Your client VPN tunnels are experiencing high latency or slower throughput than expected. For instance, file transfers through the VPN tunnel take extended periods of time, or client requests such as telnet or FTP receive slow responses.
VPN Client performance depends on several factors including processor (CPU) power, levels of encryption, Internet connection bandwidth, and others. Use the following information to troubleshoot VPN performance issues:
The following items affect VPN performance
On the client
CPU processing power of the client computer.
Bandwidth (speed) of the Internet connection.
On the server
CPU processing power of the firewall/VPN server.
The VPN Policy being used for the tunnel such as encryption and integrity level, data compression, and rekey intervals.
Proxy analysis of packets (configuration of rules to pass traffic to the proxy services).
NAT types, if being used.
The patch level of the firewall/VPN server.
Techniques to increase VPN tunnel performance
Try the following techniques to improve the performance of the VPN tunnel:
On the client
Increase CPU processing power.
Eliminate or stop nonessential processes that use CPU time.
Increase the bandwidth of the Internet connection by using direct access (cable/DSL) in place of dial-up connections, if possible.
On the server
To free memory, stop unnecessary proxy services on the firewall such as SQLNetd, NNTPd, and others. Note: Disabling proxy daemons lessens the ability of the firewall to fully examine packets at the application layer and may lower the degree of security established on the system. Only disable proxy services if you are certain that they are not in use by the firewall either directly (for instance, DNSd) or indirectly (in rules). If you are not sure of the effect of disabling certain proxy services, consult a Technical Support representative before disabling them.
VPN Policy parameters
Disable Compression on the VPN Policy
Set rekey limits to their defaults (Data Volume: 2100000, Lifetime: 480, Inactivity: 0)
You may also try using a DES VPN Policy in lieu of a 3DES VPN Policy if CPU power is a concern.
Disabling/Enabling VPN tunnel use of the Proxy Services
In most cases, a VPN Policy that uses the Proxy services is only required when the administrator wishes to:
Restrict access to services through the tunnel (for instance, only telnet is allowed through the tunnel)
Use NAT so that packets can return to the firewall (that is, the internal hosts behind the firewall/VPN server do not use the firewall/VPN server in any way as their default gateway).
If you do not need to restrict access to specific services through the tunnel (all ports and protocols are allowed through the VPN tunnel to the defined Local Entity of the Secure Tunnel), and NAT is not necessary because the internal hosts use the firewall/VPN server as their default gateway, this setting can be disabled. However, if you wish to restrict services through the tunnel or must use the NAT feature of the firewall/VPN server, this setting must remain enabled.
To disable the Proxy Services feature, on the VPN Policy used by the tunnel, clear the "Pass Traffic from the Secure Tunnel to the Proxy Services (Required for NAT)" check box.
Proxy Services
There are several rule-based items you can analyze and change to improve the throughput of a VPN tunnel that uses the Proxy services:
Make the VPN rules as specific as possible (including Source, Destination, Out Via, and the Services). If possible, try to avoid multiple rules identifying
as a source as the firewall scans the entire rule database to determine a "best fit" application.
If possible, avoid using "all*" as a service in rules, but rather specify the individual services for the VPN rule.
Disable "Log Normal Activity" (on the Miscellaneous tab). This will stop the Logging daemon from logging activity that this rule applies to.
Disable "Application Data Scanning." Disabling this feature invokes the FastPath mechanism (HTTP) or the Kernel Proxy (all other Proxy services) for those services that apply to the specific rule. For information on FastPath and the Kernel Proxy, review the Firewall documentation provided with your product.
Address Transforms
If you need to use Address Transforms (the firewall/VPN server NAT functionality), try the following to improve performance:
Use the "Use Gateway Address" option in the Address Transform in place of a NAT pool.
Make the Address Transform specific to your VPN Tunnel (the "best fit" method applies to Address Transforms just as it does to rules; see the first item under Proxy Services, above), and leave VPNTunnelExitTransform and VPNTunnelEntryTransform at their default settings.
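The checks under VPN Policy parameters, Disabling/Enabling VPN tunnel use of the Proxy Services, and Proxy Services above can be turned into a quick configuration lint. The following is an added example written for this article, not code from the firewall vendor; the dictionary field names and the sample policy and rules are constructed assumptions and do not reflect the firewall's own configuration format.

```python
# Added example: lint a VPN Policy and its proxy rules against the performance
# guidance above. Field names and sample data are constructed assumptions.

# Default rekey limits the article recommends restoring.
DEFAULT_REKEY = {"data_volume": 2100000, "lifetime": 480, "inactivity": 0}


def lint_policy(policy):
    """Return a list of findings for one VPN Policy dictionary."""
    findings = []
    if policy.get("compression"):
        findings.append("compression is enabled: disable it on the VPN Policy")
    for key, default in DEFAULT_REKEY.items():
        if policy.get(key) != default:
            findings.append(f"rekey {key}={policy.get(key)!r} differs from default {default}")
    # Proxy pass-through is only needed for service restriction or NAT.
    needs_proxy = bool(policy.get("restrict_services") or policy.get("needs_nat"))
    if policy.get("pass_to_proxy") and not needs_proxy:
        findings.append("proxy pass-through is on but neither restriction nor NAT "
                        "is needed: the check box can be cleared")
    if not policy.get("pass_to_proxy") and needs_proxy:
        findings.append("proxy pass-through is off but restriction or NAT requires it")
    if policy.get("encryption") == "DES":
        # Cheaper on CPU than 3DES, but single DES is a weak cipher; flag the trade-off.
        findings.append("DES selected: saves CPU but is far weaker than 3DES")
    return findings


def lint_rules(rules):
    """Return findings for the rule-based items listed under Proxy Services."""
    findings = []
    for rule in rules:
        name = rule["name"]
        if "all*" in rule.get("services", []):
            findings.append(f"{name}: uses all* as a service; list the individual services")
        if rule.get("log_normal_activity"):
            findings.append(f"{name}: Log Normal Activity is on (Miscellaneous tab)")
        if rule.get("app_data_scanning"):
            findings.append(f"{name}: Application Data Scanning is on; disabling it "
                            "invokes FastPath or the Kernel Proxy")
    return findings


# Constructed sample: a tunnel that only needs telnet restricted, no NAT.
SAMPLE_POLICY = {"encryption": "3DES", "compression": True, "data_volume": 2100000,
                 "lifetime": 120, "inactivity": 0, "pass_to_proxy": True,
                 "restrict_services": True, "needs_nat": False}
SAMPLE_RULES = [
    {"name": "vpn-telnet", "services": ["telnet"], "log_normal_activity": True},
    {"name": "vpn-any", "services": ["all*"], "app_data_scanning": True},
]

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY) + lint_rules(SAMPLE_RULES):
        print(finding)
```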