cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

MX67 poor performance?

Highlighted
New here

MX67 poor performance?

Hi!

 

I've got a customer with a series of MX65 and one MX67. They are experiencing poor vpn s-2-s performance to a thirdparty vpn concentrator. We started troubleshooting by doing standard online speedtests and could find no problems. With iPerf (and Windows file transfers) we get very slow performance, around 20-30 Mbit/s when we are expecting close to 100 Mbit/s on the vpn (ISP link is capable of 250 Mbit/s). 

 

When using iperf to an external server over tcp with standard settings we get a peak of around 50 Mbit/s and if I use parallell streams I immediately get the expected performance (if I use enough streams to fill the Internet link, at least 5 streams).

 

Connecting the client outside the MX67 gets the expected results, (around 250 Mbit/s on one stream).

 

Has anyone else seen this kind of behaviour?

 

I have also tested with another MX67 in our office and come up with similar differences between inside and outside. Here at our office we have 1 Gbit/s and the MX67 has a throughput on speedtest of 450 Mbit/s but iPerf only reaches 50 Mbit/s on one stream. Using 16 parallell streams will reach 450 Mbit/s.

11 REPLIES 11
Kind of a big deal

Re: MX67 poor performance?

What version firmware is the MX67 running?

 

I can test this when I get home on mine, but you might want to open up a case with support in the meantime, as this is a relatively new model and it might be some sort of software limiter/bug.

Nolan Herring | nolanwifi.com
TwitterLinkedIn
Highlighted
A model citizen

Re: MX67 poor performance?

I agree with @NolanHerring. Also have you reviewed the VPN status page under "Security appliance > Monitor > VPN status"? I would be curious to how the usage graph on that page may compare to your observations.

Highlighted
Kind of a big deal

Re: MX67 poor performance?

We don't test with iPerf, so I can't comment on that. But with Breaking Point we're pushing just over 200Mbps on an Enterprise license, and about 175Mbps with an Advanced license through a VPN on an MX67 running 14.34.

Highlighted
New here

Re: MX67 poor performance?


@jdsilva wrote:

We don't test with iPerf, so I can't comment on that. But with Breaking Point we're pushing just over 200Mbps on an Enterprise license, and about 175Mbps with an Advanced license through a VPN on an MX67 running 14.34.


Do you run that vpn to another Meraki mx? My customer runs the vpn to a Sophos FW, but that one pushes 3-400 Mbit through other tunnels when tested...

Highlighted
Kind of a big deal

Re: MX67 poor performance?

Yup. The other end of that tunnel would be an MX450. 

 

Interesting... We don't test Non-Meraki VPN. I wonder if there's something there?

Highlighted
New here

Re: MX67 poor performance?

I see the same issue outside a vpn tunnel as well. Just running iPerf on the inside of the MX67 accessing a server that sits on 1 Gbit/s Internet cuts performance per stream from 600 Mbits/s down to 50 Mbits/s.
Highlighted
Kind of a big deal

Re: MX67 poor performance?

MX units typically get poor performance with DES and 3DES. Make sure you have selected AES type algorithms.

Highlighted
New here

Re: MX67 poor performance?


@PhilipDAth wrote:

MX units typically get poor performance with DES and 3DES. Make sure you have selected AES type algorithms.


Thanks for the tip! During testing I have found that vpn is not the only issue anymore. We get really poor performance through the MX67 for a lot of things but not online speedtests 🙂

Highlighted
New here

Re: MX67 poor performance?

It's consistent with the other values.

Highlighted
New here

Re: MX67 poor performance?

Tested on 14.32, 14.34 and 15.10. same results. Also verified with an MX64 and an MX65. None of them share the same issue. They give full speed to just one stream with iPerf.

Highlighted
Kind of a big deal
Kind of a big deal

Re: MX67 poor performance?

try use udp with a high buffer.   -u -w 256.0M

Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.