Raj Khatri

IPsec to Zscaler

Discussion created by Raj Khatri on Oct 5, 2017
Latest reply on Oct 9, 2017 by Timothy Hall

We have many 1100 and 1400 model firewalls that we have migrated over to Zscaler using IPsec VPN to send outbound internet traffic through the Zscaler datacenter for filtering. We are running only the FW and VPN blades. The VPN is up and running; however, we are noticing very slow performance in speeds and file downloads. We have an open case with TAC and are not getting far after taking kernel debugs, fw monitor and packet captures. When bypassing the VPN by using an explicit proxy or going through the firewall directly, speeds are very fast. I wouldn't expect 1/5 of the allocated circuit speed when going through the VPN tunnel. Packet captures show the MSS value without the tunnel is 1460 and via the tunnel is 1360, and we are seeing a very small window size value via the tunnel.

We have modified the following files without any improvement:

$FWDIR/modules/fwkern.conf
fw_clamp_vpn_mss=1

$FWDIR/modules/simkern.conf
sim_clamp_vpn_mss=1
sim_ipsec_dont_fragment=1

We have GRE tunnels working without any problem on our Cisco routers, but Check Point doesn't support GRE. We have optimized the MTU and MSS values for the tunnel and speeds are great. Unfortunately, you cannot modify these values for a VPN tunnel on a Check Point firewall.

Any insight into a fix or solution would be appreciated. We are running an R80.10 management server. Thanks.

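An added example, not from the original thread or from Check Point: a small Python script that decodes the MSS and window-scale options from a SYN-ACK header (a constructed sample, not a capture from the post) and computes the largest MSS that fits an IPv4 ESP tunnel-mode packet without fragmentation. The path MTU, IV, ICV and NAT-T settings are assumptions, since the post does not state the VPN's parameters.

```python
import struct

def parse_syn_options(tcp_header: bytes) -> dict:
    """Decode MSS and window-scale options plus the raw window field from a
    TCP SYN/SYN-ACK header (bytes of the TCP header only, no IP header)."""
    data_offset = (tcp_header[12] >> 4) * 4
    opts = tcp_header[20:data_offset]
    result = {"window": struct.unpack("!H", tcp_header[14:16])[0],
              "mss": None, "wscale": None}
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # end of option list
            break
        if kind == 1:                      # NOP padding
            i += 1
            continue
        length = opts[i + 1]
        if kind == 2 and length == 4:      # MSS option
            result["mss"] = struct.unpack("!H", opts[i + 2:i + 4])[0]
        elif kind == 3 and length == 3:    # window scale option
            result["wscale"] = opts[i + 2]
        i += length
    return result

def effective_window(window: int, wscale) -> int:
    """Bytes the peer will actually accept once the scale shift is applied."""
    return window << (wscale or 0)

def max_mss_for_esp_tunnel(path_mtu=1500, iv_len=16, icv_len=12,
                           block=16, nat_t=True) -> int:
    """Largest TCP payload per segment that fits one IPv4 ESP tunnel-mode
    packet. Assumed defaults: AES-CBC (16-byte IV/blocks), HMAC-SHA1-96 ICV,
    UDP 4500 NAT-T encapsulation. Change them to match the real tunnel."""
    # outer IP + optional UDP + SPI/seq + IV + ICV are outside the ciphertext
    outer = 20 + (8 if nat_t else 0) + 8 + iv_len + icv_len
    enc_budget = (path_mtu - outer) // block * block  # ciphertext is block aligned
    return enc_budget - 2 - 20 - 20                   # ESP trailer, inner IP, TCP

# Constructed SYN-ACK: window 512, options MSS=1360, NOP, window scale 2.
SAMPLE_SYN_ACK = bytes.fromhex(
    "01bb" "c350"                  # src port 443, dst port 50000
    "00000001" "00000002"          # seq, ack
    "7012" "0200" "0000" "0000"    # data offset 7 (28 bytes), SYN|ACK, win 512
    "02040550"                     # MSS 1360
    "01" "030302"                  # NOP, WS shift 2
)

if __name__ == "__main__":
    o = parse_syn_options(SAMPLE_SYN_ACK)
    print(o, "effective window:", effective_window(o["window"], o["wscale"]))
    print("max MSS in tunnel:", max_mss_for_esp_tunnel(), "clamped MSS fits:",
          o["mss"] <= max_mss_for_esp_tunnel())
```

With the assumed defaults the budget is 1382 bytes, so a 1360 clamp leaves room for fragmentation-free ESP; a tiny scaled window, on the other hand, limits throughput regardless of MSS.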