Hey guys,
I'd first like to say that I'm a younger guy who got hired at a company with only one other guy who has any general sense of networking. I've yet to be thrown in a scenario like this, and it's causing a bit of stress because our end users are directly affected by this. I don't quite know the depths of networking that well, but am learning what I feel to be rapidly.
I got hired at a company that has the need to send insane amounts of data to remote sites over IPsec VPNs. These remote sites have substantial bandwidth that I'm 100% sure is not the problem. 1 Gbps Fiber Up/Down on both ends (best case scenario that is still experiencing slowness).
We're tapping into 50-60 mbps, TOPS, to these remote sites.
The core issue, is that these connections are sending at such ridiculous speeds once we hit our ipsec VPNs over the wan. My core theory is packet fragmentation and I believe Wireshark confirms this. All I see is reassembled packets retransmitting at an alarming rate. I haven't had to sniff packets at all before, so I'm not sure if what I'm seeing is normal.
From what I understand, a standard MTU is 1500 which I confirmed our Fortigate 200D firewall is set to. A standard TCP MSS is 1460?
1500 - 20 IP header - 20 TCP header = 1460 bytes for data? Max Segment Size?
This does not account for the VPN header, which from what I understand, could be anywhere from 60-100 bytes (We use 3DES and SHA1). We're sending fragmented packets all the time...
This led me to a lot of research that people have had success dropping MTU to 1400 and clamping the TCP MSS to 1350-1300.
Can someone please point me in the right direction in the slightest bit? Is my thinking, at all correct? I don't quite know where to turn as I feel we've got a serious networking issue, but am not quite knowledgeable enough to act upon a concrete theory.
Any and all help would be GREATLY appreciated.
No comments:
Post a Comment