I have a small retail customer with a main retail store and 5 branch retail stores. The main site has a 200 mbps symmetrical fiber internet service (1 gbps fiber with a 200 mbps shaper configured on the premise ISP internet router and ISP edge routers) installed in June 2018. Also at this time, Meraki MX65W firewalls were connected to the main site and the remote stores. All MX65Ws have the Enterprise License, no Advanced Features enabled.
The remote sites have fiber internet connections through the same internet carrier and are in the same geographic region (with 100 miles range). Remote stores have 20 to 50 mbps symmetric speeds. Remote stores have site to site vpn tunnels back to the main store, to carry Point of Sales Terminal info and Security camera DVR backup video feeds to DVRs located at the main store. The HD Security Camera Feeds from the remotes to the Main Site baselines about 70 mpbs of traffic 24x7 over the 5 vpn tunnels into the Main Site MX65W.
This has been working well for about 8 months, but last month the customer started noticing their dowloads seemed slower, and ran speed tests through the Meraki. Downloads performed from PCs on the LAN switch or plugged directly into the MX65W switchports are running 25-50 mbps while the VPN tunnels are running the Video Cam traffic (70mbps in the background) for a total throughput of about 120-130 mpbs through the MX65W during the PC speed test.
With the same laptop (having a Public IP) directly connected to the ISP Internet router onsite and the MX65W disconnected, Up/Down speeds are 197 mbps. I did ping tests with do not fragment flag enabled, and MTU size appears to be 1280 over the ISP link to different locations. I have verified good ethernet cables and no speed/duplex mismatches between devices. I upgrade the firmware to the latest 14.x code a week ago with no improvement.
Wondered if it may be a MTU issue between the Meraki MX65W and the Adtran 5660 Internet router from the ISP.
I opened a support case with Meraki about that possibility, and they have not replied to the question.
The MX65W was rated at 250 mbps throughput and 100 mbps VPN tunnel. I assumed that meant that only the VPN tunnel traffic throughput was limited to a max of 100mbps. There are only about 5 office personnel that work at the main site, and a few retail floor employees at the main store. 95 percent of the bandwidth used is for the Security camera feeds.
7 h
Should the customer look to go to a larger model MX at the main site. I see that the MX67 is rated at 200 mbps VPN versus the MX65's 100. The MX84 price is much higher with only about a 25 percent performance rating versus a MX67.
Solved! Go to solution.
The CPU gets carved up between different things. If you are driving the CPU hard with crypto doing 100Mb/s of traffic it wont leave a lot of CPU available for other things. I think you are going to need some bigger hardware ...
Some options:
* Replace the MX65W with an MX68W. It has significantly more punch. This is the nicest solution. A nice simple design.
* Installed an additional MX67 at HQ (it will have to go into its own seperate network) and put it into VPN concentrator mode. Configure this to terminate all the AutoVPNs leaving the main MX65W just doing Internet and WiFi (so disable AutoVPN on the original MX65W at HQ). This is the cheapest solution.
That 100Mbps VPN throughput will be total throughput not 100Mbps per VPN connection so if you have 5 sites they will get roughly 20Mbps each.
Note I skim read your query so if I have got this totally wrong please ignore my response.
The camera feeds run about 8 - 12 mbps per site, dependent on the number of sercurity cams at each store. I figured a total throughput of 100 mbps of vpn encryption, but my question is could we have a 70 mbps of vpn, and still have up to 120 mbps of non vpn internet traffic dowloaded. And there is minimal traffic being encrypted and sent to the remotes over the vpn tunnel. Total throughput up and down is max out around 120-130 mbps when i look at the appliance uplink status during speed tests to a few. Even the carriers speed test site located in the Central Office as the Internet Edge router. I work for their ISP installing and troubleshooting CPE. Meraki product line is new for our area, but been doing Cisco and Adtran equipment for 20 years.
Go to:
Organization/Summary Report
Select just HQ network.
Scroll to the very bottom to device utilisation. How heavily utilised is it?
I was wondering where the CPU utilization chart was.. It appears to be overworked 🙂
The CPU gets carved up between different things. If you are driving the CPU hard with crypto doing 100Mb/s of traffic it wont leave a lot of CPU available for other things. I think you are going to need some bigger hardware ...
Some options:
* Replace the MX65W with an MX68W. It has significantly more punch. This is the nicest solution. A nice simple design.
* Installed an additional MX67 at HQ (it will have to go into its own seperate network) and put it into VPN concentrator mode. Configure this to terminate all the AutoVPNs leaving the main MX65W just doing Internet and WiFi (so disable AutoVPN on the original MX65W at HQ). This is the cheapest solution.
I like the idea of splitting the load, with one MX doing the VPN tunnels, and the other the NAT/WiFi.
The other remotes CPU usage is in the 20 - 35 percent range. VPN bandwidth varies from 8mbps (20 percent CPU) to 16 mbps (35 percent).
>I was wondering where the CPU utilization chart was.. It appears to be overworked
Well at least we know, the unit is maxed out.