jakmic
Participant

Endpoint Security VPN network performance

Hello,

We have a problem with data transfer performance via VPN in our lab environment.

Topology:

Cluster of 2 VM Gateways

Windows VPN client 

MacOS ssh server

 

When we are transferring data over LAN (between two networks), the speed of a 3GB file transfer is about 200Mbps.

When we are transferring data over VPN, the speed of a 3GB file transfer is about 20Mbps (WinSCP).

The lab environment doesn't have any performance problems (CPU of the active gateway is about 5%).

The WAN network is 1Gbps/1Gbps at every site.

 

ESP: AES-256 + SHA256 (we tried lower security algorithms, but nothing changes)

Scheme: IKE

How can we increase VPN network performance?

0 Kudos
13 Replies
Ruan_Kotze
Advisor

There are a couple of unknowns here, but sk105119 would be your best starting point.

Also make sure AES-NI is enabled on the processor level (since you're running OpenServer / VM) otherwise AES-256 will not be accelerated.

Thanks,
Ruan

0 Kudos
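
A way to confirm what the guest itself sees, as an added example that is not part of the original thread. It assumes a Linux-based shell that exposes `/proc/cpuinfo` in the usual format; the function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Reads /proc/cpuinfo-format text on
# stdin and checks that every logical CPU advertises the "aes" flag.
# Real use on a Linux-based host:  check_aesni < /proc/cpuinfo

# Prints "<cpus seen> <cpus without aes>".
cpu_aes_counts() {
    awk -F: '
        /^flags[ \t]*:/ {
            total++
            # Pad with spaces so only the whole word "aes" matches,
            # not a longer flag such as "vaes".
            if (index(" " $2 " ", " aes ") == 0) missing++
        }
        END { printf "%d %d\n", total, missing }
    '
}

# Exit status: 0 = all CPUs have AES-NI, 1 = some lack it, 2 = no data.
check_aesni() {
    set -- $(cpu_aes_counts)
    if [ "$1" -eq 0 ]; then
        echo "no flags lines found"; return 2
    fi
    if [ "$2" -gt 0 ]; then
        echo "AES-NI missing on $2 of $1 logical CPUs"; return 1
    fi
    echo "AES-NI visible on all $1 logical CPUs"
}

# Constructed sample: 2-vCPU guest where the flag is hidden on CPU 1.
sample_cpuinfo() {
    cat <<'EOF'
processor   : 0
flags       : fpu sse4_2 aes avx
processor   : 1
flags       : fpu sse4_2 vaes avx
EOF
}

sample_cpuinfo | check_aesni || true
```

A non-zero status on a VM usually means the hypervisor is not passing the flag through to the guest, even when the physical CPU supports it.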
jakmic
Participant

I need to check, because the VM is running on our Data Center solution. For now, I don't know the hardware specification on the backend.

0 Kudos
jakmic
Participant

Yes, there is an AES flag recognized by the Checkpoint VM.

0 Kudos
Chris_Atkinson
Employee

Which client version are you using, E86.60 or higher?

(Client side AES-NI support was introduced here)

CCSM R77/R80/ELITE
0 Kudos
jakmic
Participant

E86.50

0 Kudos
PhoneBoy
Admin

What version of gateway?
Cores/memory allocation for the VM?
R81.20 might have better performance in this regard due to some internal changes.

0 Kudos
jakmic
Participant

2 Cores, Memory 4GB

R81.10 JB Take 87

0 Kudos
AndreiR
Employee

Hi @jakmic ,

Take the latest version, E87.20. It has multiple improvements compared to E86.50:

  1. It has AES-NI support on the client side
  2. It has a new and improved VPN driver
  3. It has an experimental flag which may also help:
    In the registry set the following value:
    [HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\CheckPoint\TRAC]
    "disable_threaded_ipsec"=dword:00000000

Besides that, make sure the logging level in the client is set to Basic. Extended mode consumes significant performance.

I'm not sure 2 Cores + 4Gb RAM is sufficient for an R81.10 gateway. Which hardware do you use for the VPN client? The more powerful the device you use for testing, the higher the performance you should get.

PhoneBoy
Admin

Those are bare minimum system requirements for a gateway.
You'll definitely want to allocate additional cores and RAM if performance is a concern.

0 Kudos
jakmic
Participant

For a test environment and one VPN user I think it is enough 🙂

I went with your proposal and checked the load on the gateway and the client computer.

During the transfer the GW had about 64% at peaks and 20% on average, but our client site had 100% (i5-5300U).

With the newer Endpoint VPN Client (E87.20) we got a 50% faster transfer (30-35Mbps), so @AndreiR thank you 🙂

We took newer client hardware (i7-12700H) and tried again. Now the transfers look optimistic: about 320Mbps (10x more), with CPU load of about 20-23% during the transfer.

Now I have a question: is there any solution to optimize the Endpoint Security VPN client on older hardware?

On the other hand, when you go to https://www.checkpoint.com/quantum/remote-access-vpn/#downloads (it looks like the main place to download the client) you will receive an older version (E86.50_CheckPointVPN.msi).

0 Kudos
Chris_Atkinson
Employee

Trying different encryption algorithms might be at the expense of security.

I've asked internally for the website links cited above to be updated.

 

CCSM R77/R80/ELITE
0 Kudos
PhoneBoy
Admin

The E87.xx releases do not have a "recommended" release yet, which is probably why it's not linked directly from checkpoint.com.

0 Kudos
PhoneBoy
Admin

In terms of optimizing performance on older computers, there's not much that can be done at this time.

0 Kudos
