MX84 Client VPN slow throughput

USBIT
Conversationalist


Good morning community!

We are using a Client VPN, full tunnel (required), using IPSec through an MX84 connected to an MS250.  Recently, "maybe" since the last MS firmware update in January, we are experiencing VERY slow throughput to our systems while connected to the VPN.  Per our testing, it appears to be about a 70-75% bandwidth degradation while connected.  Users connected with 400Mbps cable connections don't really notice the problem, but remote users on slow DSL connections or cellular hot spots find the VPN functionality almost unusable.  Please advise if anyone is experiencing or has experienced the same, and the possibility of rectification.  Thanks in advance.

alemabrahao
Kind of a big deal

The maximum VPN throughput for the MX84 is 250 Mbps.

 


 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
USBIT
Conversationalist

Thank you for the input.  We are running 100Mbps symmetric fiber to the MX.  Our issue at this point is with our mobile users using a cellular hot spot (or worse, ADSL at home).  In my testing, I get non-VPN connectivity results of 45/7 through my cell hot spot.  When connected to the full tunnel VPN, speedtest results drop to 11/6.  That is a pretty big overhead hit for the VPN :-).  I can understand some overhead, but that much makes our remote users non-functional unless they have some pretty good bandwidth.

PhilipDAth
Kind of a big deal

Asymmetric circuits (like DSL) can cause issues with the default symmetric time calculation system that Windows uses.

 

For an experiment, try enabling timestamps on both a user's machine and a server they are accessing:

netsh int tcp set global timestamps=enabled
USBIT
Conversationalist

Thank you for the input.  Would we see that if one side is asymmetric and the other end is symmetric?

PhilipDAth
Kind of a big deal

Yes.  As soon as one side is asymmetric in response time, the whole TCP connection is asymmetric.

 

This may not be the problem - but back when my country used to still have DSL it was a common issue, often helped a lot by enabling TCP timestamping.

USBIT
Conversationalist

Well...The first time it seemed to "work" and I received better results.  However, after continued testing (fiber.google.com/speedtest) my jitter while on the client VPN went through the roof.   In some tests, over 1000 😮 with some testing throughput at .7/.7 vs 57/9 while off VPN.  Crazy!
