topic Re: Slow network performance via VPN. in Firewall and Security Management

Slow network performance via VPN.

KomisarzRyba — Thu, 22 May 2025 11:17:55 GMT

Hello overyone,

I'm looking for a tool or way to diagnose slow network performance via VPN.
I have 2 gateways connected by VPN S2S. The problem is the long file download times between locations. Files from the Internet are downloaded quickly, so it's probably a VPN problem.

Any ideas? Thanks in advance for your advice.

Re: Slow network performance via VPN.

Henrik_J — Thu, 22 May 2025 14:05:59 GMT

What encryption are you using in phase 2?

Check Point appliances work better with AES due to AES NI CPU Instruction set with the Intel CPUs.

So if you are using 3DES (for whaever reason), change to AES128 at the very least.

Maybe there are other blades being applied to this traffic as well.
If I ever suspect that DPI may be the issue, try fast accelerating it to see if this alleviates the issues (on both FWs).
https://support.checkpoint.com/results/sk/sk156672

This is only to check if it's a VPN or DPI performance issue, it's up to you to keep this permanent or not.
Fast_acceleration disables all form of security blades (except firewall), so not recommended generally unless the traffic is 100 % trusted.

What are the "download protocols" ?
I assume it's HTTPS from the internet, but maybe it's CIFS / SMB over the tunnel?
Different blades with varying performance impact may be applied depending on the protocol.

Re: Slow network performance via VPN.

Timothy_Hall — Thu, 22 May 2025 12:35:51 GMT

Generally this is due to the use of slow VPN algorithms, or a low MTU between the two VPN peers. Here are the relevant pages from my Gateway Performance Optimization Course that you should find helpful:

Re: Slow network performance via VPN.

the_rock — Thu, 22 May 2025 13:06:51 GMT

I agree with the guys, seen that be an issue before.

Andy

Re: Slow network performance via VPN.

KomisarzRyba — Fri, 23 May 2025 07:47:52 GMT

Thank you very much for your tips.
The encryption in my VPN community looks like this:
- phase 1
Encryption Algorithm: aes-128
Data Integrity: sha256

-phase 2
Encryption Algorithm: aes-gcm-128
Data Integrity: sha1

What do you think should be changed? In phase 2 Encryption Algorithm on aes-128? And Data Integrity on sha256?
Will changing encryption break VPN connections?

Re: Slow network performance via VPN.

Timothy_Hall — Fri, 23 May 2025 12:50:04 GMT

Your algorithm selection is fine, probably a low MTU issue.