Sunday, January 27, 2019

Palo Alto: Poor IPsec VPN throughput

We have a pair of PAs terminating a couple of S2S VPNs and acting as GlobalProtect gateways.

We've had numerous reports of poor GP performance, and I've been able to reproduce this myself. For example, at home I have 200 Mb fibre, but when connected to the GP VPN I get speed test results in the range of 60 Mb. iperf from my VPN client to an internal server comes in at about the same range, whereas on the LAN side of the Palos everything is 1 Gb.

Initially we thought this was just a GP issue, but now I've had a colleague working at a remote site, connected back via S2S VPN, stating that file transfers to a server on the other side of the VPN are also much slower than expected. So this seems to be an issue with IPsec as a whole on these PA firewalls.

Both VPN setups terminate on the same physical interface (1 Gb full duplex, MTU 1500), but on different tunnel interfaces.

Adjust TCP MSS is enabled, and I can see the MSS being set to 1360 during the TCP handshake. That said, there are still a number of retransmissions and duplicate ACKs seen when I carry out a pcap on the firewall or the client.

Everything I've read points to an MTU/MSS issue, but I'm struggling to narrow it down. I've changed the MTU on the tunnel interface, on the physical interface, and on the client virtual network adapter, all without success.
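To sanity-check the MSS/MTU arithmetic behind the two paragraphs above, here is an added example (not from the original post or from Palo Alto) that computes the size of a tunnel-mode ESP packet carrying one full-size TCP segment and the largest MSS that still fits a 1500-byte MTU. It assumes IPv4 inside and outside, no IP options, and the transform labels and overhead figures listed in the code; whether ESP is wrapped in UDP (NAT-T) is a parameter, since that alone costs 8 bytes.

```python
"""Tunnel-mode ESP size calculator (added example, not the post's own code).
Assumptions: IPv4 inner and outer headers without options, optional UDP
NAT-T encapsulation, and the transform overheads tabulated below."""

ESP_HDR = 8        # SPI (4) + sequence number (4)
IPV4_HDR = 20
TCP_HDR = 20
UDP_NAT_T = 8      # UDP header added when ESP is encapsulated in UDP/4500

# Transform label (this example's own naming) -> (IV bytes, ICV bytes,
# pad alignment). CBC pads to the cipher block size; AEAD pads to 4.
TRANSFORMS = {
    "aes-cbc/sha1-96":    (16, 12, 16),
    "aes-cbc/sha256-128": (16, 16, 16),
    "aes-gcm-128":        (8, 16, 4),
}


def esp_packet_size(mss: int, transform: str, nat_t: bool) -> int:
    """Outer packet size for one TCP segment carrying `mss` payload bytes."""
    iv, icv, align = TRANSFORMS[transform]
    inner = IPV4_HDR + TCP_HDR + mss          # the encapsulated IP packet
    # ESP trailer: pad so that payload + pad + (pad-length, next-header)
    # is a multiple of the alignment; the 2 trailer bytes are always present.
    pad = (-(inner + 2)) % align
    esp = ESP_HDR + iv + inner + pad + 2 + icv
    return IPV4_HDR + (UDP_NAT_T if nat_t else 0) + esp


def fits(mss: int, transform: str, nat_t: bool, mtu: int = 1500) -> bool:
    """True if the encapsulated segment needs no fragmentation at `mtu`."""
    return esp_packet_size(mss, transform, nat_t) <= mtu


def max_mss(transform: str, nat_t: bool, mtu: int = 1500) -> int:
    """Largest clamped MSS that still fits `mtu` after ESP encapsulation.
    Brute force, because CBC padding makes the size non-monotonic."""
    return max(m for m in range(536, mtu) if fits(m, transform, nat_t, mtu))


if __name__ == "__main__":
    # MSS 1360 is the value the post sees clamped in the handshake.
    for name in TRANSFORMS:
        for nat in (False, True):
            size = esp_packet_size(1360, name, nat)
            print(f"{name:20} nat_t={nat!s:5} mss=1360 -> {size:4} bytes "
                  f"(fits={fits(1360, name, nat)}), max mss={max_mss(name, nat)}")
```

If the MSS 1360 packets fit under every transform but retransmissions persist, the loss is happening for a reason other than fragmentation of the clamped TCP flow (e.g. non-TCP traffic, a smaller MTU somewhere on the path, or DF-bit handling), which narrows the pcap analysis.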

Anyone able to offer advice?
