George_Ellis
Contributor

VPN client slows upload to 1%!

Hi folks,

I have an open case on SmartConsole dropping my connections.  While investigating, I found something rather disturbing.  We split tunnel.  I am on AT&T "1gb" internet fiber.  Normally, my upload in speed tests runs about 150+mbps.  When I connect the IPSec VPN client, my upload rate drops below 1mbps on the internet side and inside the tunnel (verified by another member in our group).  The virtual adapter says it is at 1gbps.  I have tried this on both wired and wireless (diff adapter stacks, but same family, Realtek.)  Download speed remains above 300mbps.

Has anyone solved for this in the past?

0 Kudos
5 Replies
Vladimir
Champion

Are you using Endpoint client for remote access only?

Are there any other client-side security solutions installed that may be trying to proxy your traffic via IPSec?

0 Kudos
George_Ellis
Contributor

Yes, using the endpoint client only as remote access.  I just found that we are investigating if Zscaler's client is causing latency in another case, so that may be the issue.  We just recently deployed it.

0 Kudos
Vladimir
Champion

Can you temporarily uninstall the Zscaler from your endpoint and test upload speeds from it via both legs of split tunnel?

0 Kudos
George_Ellis
Contributor

Once, but then I won't work there anymore.  🙂  It is inside our team, so we are working it now.  Just discovered after I posted when the Zscaler lead said they were working a problem.  Light bulb.  Extra proxy layer.

 

0 Kudos
Timothy_Hall
Champion

Let me guess, if you use HTTPS/TLS as the VPN transport instead of IPSec, performance is just great.

You have a low MTU in your network path somewhere, or somehow the VPN client is affecting the MTU when it is active.  The symptom of this is terrible performance due to packet loss because of the inability to fragment IPSec traffic due to the DF bit being set. 

To verify, run netstat -sv in Windows and note the counters associated with IP frags and TCP segment retransmissions.  Initialize the VPN tunnel with IPSec and start a big TCP-based upload.  Which frag/retransmit counters in the netstat -sv output jump?  This should give you some idea of where to look.

"Max Capture: Know Your Packets" Video Series
now available at http://www.maxpowerfirewalls.com
0 Kudos
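
The before/after counter comparison suggested in the last reply can be scripted. The following is an added example, not part of the original thread or any poster's code: it parses two `netstat -s` snapshots and lists which fragmentation, reassembly and retransmission counters increased. It assumes the English-locale Windows layout (unindented section headers, indented `Name = value` lines); the two snapshots and all their values are constructed for illustration.

```python
import re

# Counters the reply asks about: IP fragmentation/reassembly, TCP retransmits.
WATCH = re.compile(r"fragment|reassembl|retransmit", re.I)
COUNTER = re.compile(r"^\s+(.+?)\s*=\s*(\d+)\s*$")

def parse_netstat(text):
    """Return {(section, counter): value} from `netstat -s` style output."""
    counters, section = {}, None
    for line in text.splitlines():
        m = COUNTER.match(line)
        if m and section:
            counters[(section, m.group(1))] = int(m.group(2))
        elif line.strip() and not line[0].isspace():
            section = line.strip()  # unindented line starts a new section
    return counters

def jumped(before, after):
    """Watched counters that rose between two snapshots, largest rise first."""
    old, new = parse_netstat(before), parse_netstat(after)
    rises = [(k, new[k] - old.get(k, 0)) for k in new if WATCH.search(k[1])]
    return sorted((r for r in rises if r[1] > 0), key=lambda r: -r[1])

# Constructed snapshots: taken before the upload, and during it over IPSec.
BEFORE = """IPv4 Statistics

  Packets Received                   = 918273
  Reassembly Required                = 0
  Datagrams Successfully Fragmented  = 0
  Datagrams Failing Fragmentation    = 2
  Fragments Created                  = 0

TCP Statistics for IPv4

  Segments Sent                      = 402211
  Segments Retransmitted             = 310
"""
AFTER = (BEFORE.replace("= 402211", "= 409877")
               .replace("= 310", "= 4125")
               .replace("= 2\n", "= 640\n"))

if __name__ == "__main__":
    for (section, name), delta in jumped(BEFORE, AFTER):
        print(f"{section:<26} {name:<34} +{delta}")
```

On the affected client, save the `netstat -s` output to a file before connecting and again during the upload, then pass the two files' contents to `jumped()`.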