Meraki Community

Mister_245 · ‎Oct 29 2018

Hi!

I've got a customer with a series of MX65 and one MX67. They are experiencing poor vpn s-2-s performance to a thirdparty vpn concentrator. We started troubleshooting by doing standard online speedtests and could find no problems. With iPerf (and Windows file transfers) we get very slow performance, around 20-30 Mbit/s when we are expecting close to 100 Mbit/s on the vpn (ISP link is capable of 250 Mbit/s).

When using iperf to an external server over tcp with standard settings we get a peak of around 50 Mbit/s and if I use parallell streams I immediately get the expected performance (if I use enough streams to fill the Internet link, at least 5 streams).

Connecting the client outside the MX67 gets the expected results, (around 250 Mbit/s on one stream).

Has anyone else seen this kind of behaviour?

I have also tested with another MX67 in our office and come up with similar differences between inside and outside. Here at our office we have 1 Gbit/s and the MX67 has a throughput on speedtest of 450 Mbit/s but iPerf only reaches 50 Mbit/s on one stream. Using 16 parallell streams will reach 450 Mbit/s.

NolanHerring · ‎Oct 29 2018

What version firmware is the MX67 running?

I can test this when I get home on mine, but you might want to open up a case with support in the meantime, as this is a relatively new model and it might be some sort of software limiter/bug.

Nolan Herring | nolanwifi.com

MacuserJim · ‎Oct 29 2018

I agree with @NolanHerring. Also have you reviewed the VPN status page under "Security appliance > Monitor > VPN status"? I would be curious to how the usage graph on that page may compare to your observations.

jdsilva · ‎Oct 29 2018

We don't test with iPerf, so I can't comment on that. But with Breaking Point we're pushing just over 200Mbps on an Enterprise license, and about 175Mbps with an Advanced license through a VPN on an MX67 running 14.34.

http://blog.brokennetwork.ca |

@jdsilva

Mister_245 · ‎Oct 29 2018

@jdsilva wrote:
We don't test with iPerf, so I can't comment on that. But with Breaking Point we're pushing just over 200Mbps on an Enterprise license, and about 175Mbps with an Advanced license through a VPN on an MX67 running 14.34.

Do you run that vpn to another Meraki mx? My customer runs the vpn to a Sophos FW, but that one pushes 3-400 Mbit through other tunnels when tested...

jdsilva · ‎Oct 29 2018

Yup. The other end of that tunnel would be an MX450.

Interesting... We don't test Non-Meraki VPN. I wonder if there's something there?

http://blog.brokennetwork.ca |

@jdsilva

Mister_245 · ‎Oct 29 2018

I see the same issue outside a vpn tunnel as well. Just running iPerf on the inside of the MX67 accessing a server that sits on 1 Gbit/s Internet cuts performance per stream from 600 Mbits/s down to 50 Mbits/s.

PhilipDAth · ‎Oct 29 2018

MX units typically get poor performance with DES and 3DES. Make sure you have selected AES type algorithms.

Mister_245 · ‎Oct 29 2018

@PhilipDAth wrote:
MX units typically get poor performance with DES and 3DES. Make sure you have selected AES type algorithms.

Thanks for the tip! During testing I have found that vpn is not the only issue anymore. We get really poor performance through the MX67 for a lot of things but not online speedtests 🙂

Mister_245 · ‎Oct 29 2018

It's consistent with the other values.

Mister_245 · ‎Oct 29 2018

Tested on 14.32, 14.34 and 15.10. same results. Also verified with an MX64 and an MX65. None of them share the same issue. They give full speed to just one stream with iPerf.

ww · ‎Oct 29 2018

try use udp with a high buffer. -u -w 256.0M

Meraki Community

MX67 poor performance?

MX67 poor performance?