Meraki

Community

Bad throughput on Non-Meraki Site-Site VPN

LRH
Here to help
‎Mar 27 2018 9:52 AM
‎Mar 27 2018 9:52 AM

Bad throughput on Non-Meraki Site-Site VPN

I have had a non-meraki site-site vpn tunnel that worked great...until I loaded 14.24.

 

After installation of 14.24 the throughput went from 2.2mbs to 0.4mbs.

 

Nothing else changed other than the firmware update.

 

I did downgrade to 13.28...problem has stayed.....I even had support upgrade back to 14.23 (last known good) and that didn't work either.

 

Has anyone else had throughput issues with non-meraki tunnels recently?

0 Kudos
7 Replies 7
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 27 2018 11:37 AM
‎Mar 27 2018 11:37 AM

I haven't had issues, but there are some things you can try on a Windows client on one end:

 

Perhaps you are having asymmetric timing issues, often caused by an asymmetric circuit (such as ADSL), try:

netsh int tcp set global timestamps=enable

 

Perhaps you are now experiencing an MTU squeeze.  Locate your current interface with:

netsh interface ipv4 show subinterface

 

Then run this command to change the MTU (change "Local Area Connection" to the adaptor name above):

netsh interface ipv4 set subinterface “Local Area Connection” mtu=1400

If this works then make the change permanent with:

netsh interface ipv4 set subinterface “Local Area Connection” mtu=1400 store=persistent

0 Kudos
In response to PhilipDAth
LRH
Here to help
‎Mar 27 2018 12:24 PM
‎Mar 27 2018 12:24 PM

That's the thing....I changed that tunnel to my ASA instead of the Meraki and the throughput immediately came back.  No other changes we made on the server.

0 Kudos
In response to LRH
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 27 2018 12:27 PM
‎Mar 27 2018 12:27 PM

ASA's usually have an MSS adjust configured on them, which mitigates MTU squeezes.

 

Perhaps try the MTU test and see what impact it has - if any.

0 Kudos
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 27 2018 12:28 PM
‎Mar 27 2018 12:28 PM

I just remembered something important.

 

The MX line have terrible 3DES throughput.  Make sure you are using AES.

0 Kudos
In response to PhilipDAth
LRH
Here to help
‎Mar 27 2018 1:16 PM
‎Mar 27 2018 1:16 PM

Changing to AES now...and testing again....

0 Kudos
In response to LRH
LRH
Here to help
‎Mar 27 2018 1:29 PM
‎Mar 27 2018 1:29 PM

AES fixed it....now I am going back to make sure ALL of my non-meraki peers are set to AES.

 

Thanks for the help.

 

Not really sure why support didn't tell me that??

0 Kudos
In response to LRH
PhilipDAth
Kind of a big deal
Kind of a big deal
‎Mar 27 2018 1:30 PM
‎Mar 27 2018 1:30 PM

It is not a well known issue.  That's why it took me so long to remember.

 

ps. Nobody should be using 3DES anymore.  🙂

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.