We have a vendor with Cisco CSR1000v routers within our network connecting back to their datacenter via DMVPN at multiple locations of ours. These VPNs use internet from our SonicWall devices but are not terminated directly in the SonicWall devices. We were not getting the throughput we needed across these connections, and we thought it was the licensed limit at first, but they put a trial 5g license on one and it did not fix the issue. What we are seeing is that the IKE traffic that goes from our LAN interface to WAN interface on the SonicWall (at multiple sites) is limited to almost exactly 50mbps at some sites despite the internet connection being 1gbps and the license being either 100mbps or 5gbps.
When I say exactly, I mean a completely flat line at these sites with between 200mbps and 1gbps internet connections. It almost looks like something that is limited by traffic shaping or interface speed. These 50mbps limits are not seen when we have any traffic other than encrypted VPN traffic. Website speed tests get appropriate speeds, as do iperf3 tests across the internet, just not iperf3 tests across the DMVPN.
When our vendor was on site today they made the connection that our sites with SonicWall NSA2600 or NSA3600 devices were limited to 50mbps but sites with 2650 routers were able to get between 2 and 5x more throughput. We actually replaced a device today at a site with 500mbps internet to upgrade a 2600 to 2650 and saw a dramatic improvement. Software version and configuration don't seem to be the limiting factor. The sites with the 2600 and 3600 have the exact same limit as a site where we have a TZ300, which we just upgraded to a 1gbps connection. (A 2650 firewall is currently being configured to replace it.)
Is there some sort of limit that is not published for these devices?