I am troubleshooting issues with slow client VPN (300kb!) and site to site VPN (1-4 mbps) speeds.
WAN 1 is our Internet connection.
Port 2 on the firewall feeds a distribution switch.
In SDWAN & Traffic Shaping > Uplink Selection, the primary uplink is set to WAN2.
But Appliance Status > Uplink does not show that WAN2 was configured - though it does have a button "Convert port 2 to primary WAN". Also, the WAN is listed as "Ready", not Active.
There is no internal documentation; I have no idea why it was set up like this.
From what I have read, with this configuration all Internet traffic will be trying to exit from port 2 - which is not an internet connection, so it will then fail over to WAN 1?
Is this a misconfig, or am I missing something?
Would I be correct to change the Primary uplink to WAN 1 and disable Active-Active Auto VPN?
Will changing the Primary uplink to WAN 1 disrupt outgoing Internet traffic, or will users not even notice?
Are you using L2TP or AnyConnect?
Are you using split tunnel?
We are using L2TP and split tunnel.
Try disabling the split tunnel.
Thank you, I will test that this afternoon.
Since we do not have a WAN 2 - should I also change the Primary uplink to WAN 1?
Yep
Disabling the split tunnel did not help.
For your environment, yes, I would change the Primary uplink setting to say WAN 1, as you're not using/don't have a WAN2 even configured. That might resolve the ready vs. active issue. I've never tried a config like you have, so I'm not sure if it produces that UI anomaly. I see some (maybe all) spokes are also configured like this, so you probably want to fix them all.
The active/active AutoVPN piece shouldn't really matter as you don't have more than 1 WAN. You could set it to disable if you want, but it shouldn't be having any effect anyway.
From this MX (and downstream APs) the cloud speedtests are showing me 170+Mbps. So, it doesn't appear you have a general WAN link issue.
For the site to site speed issues: I see the MX mentioned is the hub and there are 24 peers. At which locations are you seeing speed issues? All, some?
Thank you Ryan!
Updating the Primary uplink changed the WAN 1 status to "Active".
I have also updated the Primary uplink on our remote firewalls.
For the site to site - I've tested 6 sites, the rest we received reports of slowness.
I stopped testing because downloading and uploading the same file yielded the same results on all 6 - hub>peer=2mb average, and peer>hub=1mb average.
I ran a test last night having PDQ push the same file to various machines over the site to site VPN.
Sending to 1 machine, it was a 2mb speed.
2 machines was about a 1mb speed.
4 machines was just under 500kb speed.
If I deploy the same file to 4 local machines, speed is 7-8mbps each.
Is it possible the site to site VPN is only allowing 2mb of bandwidth?
What do you have on this screen:
And lower down on the same page, what do you have here?
Uplink Config
And the rest of it...
With regard to Windows and L2TP - there is a known Microsoft bug at the moment that significantly affects performance. It came out in an update around (maybe) early June. It has been noted by many that installing Wireshark (and doing nothing else) resolves the issue.
I have seen a lot of customers instead migrate to AnyConnect, as this is not the first time Microsoft has damaged the client VPN with updates. AnyConnect also has additional functionality, like being able to authenticate against Office 365.
https://documentation.meraki.com/MX/Client_VPN/AnyConnect_on_the_MX_Appliance
Thank you for the tip about MS being the cause! I will try the Wireshark workaround as a temp fix.
I had started looking at AnyConnect earlier in the year, getting a quote for licenses now.
Can you measure the performance using iPerf between two sites? It might be that you don't have a network issue, but an SMB tuning issue.
https://iperf.fr/iperf-download.php
Also, is the firmware running a stable (or better) release?
I downloaded iPerf and will work on testing tonight.
Our hub is an MX100, and the spokes are MX64/67.
All are up to date, running FW 18.107.2.