Extremely slow Site-to-Site VPN

jcolley
Here to help

Extremely slow Site-to-Site VPN

I'm using 2 MX64 security devices for a site to site VPN and I'm getting sub 1 Mb/s speeds.

the internet connections both have 50-20 Mb/s internet connections.

 

They are running version 14.39

 

How can I improve this speed?

Untitled.png

24 REPLIES 24
MarcP
Kind of a big deal

Depends on where/how you use it.

If you are based in Europe or the US for example and this site is in Asia, this is quite normal...

 

Have you got further details?

Both of these devices are located in Perth, Western Australia

MarcP
Kind of a big deal

And VPN Remote peer?

Sorry I'm not sure what you are asking. I'm using the site to site VPN between the 2 devices. It's set to use Meraki cloud to set up the connection

ww
Kind of a big deal
Kind of a big deal

your latency is very high. this also affects tcp performance

MarcP
Kind of a big deal

OK, thought you have both MX´s on one site and connect to your HQ for example 😉

 

So did this start yesterday, or is it like this all the time?

How many users are there? (even asking while seeing, that its low in the night, metining this because of the MX64 hardware))

Maybe the ISP is causing a problem regarding to any settings on their side?

 

I only set this up recently but it has been this way since then.

MarcP
Kind of a big deal

ok, maybe it is just normal for this sites?

 

Can you provide any other informations I asked before?

Maybe also show what you have build there in draw or your VPN settigns?

jdsilva
Kind of a big deal

What firmware version are you running?

As mentioned in the opening question they are both running 14.39
SoCalRacer
Kind of a big deal

You might try disconnecting the VPN. Then check the usage at both sites over a day or so. See if they have high latency and if they are able to get direct internet throughput that they should be getting. This could help you narrow it down to an ISP and or a specific site. Just to check is the ISP the same on both MXs?

Happiman
Building a reputation

@jcolley 

 

I would capture the traffic from the Inside Interface to see the latency.

 

At the beginning of the 3-way TCP handshake, you will see the latency of SYN-ACK packet.

 

You can calculate the real world throughput by

TCP-Windows-Size/Latency = Throughput

 

http://bradhedlund.com/2008/12/19/how-to-calculate-tcp-throughput-for-long-distance-links/

 

image.png

 

Also, if you have 0.4% of packet loss, you will lose 50% of your  throughput.

https://blog.thousandeyes.com/a-very-simple-model-for-tcp-throughput/

cmr
Kind of a big deal
Kind of a big deal

Are the connections symmetrical or are they shared use lines (xDSL, cable etc.) that can have 50Mb download but only 1Mb upload speed?

BlakeRichardson
Kind of a big deal
Kind of a big deal

@jcolley As mentioned your latenacy its extremely high between two local devices. I know that internet over the ditch isn't that great. What type of internet connection do you have, is it fibre or ADSL/VDSL?

both are using NBN one is through Node1 and the other is MATE Communicate

As mentioned in the opening question they have a 50/20 connection. 50 down 20 up
jcolley
Here to help

Here are some screenshots of the setup/status

Does this mean I need to talk to the ISP?

Site 1 StatusSite 1 StatusSite 1 SettingsSite 1 SettingsSite 2 StatusSite 2 StatusSite 2 SettingsSite 2 SettingsSite 1 pinging Site 2 through VPNSite 1 pinging Site 2 through VPN

@jcolley The fact your latency is around 200ms when your are pinging a device in the same city shows there is a serious issue somewhere. 

 

What I would do is ping 8.8.8.8 from each connection and see if either of them has a much higher response time than the other. Pinging 8.8.8.8 from New Zealand I get an avg response time of 43ms

cmr
Kind of a big deal
Kind of a big deal

Site1 looks to be overloaded.  As you have some significant packet loss this will stop you getting near the full throughput.  Do you have up/down stats for site 1


@cmr wrote:

Do you have up/down stats for site 1


How would I get this?

cmr
Kind of a big deal
Kind of a big deal

The easiest way to get up/down statistics is from the switch port that the MX is connected to, if you have an MS simply click on the port and you will see traffic sent/received under the status heading half way down the page.

Happiman
Building a reputation

@jcolley 

 

You add your own Site public IP address to measure the health.

 

image.png

 

Wait an hour or so, you can toggle between the IP addresses.

 

image.png

 

 

So I got it added and here are the results this is Site 2 pinging Site 12019-09-02 13_52_02-Window.png

Happiman
Building a reputation

@jcolley 

 

At this point, I strongly recommend you to use "iPerf3" to measure the WAN performance.

 

download it from here

https://iperf.fr/iperf-download.php

 

 

 

You will need to install the app on both ends.

 

a) Hub : run iperf3 -s

b) Spoke: iperf3 -c  1.1.1.1 -f M -P 4  (your Server IP on Hub Site,format of Mbits, 4 concurrent connections)

 

https://documentation.meraki.com/zGeneral_Administration/Tools_and_Troubleshooting/Troubleshooting_C...

         

You want to change the windows size to improve the throughput. 

 

 

 

Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels