Meraki VPN - Poor performance

JThomas9999
Conversationalist


We just installed 2 x MX75s on Gigabit Internet connections. With Meraki VPN running, Windows server to Windows server file transfers are 3 Megabytes/24 Megabits per second. iperf is also showing about 25 Megabits per second. Internet speed test is 920 - 930 Megabits per second. With the old Cisco ISR 4000s reinstalled, the server to server file transfer is over 20 Megabytes/200 Megabits per second. We opened a case with Meraki and they are stumped. Does anyone have any ideas? We really don't want to have to eat the cost of these devices and lose the good will of the client.

 

I reached out to Meraki prior to purchase and they said the VPN is supposed to be good for line speed at Gigabit.

Mloraditch
Kind of a big deal

The one thing I can think of that support might not have is @PhilipDAth 's favorite question about MTU. Perhaps try adjusting that.

Has support had you turn off AMP/IPS? Disabled any traffic shaping? Tested on different firmware versions? 19.1.8 if you are on 18.211.x.x or vice versa?

Have you asked support for an escalation?

 

I'd also suggest talking to your sales rep and seeing if they might be able to swing some MX85s for testing just to see if that helps

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
RWelch
Kind of a big deal

Troubleshooting MTU Issues 

If you found this post helpful, please give it Kudos. If my answer solves your problem please click Accept as Solution so others can benefit from it.
PhilipDAth
Kind of a big deal

Haha.  Well done @Mloraditch .  I run into MTU-related performance issues at least every 90 days helping customers.  If you can - always buy Internet connections with a clean 1500 byte MTU to avoid this (such as a connection that uses DHCP or a static IP).

 

@JThomas9999 there is a pretty good chance there is something in the old 4000 config changing the MTU or MSS (if this is the issue).

 

You can test this yourself initially by lowering the MTU on both servers and re-testing.  On each server do something like:

netsh interface ipv4 show subinterface

This will identify all the interfaces.  Choose the one being used.  It is often called "Ethernet".

 

Then, try lowering the MTU a lot on the interface on each server:

netsh interface ipv4 set subinterface "Ethernet" mtu=1300

If that fixes it, try again with maybe 1400.  If you find a size that fixes it, make the change permanent on the server with:

netsh interface ipv4 set subinterface "Ethernet" mtu=1300 store=persistent

If it doesn't fix it then rerun the command with an MTU of 1500 to roll it back.

 

 

I have also run into issues with ISPs where the upstream and downstream traffic have different travel times.  You can mitigate this problem in Windows by enabling TCP timestamps. 

netsh int tcp set global timestamps=enable

 

Sometimes in Windows you need to disable bandwidth throttling (yes, Windows has this enabled by default!!!).  Do this in PowerShell.

Set-SmbClientConfiguration -EnableBandwidthThrottling 0 -EnableLargeMtu 1 

 

And if all of that fails, try the SMB tuning guide:

https://learn.microsoft.com/en-us/windows-server/administration/performance-tuning/role/file-server/...

 

 

You could also consider doing a packet capture in case something else is happening, like a lot of packet loss, out of order packets, etc.
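
A way to measure what the path between the two servers actually carries before choosing an MTU value for the netsh commands above, written as an added example that is not part of the original post. It binary-searches the largest ping payload that gets a reply with the Don't Fragment bit set; the target address is a placeholder and the 1200-byte lower bound is an assumed starting point.

```powershell
# Added example (not from the thread): probe the path MTU with DF-bit pings.
function Test-DfPing {
    param([string]$Target, [int]$PayloadSize)
    # -f = Don't Fragment, -l = ICMP payload bytes, -n 2 = two echoes, -w = timeout (ms)
    $output = & ping.exe -f -l $PayloadSize -n 2 -w 2000 $Target 2>&1 | Out-String
    # Only a real echo reply carries "TTL="; "Packet needs to be fragmented",
    # "Destination host unreachable" and timeouts do not.
    return [bool]($output -match 'TTL=')
}

function Find-PathMtu {
    param(
        [Parameter(Mandatory)][string]$Target,
        [int]$MinPayload = 1200,   # assumed lower bound for the search
        [int]$MaxPayload = 1472    # 1500 - 20 (IPv4 header) - 8 (ICMP header)
    )
    if (-not (Test-DfPing -Target $Target -PayloadSize $MinPayload)) {
        throw "No reply at $MinPayload bytes; check reachability or ICMP filtering first."
    }
    $low  = $MinPayload            # largest payload known to pass
    $high = $MaxPayload            # nothing above this is tested
    while ($low -lt $high) {
        $mid = [int][math]::Ceiling(($low + $high) / 2)
        if (Test-DfPing -Target $Target -PayloadSize $mid) {
            $low = $mid            # passed unfragmented: search upward
        } else {
            $high = $mid - 1       # dropped or needed fragmentation: search downward
        }
    }
    [pscustomobject]@{
        Target         = $Target
        LargestPayload = $low
        PathMtu        = $low + 28        # add IPv4 + ICMP headers back
        TcpMss         = $low + 28 - 40   # minus IPv4 + TCP headers
    }
}

# 192.0.2.10 is a placeholder; use the address of the server at the other site.
Find-PathMtu -Target '192.0.2.10'
```

Run it on one server against the server at the other site so the probes cross the VPN. A PathMtu below 1500 indicates the largest interface MTU that avoids fragmentation on that path.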

AlexL1
Meraki Employee

Hi JThomas9999,

I hope your day is going well.

 

Please provide more detailed information and perform the following steps:

  • Is it a new deployment?
  • Did it work before as expected? When did the issue start happening?
  • Are these MX75s connecting to Meraki switches? How are they connected - via SFP module with fiber optic or CAT cable?
  • Have you upgraded the MX75 to the latest firmware version MX18.211.5.2?
  • Have you upgraded the Meraki switches to the latest firmware version MS17.2.1.1?
  • Is the upload speed, the download speed, or both slow?
  • What's the expected speed?
  • Is only the File transfer impacted or all other traffic and protocols?
  • Are you sure that the issue is related to the Meraki AutoVPN and not to one of the sites? Please perform the next steps and send the results.

 

Point 1 - MX75 - Small branch with up to 200 devices - Max Throughput with All Advanced Security features* 1 Gbps - https://documentation.meraki.com/MX/MX_Overviews_and_Specifications/MX75_Datasheet

 

TEST 1 - Outside the Tunnel - ISP 1 - Connect a PC directly to MX LAN port site 1 - speedtest.net - what's the result?

TEST 2 - Outside the Tunnel - ISP 2 - Connect a PC directly to MX LAN port site 2 - speedtest.net - what's the result?

 

TEST 3 - Inside the Tunnel - Connect PC1 (iPerf Server) directly to an MX LAN port at site 1 and PC2 (iPerf Client) to an MX LAN port at site 2 - what's the result?

  • If the upload and download speeds are as expected, that means the issue is the downstream switch at one of the sites.
    • Move PC1 in site 1 to the downstream switch, leave the PC2 connected on the MX LAN port site 2 - what's the result?
    • Move PC2 in site 2 to the downstream switch, and move back the PC1 connected on the MX LAN port site 1 - what's the result?

 

Point 3 - If the downstream switch is an MS130 and the MS130 switch is connected to the MX on its mGig port, firmware version MS17.2.1.1 resolves the issue - "Some MS130-X switches to experience slow upstream when connected directly to an MX device via an mGig port"

 

Point 4 - As Mloraditch and RWelch mentioned, an MTU issue - https://documentation.meraki.com/General_Administration/Tools_and_Troubleshooting/Troubleshooting_MT...

 

 

Additional useful documentation:

 

 

If you have any questions, please let us know.

 

 

If you found this post helpful, please give it kudos.
If my answer solved your problem, click "accept as solution" so that others can benefit from it.

cmr
Kind of a big deal

Which VPN client are you using, the same version of AnyConnect that was used with the ISR4000s?

If my answer solves your problem please click Accept as Solution so others can benefit from it.
JThomas9999
Conversationalist

Thanks for all the responses, but I didn't make it clear: this is a site-to-site auto-VPN, so the AnyConnect client version is not relevant here. We will investigate the MTU and possibly have Meraki change it if necessary.

cmr
Kind of a big deal

What lies beneath the auto VPN?  i.e. circuit types and bandwidths, are they on the same carrier, are they DIA or private etc.?

 

Have you set the bandwidth of each circuit correctly on the MXs at each end?

If my answer solves your problem please click Accept as Solution so others can benefit from it.