This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
George_Ellis
Advisor
‎2021-01-27 04:10 AM

VPN client slows upload to 1%!

Hi folks,

I have an open case on SmartConsole dropping my connections.  While investigating, I found something rather disturbing.  We split tunnel.  I am on AT&T "1gb" internet fiber.  Normally, my upload in speed tests runs about 150+mbps.  When I connect the IPSec VPN client, my upload rate drops below 1mbps on the internet side and inside the tunnel (verified by another member in our group).  The virtual adapter says it is at 1gbps.  I have tried this on both wired and wireless (diff adapter stacks, but same family, Realtek.)  Download speed remains above 300mbps.

Has anyone solved for this in the past?

0 Kudos
5 Replies
Vladimir
Champion
Champion
‎2021-01-27 06:06 AM

Are you using Endpoint client for remote access only?

Are there any other client-side security solutions installed that may be trying to proxy your traffic via IPSec?

0 Kudos
George_Ellis
Advisor
‎2021-01-27 06:22 AM
In response to Vladimir

Yes, using the endpoint client only as remote access.  I just found that we are investigating if Zscaler's client is causing latency in another case, so that may be the issue.  We just recently deployed it.

0 Kudos
Vladimir
Champion
Champion
‎2021-01-27 06:29 AM
In response to George_Ellis

Can you temporarily uninstal the Zscaler from your endpoint and test upload speeds from it via both legs of split tunnel?

0 Kudos
George_Ellis
Advisor
‎2021-01-27 07:03 AM
In response to Vladimir

Once, but then I won't work there anymore.  🙂  It is inside our team, so we are working it now.  Just discovered after I posted when the Zscaler lead said they were working a problem.  Light bulb.  Extra proxy layer.

 

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2021-01-27 07:04 AM

Let me guess, if you use HTTPS/TLS as the VPN transport instead of IPSec, performance is just great.

You have a low MTU in your network path somewhere, or somehow the VPN client is affecting the MTU when it is active.  The symptom of this is terrible performance due to packet loss because of the inability to fragment IPSec traffic due to the DF bit being set. 

To verify, run netstat -sv in Windows and note the counters associated with IP frags and TCP segment retransmissions.  Initialize the VPN tunnel with IPSec and start a big TCP-based upload.  Which frag/retransmit counters in the netstat -sv output jump?  This should give you some idea of where to look.

Attend my online "Be your Own TAC: Part Deux" CheckMates event
March 27th with sessions for both the EMEA and Americas time zones
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top