topic Re: Endpoint Security VPN network performance in SASE and Remote Access

Endpoint Security VPN network performance

jakmic — Fri, 28 Apr 2023 09:03:47 GMT

Hello,

We have problem with data transfer performance via VPN in our lab environment.

Topology:

Cluster of 2 VM Gateways

Windows VPN client

MacOS ssh server

When we are transferring data over LAN (between two networks) speed of 3GB file transfer is some about 200Mbps

When we are transferring data over VPN speed of 3GB file transfer is some about 20Mbps (WinSCP)

Lab environment hasn't any performance problems (CPU of active gateway is about 5%)

WAN network is 1Gbps/1Gbps on every site.

ESP: AES-256 + SHA256 (we tried lower security algorithms, but nothing changes)

Scheme: IKE

How can we increase VPN network performance

Re: Endpoint Security VPN network performance

Ruan_Kotze — Fri, 28 Apr 2023 09:19:24 GMT

There's a couple of unknowns here - but sk105119 would be your best starting point.

Also make sure AES-NI is enabled on the processor level (since you're running OpenServer / VM) otherwise AES-256 will not be accelerated.

Thanks,
Ruan

Re: Endpoint Security VPN network performance

Chris_Atkinson — Sat, 29 Apr 2023 00:57:09 GMT

Which client version are you using E86.60 or higher?

(Client side AES-NI support was introduced here)

Re: Endpoint Security VPN network performance

PhoneBoy — Sat, 29 Apr 2023 00:39:38 GMT

What version of gateway?
Cores/memory allocation for the VM?
R81.20 might have better performance in this regard due to some internal changes.

Re: Endpoint Security VPN network performance

jakmic — Thu, 04 May 2023 09:44:27 GMT

E86.50

Re: Endpoint Security VPN network performance

jakmic — Thu, 04 May 2023 09:50:13 GMT

2 Cores, Memory 4GB

R81.10 JB Take 87

Re: Endpoint Security VPN network performance

jakmic — Thu, 04 May 2023 09:54:30 GMT

I neet to check, because VM is running on our Data Center solution - For now, I don't know hardware specification on backend

Re: Endpoint Security VPN network performance

jakmic — Thu, 04 May 2023 10:05:44 GMT

Yes, there is AES flag recognized by Checkpoint VM

Re: Endpoint Security VPN network performance

AndreiR — Thu, 04 May 2023 13:05:44 GMT

Hi @jakmic ,

Take the latest version E87.20. It has multiple improvements comparing to E86.50:

It has AES-NI support on client side
It has new and improved VPN driver
It has experimental flag which may also help:
In the registry set the following value:
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\TRAC]
"disable_threaded_ipsec"=dword:00000000

Besides that make sure logging level in the client is set to Basic. Extended mode significantly consumes performance.

I'm not sure 2 Cores + 4Gb RAM is sufficient for R81.10 gateway. Which hardware do you use for VPN client? There more powerful device you use for testing the higher performance you should get.

Re: Endpoint Security VPN network performance

PhoneBoy — Thu, 04 May 2023 19:26:28 GMT

Those are bare minimum system requirements for a gateway.
You'll definitely want to allocate additional cores and RAM if performance is a concern.

Re: Endpoint Security VPN network performance

jakmic — Tue, 09 May 2023 08:08:27 GMT

For Test environment and one VPN user I think is enough 🙂

I went by your proposition and check load on gateway and client computer

During transfer GW had some about 64% in peaks and average 20% , but our client site had 100% (i5-5300U)

On newer Endpoint VPN Client (E87.20) we received 50% faster transfer (30-35Mbps) so @AndreiR thank you 🙂

We took newer client hardware (i7-12700H) and tried again - now transfers are optimistic - some about 320Mbps (10x more) - CPU load about 20-23% during transfer

Now I have a question, there is any solution to optimize client Endpoint Security VPN on older hardware?

From another side, when you go to https://www.checkpoint.com/quantum/remote-access-vpn/#downloads (look like main point to download client) you will receive older version (E86.50_CheckPointVPN.msi)

Re: Endpoint Security VPN network performance

Chris_Atkinson — Tue, 09 May 2023 11:52:52 GMT

Trying different encryption algorithms might be at the expense of security.

I've asked internally for the website links sighted above to be updated.

Re: Endpoint Security VPN network performance

PhoneBoy — Tue, 09 May 2023 22:50:20 GMT

In terms of optimizing performance on older computers, there's not much that can be done at this time.

Re: Endpoint Security VPN network performance

PhoneBoy — Wed, 10 May 2023 16:14:31 GMT

The E87.xx releases do not have a "recommended" release yet, which is probably why it's not linked directly from checkpoint.com