ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Solved VPN File Transfer Problems

    IT Discussion
    9
    34
    1.4k
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • N
      notverypunny
      last edited by

      Looking for ideas with file transfers over the VPN to our remote sites.
      FileTransfer.png

      The roles of "Server A" and "Server B" can be done by any server in the main datacenter, physical install or VM doesn't matter. Server and client roles have been tested on Server 2012, 2016 and a couple of different flavors of Linux all with the same / similar results. The remote site file transfer results are best case, right now before anyone's in. Typically during the day I'm getting 500K against Server A

      Looped in vendor support for the firewalls and they aren't seeing any drops, errors or issues with the VPN connection.

      I'm seriously at my wit's end on this one..... I've tried with and without flow control on the server side of things with no change, tried playing with driver settings for the servers on the windows side of things all for nothing.

      The 10G NICs are Intel x520 if it makes a difference. From server to server across the fiber links we're able to get approx 500MB/s during business hours, didn't connect over the weekend to do any baselines with mother's day and having done OT the last 2 weekends on our VDI servers.

      1 Reply Last reply Reply Quote 0
      • 1
        1337
        last edited by 1337

        What's the ISP speed? Are the remote sites on the same provider?

        N 1 Reply Last reply Reply Quote 0
        • N
          notverypunny @1337
          last edited by

          @Pete-S remote sites are scattered across Canada and the US. Different ISPs, variety of speeds, same / similar results proportional to the site's connection.

          1 Reply Last reply Reply Quote 0
          • 1
            1337
            last edited by

            @notverypunny said in VPN File Transfer Problems:

            @Pete-S remote sites are scattered across Canada and the US. Different ISPs, variety of speeds, same / similar results proportional to the site's connection.

            So the problem isn't the speed itself?

            The problem is at the remote site where Server A only get 10% of the speed of Server B?

            1 Reply Last reply Reply Quote 0
            • T
              TX1TGUY
              last edited by TX1TGUY

              I would suggest looking around on your switch, firewall, and MODEM for your ISP to see if there is any QoS things setup anywhere.

              Make sure your ISP speeds are consistent. Also remember, ISP uses Mbps and where file transfer speeds are based on MB/s. One is data speed, other is file speed. So if you have 30Mbps upload you will only see a 3MB/s download on the file transfer speed.

              1 Reply Last reply Reply Quote 0
              • D
                dafyre
                last edited by

                Are the FG's Fortigate units?

                The last set I used if you enabled anything at all, you'd take a performance hit.

                N 2 Replies Last reply Reply Quote 0
                • S
                  scottalanmiller
                  last edited by

                  If it varies by server at a single site, then the ISP can't be the issue as the ISP can't tell one server from another. It has to be something else.

                  N 1 Reply Last reply Reply Quote 2
                  • N
                    notverypunny @dafyre
                    last edited by notverypunny

                    @dafyre Yes. Fortigate 501E HA pair at the datacenter / main office, a 101E at the largest US site, 81E everywhere else. All on FW 6.0.4....

                    My current theory is that when the data hits the 501E @ 10G there's something that comes into play to slow things down for the VPN tunnel and it's "throttling" too aggressively. I could understand if I was getting the same results for all DC servers at the remote sites, but that the 10G servers are roughly 10% of the speed consistently over the tunnels...

                    1 Reply Last reply Reply Quote 0
                    • N
                      notverypunny @scottalanmiller
                      last edited by

                      @scottalanmiller Exactly..... I think my next step is going to be to connect to a unused 1G port on the 501E to see if it's the FG all on it's own that's messing with things.

                      1 Reply Last reply Reply Quote 0
                      • N
                        notverypunny @dafyre
                        last edited by

                        @dafyre said in [VPN File Transfer Problems](/post/

                        enabled anything at all, you'd take a performance hit.

                        Can you elaborate on the "anything at all"?

                        We've got a couple of prioritization rules in play for SIP, but everything else over the VPN link is disabled.

                        1 Reply Last reply Reply Quote 0
                        • 1
                          1337
                          last edited by 1337

                          First off you have to look at the traffic. I assume fortigate has a web interface. So how much traffic goes over the IPSEC tunnel when you transfer a file? How many tunnels do you have? How much traffic goes over the WAN interface?

                          What's the cpu load on the fortigate when transferring files? If the hardware can't offload the IPSEC don't expect anything near what the specs say. Firewall probably has a very low spec cpu inside. Often openvpn can't be offloaded like ipsec so look at the specs for openvpn on the firewall to get a ballpark figure what you'd get on ipsec that is not hardware offloaded.

                          Actually looking at Fortigate 101E specs, it can do 250 megabits/s of openvpn. So expect something like that for total throughput over IPSEC if it's not hardware offloaded. Some QoS and packet inspection might cause it to not be able to hardware offload. That is one thing that can cause a severe performance hit like what @dafyre was talking about.

                          Second, best practice is to run the same ISP for VPN links because you want to be on the same backbone. If you don't, you should expect slower link speeds. You're not going to get 10MB/s over a 100Mbit link or 100MB/s over a 1Gbit link.

                          For detailed analysis you need to do packet capture to see what is happening. Just as an example I had a problem with one VPN link that turned out to be a LACP problem on the switch.

                          N 1 Reply Last reply Reply Quote 0
                          • 1
                            1337
                            last edited by 1337

                            Anyway, like anything you have to approach it logically so you can eliminate things.

                            For instance just looking at the link can you run iperf or similar test between the firewalls (on the firewall itself)? Preferably with random data. In that case you can check what your actual vpn link speed is and then if that is slow you can exclude anything that has to do with servers and switches.

                            1 Reply Last reply Reply Quote 0
                            • N
                              notverypunny
                              last edited by

                              Appreciate the insights and advice, but just to be clear, my main point of concern is that I can get up to 10x the speed traversing the same VPN / ISP and network infrastructure when the server is on a 1G copper link in the data center as opposed to when the server is on a 10G fiber link in the data center. I'm fine with disparity from site to site and it's of course to be expected given different ISPs, network conditions and workloads at the different locations.

                              I've done some iperf based testing on the issue already and have shown that raw wan speeds are acceptable and that I can get substantially more speed on iperf than with file transfer. I've also have seen that iperf on windows is garbage, the speeds are nowhere near what I'm getting on as close as I can get to a like for like comparison with linux.

                              1 Reply Last reply Reply Quote 0
                              • N
                                notverypunny @1337
                                last edited by

                                @Pete-S said in VPN File Transfer Problems:

                                Just as an example I had a problem with one VPN link that turned out to be a LACP problem on the switch.

                                Do you recall what the LACP issue was? It's in-play in a couple of points along the path in the data-center.

                                1 1 Reply Last reply Reply Quote 0
                                • D
                                  dafyre
                                  last edited by

                                  If your servers have Intel or Broadcomm nicks in them, you may want to test disabling VMQ.

                                  DashrenderD 1 Reply Last reply Reply Quote 1
                                  • 1
                                    1337 @notverypunny
                                    last edited by 1337

                                    @notverypunny It was some kind of configuration error on the switch. I think the server tried to negotiate LACP while the switch didn't reply as it should and thought it was some kind of loop going on. Traffic would pass but intermittently. From the outside it looked like it worked but slower. Looking closer at packet captures there was a lot of unusual packets which is the reason we started to look at the switches. After reconfiguring the port from scratch everything worked, so I don't know exactly what it was.

                                    1 Reply Last reply Reply Quote 0
                                    • DashrenderD
                                      Dashrender @dafyre
                                      last edited by

                                      @dafyre said in VPN File Transfer Problems:

                                      If your servers have Intel or Broadcomm nicks in them, you may want to test disabling VMQ.

                                      I thought that issue was fixed a while ago?

                                      JaredBuschJ 1 Reply Last reply Reply Quote 0
                                      • JaredBuschJ
                                        JaredBusch @Dashrender
                                        last edited by

                                        @Dashrender said in VPN File Transfer Problems:

                                        @dafyre said in VPN File Transfer Problems:

                                        If your servers have Intel or Broadcomm nicks in them, you may want to test disabling VMQ.

                                        I thought that issue was fixed a while ago?

                                        In theory.

                                        1 Reply Last reply Reply Quote 0
                                        • D
                                          dafyre
                                          last edited by dafyre

                                          The newest piece of gear I have is a Dell R730xd (purchased last year) and we had to disable it on that one. Server 2012 R2 as the host OS. I can't remember which NIC it has off the top of my head, but we did disable VMQ on all the network adapters in that system.

                                          S 1 Reply Last reply Reply Quote 0
                                          • S
                                            scottalanmiller @dafyre
                                            last edited by

                                            @dafyre said in VPN File Transfer Problems:

                                            Server 2012 R2 as the host OS.

                                            That might be your issue right there. That's OLD.

                                            D JaredBuschJ 2 Replies Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 1 / 2
                                            • First post
                                              Last post