I recently discovered that one of my clients is getting terrible throughput on their branch office VPNs through their WatchGuards. They have a hub and spoke topology with an M200 at the main hub and T10/T30s at their remote sites.
Their remote sites have 10-20 users max, but any data through the tunnel goes miserably slow, and testing a basic file transfer (1 large file) only gets a 0.5-1 Mbps transfer rate despite having 100 Mbps up/down at the main site and at least 20/20 at remote sites. They use terminal sessions to interface with ERP software, but it regularly takes almost a minute to print anything locally through the tunnel.
We don't have any security on the tunnel beyond encryption; we've lowered phase 2 encryption to 3DES/SHA1 (Phase 1 is already on 3DES, IKEv1).
I am thinking this is a physical limitation of the WatchGuards; WatchGuard support blames the ISP, though we have no internet issues whatsoever. I suspect that it may be an issue with MTU size (if I use -f -l switches on a ping test I can only get a packet through with an MTU of 1394). MTU on the firewall is set to 1500, but I can only adjust it on the WAN interface and not the VPN itself, so I'm hesitant about lowering it.
Has anyone had experience with WatchGuard tunnels like this before?
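The size arithmetic behind the MTU suspicion above, as an added example that is not part of the original post: it works out what a 3DES/SHA1 ESP tunnel adds to each packet and what a given ping -f -l result implies for the tunnel MTU and TCP MSS. It assumes IPv4 without options, ESP tunnel mode with HMAC-SHA1-96, and that the 1394 from the ping test is the -l payload size; the post does not say whether NAT-T is in use, so both cases are computed.

```python
"""ESP tunnel-mode size arithmetic for 3DES-CBC + HMAC-SHA1-96 (added example)."""

IPV4_HDR = 20      # IPv4 header without options (assumed)
ICMP_HDR = 8       # ICMP echo header
TCP_HDR = 20       # TCP header without options
ESP_HDR = 8        # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2    # pad-length byte + next-header byte
NAT_T_UDP = 8      # UDP encapsulation header, present only with NAT-T
DES3_BLOCK = 8     # 3DES-CBC block size, which is also the IV length
SHA1_96_ICV = 12   # HMAC-SHA1 integrity value truncated to 96 bits


def icmp_packet_len(ping_payload):
    """IP packet length produced by `ping -f -l <ping_payload>`."""
    return ping_payload + ICMP_HDR + IPV4_HDR


def fixed_overhead(nat_t=False):
    """Bytes ESP adds regardless of padding: outer IP, ESP header, IV, ICV."""
    return IPV4_HDR + (NAT_T_UDP if nat_t else 0) + ESP_HDR + DES3_BLOCK + SHA1_96_ICV


def esp_outer_len(inner_len, nat_t=False):
    """Length on the WAN of an inner packet after ESP tunnel encapsulation."""
    # Inner packet plus trailer is padded up to a whole cipher block.
    padded = -(-(inner_len + ESP_TRAILER) // DES3_BLOCK) * DES3_BLOCK
    return fixed_overhead(nat_t) + padded


def max_inner_len(path_mtu, nat_t=False):
    """Largest inner packet that encapsulates without exceeding path_mtu."""
    room = (path_mtu - fixed_overhead(nat_t)) // DES3_BLOCK * DES3_BLOCK
    return room - ESP_TRAILER


def tcp_mss(inner_len):
    """TCP MSS that keeps a full segment within inner_len bytes of IP packet."""
    return inner_len - IPV4_HDR - TCP_HDR


if __name__ == "__main__":
    observed = icmp_packet_len(1394)  # value reported in the post
    print("largest inner packet seen through the tunnel:", observed)
    for nat_t in (False, True):
        label = "with NAT-T" if nat_t else "without NAT-T"
        print(label, "-> outer packet:", esp_outer_len(observed, nat_t),
              "| max inner on a 1500 path:", max_inner_len(1500, nat_t))
    print("TCP MSS matching the observed limit:", tcp_mss(observed))
```

If the observed limit is below what a 1500-byte path allows, a smaller MTU somewhere on the WAN path is one explanation worth testing with the same ping outside the tunnel.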