I've got a customer with a series of MX65 and one MX67. They are experiencing poor vpn s-2-s performance to a thirdparty vpn concentrator. We started troubleshooting by doing standard online speedtests and could find no problems. With iPerf (and Windows file transfers) we get very slow performance, around 20-30 Mbit/s when we are expecting close to 100 Mbit/s on the vpn (ISP link is capable of 250 Mbit/s).
When using iperf to an external server over tcp with standard settings we get a peak of around 50 Mbit/s and if I use parallell streams I immediately get the expected performance (if I use enough streams to fill the Internet link, at least 5 streams).
Connecting the client outside the MX67 gets the expected results, (around 250 Mbit/s on one stream).
Has anyone else seen this kind of behaviour?
I have also tested with another MX67 in our office and come up with similar differences between inside and outside. Here at our office we have 1 Gbit/s and the MX67 has a throughput on speedtest of 450 Mbit/s but iPerf only reaches 50 Mbit/s on one stream. Using 16 parallell streams will reach 450 Mbit/s.
What version firmware is the MX67 running?
I can test this when I get home on mine, but you might want to open up a case with support in the meantime, as this is a relatively new model and it might be some sort of software limiter/bug.
I agree with @NolanHerring. Also have you reviewed the VPN status page under "Security appliance > Monitor > VPN status"? I would be curious to how the usage graph on that page may compare to your observations.
Tested on 14.32, 14.34 and 15.10. same results. Also verified with an MX64 and an MX65. None of them share the same issue. They give full speed to just one stream with iPerf.
We don't test with iPerf, so I can't comment on that. But with Breaking Point we're pushing just over 200Mbps on an Enterprise license, and about 175Mbps with an Advanced license through a VPN on an MX67 running 14.34.
Do you run that vpn to another Meraki mx? My customer runs the vpn to a Sophos FW, but that one pushes 3-400 Mbit through other tunnels when tested...
MX units typically get poor performance with DES and 3DES. Make sure you have selected AES type algorithms.
Thanks for the tip! During testing I have found that vpn is not the only issue anymore. We get really poor performance through the MX67 for a lot of things but not online speedtests 🙂