Meraki

Community

Meraki AutoVPN discrepancy between two sites

MishMash
Comes here often
Tuesday
Tuesday

Meraki AutoVPN discrepancy between two sites

Hi All,

 

I have a case open with Meraki support, but until now they have been unable to give me or our customer an answer.

 

Let me sketch you the setup:

 

- 2 locations

- Both locations are connected via the same ISP with a 1 Gbit/s Fiber connection

- Both locations have a Meraki MX95 HA setup running 18.211.5.1

- Both locations have a Meraki MS225 stack behind the firewalls

- Both locations have a Cisco C1000 series router in front of the Meraki MX. This is because the ISP is using PPPoe.

 

I have done a ping test as well as a traceroute outside of business hours. 

 

Ping Site A to Site B: 7ms, 0% loss

Ping Site B to site a: 7ms, 0% loss

 

Traceroute between sites: 5 hops

 

Our customer has been complaining about the Meraki AutoVPN performance.

 

For testing, i have placed a raspberry Pi 5 at each location, connected to the core switches. With these Pi's, i can do iPerf3 tests.

 

When testing between the Pi's via NAT rules, I get the following performance:

 

MishMash_0-1743531833511.png

 

Both ways the throughput is around 888Mbit/s, which is fine.

 

However, when we try to do it via AutoVPN, things change...

 

MishMash_2-1743532041361.png

 

As you can see, there is a discrepancy of about 100Mbit/s between sending or receiving...

 

Neither me, my colleagues or Meraki support can explain this behavior. I've gone through the entire configuration multiple times, but i'm stuck.

 

The last message from Meraki support was: 

But my guess would be related to latency. Both locations with fairly low latency, according to formula the maximum throughput of a TCP connection = window size / latency. So 1ms of latency difference here during the test might cause big difference for the result.

 

Any ideas? Anything is welcome at this point...

 

Can anyone help me figure this one out?

 

Labels:
0 Kudos
5 Replies 5
alemabrahao
Kind of a big deal
Tuesday
Tuesday

Have you tried troubleshooting MTU?

https://documentation.meraki.com/General_Administration/Tools_and_Troubleshooting/Troubleshooting_MT...

 

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
0 Kudos
KH
Meraki Employee All-Star Meraki Employee All-Star
Meraki Employee All-Star
Tuesday
Tuesday

AutoVPN is going to add up to 69 Bytes of overhead to the packet so this may very well just be expected behavior here while the MX fragments the packets. What if you try setting the client MTU on the raspberry PI to 1400?

If you found this post helpful, please give it kudos. If my answer solved your problem, click "accept as solution" so that others can benefit from it
In response to KH
RaphaelL
Kind of a big deal
Kind of a big deal
Tuesday
Tuesday

You have a good point. However the MX is already going to clamp the MSS. I'm more concerned about PPPoE. The MX has no idea that the WAN links are using PPPoE. If the OP could perform a packet capture on the S2S interface pretty sure the MSS will be MTU-68bytes and not MTU-68-8(PPPoE).

0 Kudos
MishMash
Comes here often
Tuesday
Tuesday

Hi all,

 

Thanks for the suggestions so far! We have been looking at the MTU sizing and trying different settings, but that didn't do much.

 

@RaphaelL you mentioned the PPPoe. I did think of that as well, but then i should see the same results on both sites.

 

For reference, the WAN interface of the Meraki MX is set to a MTU of 1500 on both sites. The Dialer interface on the router has a MTU of 1492. I have not configured MSS clamping on the router.

0 Kudos
In response to MishMash
RaphaelL
Kind of a big deal
Kind of a big deal
yesterday
yesterday

Do you mind taking a packet capture on the VPN Site-To-Site interface and just printing the TCP handshake here ?

0 Kudos
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco ID. If you don't yet have a Cisco ID, you can sign up.
Labels
© 2025 Cisco Systems, Inc.