Slow download site-to-site VPN
We have had a problem downloading files via a VPN tunnel for some time now.
When I download a file from the headquarters to our office, our speed is about 15MB/s (sometimes more at startup, but after a while it drops).
If I upload the same file (I am testing with a 1GB file) to the headquarters, the speed is about 50MB/s.
Has anyone had a similar case?
I'm trying to diagnose it, but so far without success.
Tomasz
Site to site? Or client VPN? What encryption methods are used? Make sure not to use slow-performing methods like 3DES, for example. What blades are enabled on the gateway?
If you like this post please give a thumbs up(kudo)! 🙂
Site to site, meshed community.
I have disabled almost all blades on my site. Now I have fw, vpn, anti_bot.
Try to move away from MD5 and 3DES; they are not secure and are CPU intensive. Then test again. It could also be a software bug. What is the cpinfo -y all output?
Hi,
Here is my cpinfo -y all:
[Expert@pl-fw-1:0]# cpinfo -y all
This is Check Point CPinfo Build 914000248 for GAIA
[MGMT]
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 89
[IDA]
No hotfixes..
[CPFC]
No hotfixes..
[FW1]
HOTFIX_R81_20_JHF_T89_721_MAIN
HOTFIX_INEXT_NANO_EGG_AUTOUPDATE
HOTFIX_R81_20_JHF_T54_BLOCK_PORTAL_MAIN Take: 2
HOTFIX_R80_40_MAAS_TUNNEL_AUTOUPDATE
HOTFIX_GOT_TPCONF_AUTOUPDATE
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 89
HOTFIX_PUBLIC_CLOUD_CA_BUNDLE_AUTOUPDATE
FW1 build number:
This is Check Point's software version R81.20 - Build 039
kernel: R81.20 - Build 001
[SecurePlatform]
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 89
HOTFIX_ENDER_V17_AUTOUPDATE
[CPinfo]
No hotfixes..
[PPACK]
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 89
[AutoUpdater]
HOTFIX_INFRA_CONFIG_AUTOUPDATE
[DIAG]
No hotfixes..
[CVPN]
HOTFIX_ESOD_SWS_AUTOUPDATE
HOTFIX_ESOD_SCANNER_AUTOUPDATE
HOTFIX_ESOD_CSHELL_AUTOUPDATE
HOTFIX_R81_20_JUMBO_HF_MAIN Take: 89
[CPUpdates]
BUNDLE_INEXT_NANO_EGG_AUTOUPDATE Take: 13
BUNDLE_R81_20_JHF_T54_BLOCK_PORTAL_MAIN Take: 2
BUNDLE_INFRA_CONFIG_AUTOUPDATE Take: 5
BUNDLE_CPOTLPAGENT_AUTOUPDATE Take: 50
BUNDLE_QUID_AUTOUPDATE Take: 14
BUNDLE_R80_40_MAAS_TUNNEL_AUTOUPDATE Take: 60
BUNDLE_CORE_FILE_UPLOADER_AUTOUPDATE Take: 23
BUNDLE_GOT_TPCONF_AUTOUPDATE Take: 128
BUNDLE_ESOD_SWS_AUTOUPDATE Take: 14
BUNDLE_ESOD_SCANNER_AUTOUPDATE Take: 10
BUNDLE_GENERAL_AUTOUPDATE Take: 21
BUNDLE_INFRA_AUTOUPDATE Take: 67
BUNDLE_DEP_INSTALLER_AUTOUPDATE Take: 27
BUNDLE_ESOD_CSHELL_AUTOUPDATE Take: 20
BUNDLE_ENDER_V17_AUTOUPDATE Take: 26
BUNDLE_CPVIEWEXPORTER_AUTOUPDATE Take: 40
BUNDLE_CPOTELCOL_AUTOUPDATE Take: 129
BUNDLE_R81_20_JUMBO_HF_MAIN Take: 89
BUNDLE_PUBLIC_CLOUD_CA_BUNDLE_AUTOUPDATE Take: 21
BUNDLE_HCP_AUTOUPDATE Take: 76
BUNDLE_CPSDC_AUTOUPDATE Take: 34
[cpsdc_wrapper]
HOTFIX_CPSDC_AUTOUPDATE
[hcp_wrapper]
HOTFIX_HCP_AUTOUPDATE
[CPDepInst]
No hotfixes..
[CPotelcol]
HOTFIX_OTLP_GA
[CPviewExporter]
HOTFIX_OTLP_GA
[core_uploader]
HOTFIX_CHARON_HF
[CPquid]
HOTFIX_QUID_AUTOUPDATE
[CPotlpAgent]
HOTFIX_OTLP_GA
I changed my configuration to the one recommended by @Timothy_Hall.
Now uploading is better, up to 100MB/s, but downloading goes from 3MB/s to 30Mb/s in a sine wave.
But from another place it is much better, about 50MB/s.
I would recommend changing MD5 to something more secure and better performing.
Almost certainly a sub-1500 MTU somewhere in your network path between the peers, see:
sk98074: MTU and Fragmentation Issues in IPsec VPN
The tracepath command, run from one peer to the other, can be used to confirm that a low MTU is present.
I ran tracepath but I got no reply from all hops:
tracepath 10.2.0.240
1?: [LOCALHOST] pmtu 1500
1: no reply
2: no reply
3: no reply
4: no reply
5: no reply
6: no reply
7: no reply
8: no reply
9: no reply
10: no reply
11: no reply
12: no reply
13: no reply
14: no reply
15: no reply
16: no reply
17: no reply
18: no reply
19: no reply
20: no reply
21: no reply
22: no reply
23: no reply
24: no reply
25: no reply
26: no reply
27: no reply
28: no reply
29: no reply
30: no reply
31: no reply
Too many hops: pmtu 1500
Resume: pmtu 1500
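Added example, not code from the thread or from Check Point: tracepath only lowers its reported pmtu when a router sends back an ICMP "fragmentation needed" message, so a run where every hop is "no reply" (ICMP filtered on the path) tells you nothing beyond the local interface MTU. The script below flags that case, and separately works out how much of a given path MTU is left for the inner packet once ESP tunnel-mode overhead for a chosen cipher and integrity algorithm is subtracted, which is the number you would feed into an MSS clamp. Sizes are the standard IPv4 ESP figures (RFC 4303/4106/4868); the second tracepath sample with a replying hop is constructed for illustration.

```python
"""Read tracepath output and size the inner MTU / TCP MSS for an IPsec tunnel."""
import re

HOP_RE = re.compile(r"^\s*(\d+)\??:\s+(.*)$")
PMTU_RE = re.compile(r"pmtu\s+(\d+)")


def parse_tracepath(output):
    """Summarise tracepath output.

    The reported pmtu is only a measurement if at least one hop answered;
    with 'no reply' on every hop the value is just the local interface MTU.
    """
    pmtu = local = None
    probed = replied = 0
    for line in output.splitlines():
        m = PMTU_RE.search(line)
        if m:
            pmtu = int(m.group(1))
        h = HOP_RE.match(line)
        if not h:
            continue
        body = h.group(2)
        if body.startswith("[LOCALHOST]"):
            local = pmtu
            continue
        probed = max(probed, int(h.group(1)))
        if not body.startswith("no reply"):
            replied += 1
    return {"pmtu": pmtu, "local_mtu": local, "hops_probed": probed,
            "hops_replied": replied, "pmtu_measured": replied > 0}


# cipher -> (IV bytes, alignment of the encrypted region, built-in ICV bytes)
CIPHERS = {
    "3des-cbc": (8, 8, 0),
    "aes-cbc": (16, 16, 0),   # AES-128/192/256-CBC all carry a 16-byte IV
    "aes-gcm": (8, 4, 16),    # GCM has its own 16-byte ICV; ESP aligns to 4
}
# separate integrity algorithm -> truncated ICV bytes
INTEGRITY = {"none": 0, "hmac-md5-96": 12, "hmac-sha1-96": 12, "hmac-sha256-128": 16}


def esp_fixed_overhead(cipher, integ="none", nat_t=False):
    """Outer IPv4 (20) + optional NAT-T UDP (8) + SPI/sequence (8) + IV + ICV."""
    iv, _block, icv = CIPHERS[cipher]
    icv += INTEGRITY[integ]
    return 20 + (8 if nat_t else 0) + 8 + iv + icv


def max_inner_mtu(path_mtu, cipher, integ="none", nat_t=False):
    """Largest inner IP packet that fits without fragmenting the ESP packet.

    The encrypted region (inner packet + padding + 2-byte pad-length/next-header
    trailer) must be block aligned, so round the available space down first.
    """
    _iv, block, _icv = CIPHERS[cipher]
    avail = path_mtu - esp_fixed_overhead(cipher, integ, nat_t)
    avail -= avail % block
    return avail - 2


def tcp_mss_for(path_mtu, cipher, integ="none", nat_t=False):
    """MSS to clamp on SYN/SYN-ACK: inner MTU minus 20-byte IP + 20-byte TCP headers."""
    return max_inner_mtu(path_mtu, cipher, integ, nat_t) - 40


# Reconstruction of the tracepath run posted above: 31 probes, no replies.
THREAD_OUTPUT = ("1?: [LOCALHOST] pmtu 1500\n"
                 + "".join(f"{i}: no reply\n" for i in range(1, 32))
                 + "Too many hops: pmtu 1500\nResume: pmtu 1500\n")

# Constructed sample of a path where ICMP is not filtered and hop 2 reports 1400.
CONSTRUCTED_OUTPUT = """\
 1?: [LOCALHOST]                      pmtu 1500
 1:  10.1.0.1                           0.412ms
 2:  198.51.100.1                       4.201ms pmtu 1400
 2:  203.0.113.9                        9.870ms reached
     Resume: pmtu 1400 hops 2 back 2
"""

if __name__ == "__main__":
    print(parse_tracepath(THREAD_OUTPUT))
    print(parse_tracepath(CONSTRUCTED_OUTPUT))
    for c, i in (("3des-cbc", "hmac-md5-96"), ("aes-cbc", "hmac-sha256-128"), ("aes-gcm", "none")):
        print(c, i, "inner MTU", max_inner_mtu(1500, c, i), "MSS", tcp_mss_for(1500, c, i))
```

When tracepath comes back with every hop silent, as in the run above, the practical alternative is a don't-fragment ping sweep from one peer to the other (`ping -M do -s <size>` on Linux/Gaia), stepping the size down until replies come back; the first size that works, plus 28 bytes of ICMP/IP headers, is the real path MTU to feed into the calculation.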
Can you please list all the things you tried so far, so we can at least eliminate those as being possibilities for this issue?
Andy
Hi,
First, I checked netstat -ni and found RX dropped and RX overruns on eth1 and eth5.
I increased the rx-ringsize first to 2048 and then to 4096.
Now there are no drops, but it did not help.
Second, I ran fwaccel stats -s.
I tried to reduce the F2F traffic; now it is about 12%.
Third, I disabled almost all blades.
Fourth, I changed the encryption settings.
Fifth, I increased/decreased the MTU (tried 1410, 1480, 9000).
I also checked sk165853, but it looks OK.
I also used this manual: sk61221 - Issues requiring adjustment of the Maximum Segment Size (MSS) of TCP SYN and TCP SYN-ACK p...
Now
fw_clamp_tcp_mss=1
No improvement in sight, or only for upload.
I decided to order an MTR test between these two sites from the ISP.
Tomek
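Added example, not code from the thread or from Check Point: the RX-DRP and RX-OVR columns of netstat -ni are cumulative counters, so after raising the ring size the check that matters is whether they are still growing, not whether they are zero. This Python snippet parses two netstat -ni samples taken some time apart (constructed here in the net-tools column layout, with and without the optional Met column handled by reading the header) and reports the interfaces whose drop or overrun counters increased between them.

```python
"""Compare two `netstat -ni` samples and report interfaces still dropping on receive."""


def parse_netstat_ni(output):
    """Parse `netstat -ni` into {iface: {column: value}}.

    Columns are taken from the header row, so the layout with or without the
    'Met' column works. Numeric fields are converted to int; 'Flg' stays a string.
    """
    lines = [ln for ln in output.splitlines() if ln.strip()]
    hdr_idx = next(i for i, ln in enumerate(lines) if ln.split()[0] == "Iface")
    cols = lines[hdr_idx].split()
    table = {}
    for line in lines[hdr_idx + 1:]:
        fields = line.split()
        if len(fields) < len(cols):
            continue  # wrapped or partial line; ignore
        row = {}
        for name, val in zip(cols[1:], fields[1:]):
            row[name] = int(val) if val.isdigit() else val
        table[fields[0]] = row
    return table


def rx_problems(before, after, min_new=0):
    """Return [(iface, new_rx_drp, new_rx_ovr)] for interfaces whose RX-DRP or
    RX-OVR counter grew by more than min_new between the two samples.

    A negative delta means the counter was reset (reboot, driver reload) and
    is reported as 0 rather than treated as an improvement.
    """
    problems = []
    for iface, b in before.items():
        a = after.get(iface)
        if a is None:
            continue
        d_drp = max(a["RX-DRP"] - b["RX-DRP"], 0)
        d_ovr = max(a["RX-OVR"] - b["RX-OVR"], 0)
        if d_drp > min_new or d_ovr > min_new:
            problems.append((iface, d_drp, d_ovr))
    return problems


# Constructed samples: eth1 and eth5 keep dropping, eth0 and lo are clean.
BEFORE = """\
Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500 0    9182736      0      0      0   8172635      0      0      0 BMRU
eth1   1500 0   48273645      0   1200    310  40192837      0      0      0 BMRU
eth5   1500 0   31928374      0    540      0  29384756      0      0      0 BMRU
lo    65536 0      12345      0      0      0     12345      0      0      0 LRU
"""
AFTER = """\
Kernel Interface table
Iface   MTU Met   RX-OK RX-ERR RX-DRP RX-OVR    TX-OK TX-ERR TX-DRP TX-OVR Flg
eth0   1500 0    9382736      0      0      0   8372635      0      0      0 BMRU
eth1   1500 0   49273645      0   1350    330  41192837      0      0      0 BMRU
eth5   1500 0   32928374      0    570      0  30384756      0      0      0 BMRU
lo    65536 0      12545      0      0      0     12545      0      0      0 LRU
"""

if __name__ == "__main__":
    for iface, drp, ovr in rx_problems(parse_netstat_ni(BEFORE), parse_netstat_ni(AFTER)):
        print(f"{iface}: +{drp} RX-DRP, +{ovr} RX-OVR since last sample")
```

Run it against two captures taken a few minutes apart during a slow transfer. If an interface still shows growth after the ring-size increase, `ethtool -S <iface>` exposes the driver-level miss/no-buffer counters behind the kernel totals and `ethtool -g <iface>` confirms the ring size actually in effect.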
Good to see you take the advice seriously.
One question: for this site to site you have 2 gateways, right? Are both under your control? If not, maybe the other gateway needs to be checked.
Hi Lesley,
Yes, I will check the gateway on the second site today or tomorrow evening.
Let's see what the outcome from that gateway is; maybe that is the (new) bottleneck.
So is it any better now after all those changes, or more or less the same?
Andy
Hi Andy,
Download is more or less the same, but upload to Sweden is better.
Hi, I ran tracepath but I got no reply from all hops:
Too many hops: pmtu 1500
Resume: pmtu 1500
Is it different if you change the MTU size to something else?
Andy
@Tomas3miasto Here is something to consider when changing MTU. As I'm sure you are aware, a smaller MTU size means more, smaller packets, while a bigger MTU size means fewer, bigger packets.
In general, a larger MTU size is better because it reduces overhead and improves throughput. However, there are some cases where a smaller MTU size is better, such as for high-speed interfaces.
Andy
You can also check sk165853 to see if it applies.
