Solved: Re: Quantum Spark 1600s site-to-site VPN Tunnel sp... - Page 2

rdiaz · ‎2025-08-04

Hello Checkmates,

this is my first time creating a post here. 🙂 Also, I'm fairly new to CheckPoint firewalls. I'm seeing what I consider slow VPN tunnel speed/throughput between sites. All tests i ran (with OpenSpeedTestServer) yield pretty much the same speeds (around 150 to 175 Mbps download and upload). All sites have 1Gbps Internet speeds (expect 2 of them at 500Mbps and 200Mbps, but I don't bother testing those). There are 6 x Quantum Spark 1600s and 2 x 1535 series (the 1535 are connected to the slower ISPs). Azure Vnet is part of the site-to-site as well. I have most of the blades enabled on these firewalls (App control, Identity, URL filtering, IPS, Anti-Bot & Anti-virus). All these are managed by a on-premise management server and the main site has a cluster of 2 x 1600s where the VPN tunnels run from.

These are all up to date running R81.10.x verisons.

my question is, is this the expected perforcemance (around 150 to 175 Mbps download and upload) from these firewalls in a site to site setup?

I come from Cisco ASA 5500x and they were able to reach near the speeds of internet connections of 1Gbps via a site-to-site connection.

Any guidance is welcome and appreciated. thank you in Advance.

the_rock

I definitely would, for sure. But, does not hurt to try what was suggested.

Andy

rdiaz

cool! I will do that sir. thank you!

the_rock

Andy is fine, sir makes anyone feel too old haha.

Andy

rdiaz

haha, gotcha Andy. 🙂

G_W_Albrecht · ‎2025-08-05

Threath Prevention: Disable the TP blades (only for a very short time!), test and compare thruput

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist

rdiaz · ‎2025-08-05

Thank you, I will try this as well tonight. 🙂

the_rock · ‎2025-08-05

rdiaz · ‎2025-08-05

cool, I will turn it off as in the screenshot. Side quesiton, for the R82 Clean install and upgrade, that doesn't wipe out my configuration on the Smart-1 server (I have one on-premise) right?

the words "Clean Install" makes me thing it's wiping everyting and start fresh. lol

the_rock · ‎2025-08-05

Correct.

rdiaz

UPDATE (for future people who might run into this issue): After following @the_rock link regarding the encryption (https://support.checkpoint.com/results/sk/sk73980) I changed my VPN Tunnel Encryption to the fastest based on the link just provdied (AES-128, MD5, Group 2 (1024 bit) respectively. This yielded an increase from 150Mbps/175Mbps to 250Mbps download/upload. I was hoping for better, but an improvement, it's better than nothing. 🙂

A couple of days later I decided to open a TAC as per suggested by @the_rock in this post. We spent several hours doing a tcpdump/package capture to see if there's anything amiss, but nothing came out of that, everything was working as expected. The TAC tech folks said this was pretty good speeds for those SMB firewalls. So left it alone. That same evening, decided to update all the firewalls to the latest verison from R81.10.10 to R81.10.17.

After doing this, to my surprice, I had gain yet another boost. Now i'm getting consistently 400+ Mbps download/upload!

What gives? I'm not sure if it was the reboot of the firewall after the Encryption changes or the update to R81.10.17 (or a combination of both). the fact is, now i'm getting acceptable speeds in by site-to-sites. that's about 50% fo the link speed which i'm happy about.

Thank you all who provided guidance and assisted me in this one, what a great community of folks we have here! 🙂
(screenshot of the resutls below)

the_rock

glad we can help 🙂

PhoneBoy

Possible we've improved the single stream TCP throughput by leveraging additional cores for the same stream.
I don't see it mentioned in the release notes, but given those results, seems possible.

Are you a member of CheckMates?

Quantum Spark 1600s site-to-site VPN Tunnel speed/throughput about 150Mbps on 1Gbps link...slow?