This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
KomisarzRyba
Contributor
‎2025-05-22 04:17 AM

Slow network performance via VPN.

Hello overyone,

I'm looking for a tool or way to diagnose slow network performance via VPN. 
I have 2 gateways connected by VPN S2S. The problem is the long file download times between locations. Files from the Internet are downloaded quickly, so it's probably a VPN problem.

Any ideas? Thanks in advance for your advice.

BR

Labels
0 Kudos
5 Replies
Henrik_J
Contributor
‎2025-05-22 05:05 AM

What encryption are you using in phase 2?

Check Point appliances work better with AES due to AES NI CPU Instruction set with the Intel CPUs.

So if you are using 3DES (for whaever reason), change to AES128 at the very least.

Maybe there are other blades being applied to this traffic as well.
If I ever suspect that DPI may be the issue, try fast accelerating it to see if this alleviates the issues (on both FWs).
https://support.checkpoint.com/results/sk/sk156672

This is only to check if it's a VPN or DPI performance issue, it's up to you to keep this permanent or not.
Fast_acceleration disables all form of security blades (except firewall), so not recommended generally unless the traffic is 100 % trusted.

What are the "download protocols" ?
I assume it's HTTPS from the internet, but maybe it's CIFS / SMB over the tunnel?
Different blades with varying performance impact may be applied depending on the protocol.

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2025-05-22 05:35 AM

Generally this is due to the use of slow VPN algorithms, or a low MTU between the two VPN peers.  Here are the relevant pages from my Gateway Performance Optimization Course that you should find helpful:

vpnperf1.pngvpnperf2.pngvpnperf3.pngvpnperf4.pngvpnperf5.pngvpnperf6.png

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
KomisarzRyba
Contributor
‎2025-05-23 12:47 AM
In response to Timothy_Hall

Thank you very much for your tips.
The encryption in my VPN community looks like this:
- phase 1 
Encryption Algorithm: aes-128
Data Integrity: sha256

-phase 2
Encryption Algorithm: aes-gcm-128
Data Integrity: sha1

What do you think should be changed? In phase 2 Encryption Algorithm on aes-128? And Data Integrity on sha256?
Will changing encryption break VPN connections?

BR

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2025-05-23 05:50 AM
In response to KomisarzRyba

Your algorithm selection is fine, probably a low MTU issue.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2025-05-22 06:06 AM

I agree with the guys, seen that be an issue before.

Andy

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events