no reply
12: no reply
13: no reply
14: no reply
15: no reply
16: no reply
17: no reply
18: no reply
19: no reply
20: no reply
21: no reply
22: no reply
23: no reply
24: no reply
25: no reply
26: no reply
27: no reply
28: no reply
29: no reply
30: no reply
31: no reply
Too many hops: pmtu 1500
Resume: pmtu 1500

Re: Slow download site-to-site VPN

Tomas3miasto — Wed, 27 Nov 2024 10:26:29 GMT

Hi i run tracepath but I got no reply from all hops

Too many hoops: pmtu 1500

Resume: pmtu 1500

Re: Slow download site-to-site VPN

the_rock — Wed, 27 Nov 2024 11:51:06 GMT

Is it different if you change mtu size to something else?

Andy

Re: Slow download site-to-site VPN

Lesley — Wed, 27 Nov 2024 12:06:18 GMT

Would recommend to change the md5 to something more secure and performing

Re: Slow download site-to-site VPN

the_rock — Wed, 27 Nov 2024 12:16:00 GMT

@Tomas3miasto Here is something to consider though when changing MTU. So, as Im sure you might be aware, smaller MTU size means more smaller packats, but bigger mtu size means less amount of bigger packets.

In general, a larger MTU size is better because it reduces overhead and improves throughput. However, there are some cases where a smaller MTU size is better, such as for high speed interfaces.

Andy

Re: Slow download site-to-site VPN

ishuyell — Wed, 27 Nov 2024 14:57:55 GMT

You can also check sk165853 if this applies.

Re: Slow download site-to-site VPN

the_rock — Thu, 28 Nov 2024 12:43:01 GMT

Can you please list all the things you tried so far, so we can at least eliminate those as being possibilities for this issue?

Andy

Re: Slow download site-to-site VPN

Tomas3miasto — Mon, 02 Dec 2024 07:48:22 GMT

I checked at first netstat -ni and found Rx dropped and RX overruns on eth1 and eth5

I increased rx-ringsize first to 2048 and then to 4096.

Now there are no drops but it did not helped

second - I run fwaccel stats -s

I tried to reduce the F2F traffic - now there is about 12%

third - I disabled almost all blades.

fourth - Changed encryption settings

fifth - increased /decreased MTU ( try 1410,1480, 9000)

I also checked sk165853 but it looks ok

I also use this manual - sk61221 - Issues requiring adjustment of the Maximum Segment Size (MSS) of TCP SYN and TCP SYN-ACK packets on Security Gateway

Now

fw_clamp_tcp_mss=1

no improvement in sight or only upload

I decided to order an MTR test between these two sites from ISP

Tomek

Re: Slow download site-to-site VPN

Lesley — Mon, 02 Dec 2024 09:42:35 GMT

Good to see you take the advise serious.

one question for this site to site you have 2 gateways right? Are both in control by you? If not maybe the other gateway needs to be checked.

Re: Slow download site-to-site VPN

the_rock — Mon, 02 Dec 2024 12:31:44 GMT

So is it any better now after all those changes or more less the same?

Andy

Re: Slow download site-to-site VPN

Tomas3miasto — Mon, 02 Dec 2024 13:09:11 GMT

Hi Andy

Download more less the same but upload to Sweden is better

Re: Slow download site-to-site VPN

Tomas3miasto — Mon, 02 Dec 2024 13:10:52 GMT

Hi Lesley.

Yes, I will check the gateway on the second site today or tomorrow evening

Re: Slow download site-to-site VPN

Lesley — Mon, 02 Dec 2024 13:40:17 GMT

Let’s see what is outcome from that gateway maybe that is the (new) bottleneck