Slow performance on Corp VPN for random users

So running into this issue where some users are getting slow connection speeds while on VPN (Pulse Secure). This is pretty random because our sysadmins are getting pretty decent speeds from home when testing. I've included some of my troubleshooting steps and relevant info below:

Testing from Dirty ISP switch (external IP) connected to VPN and iperf test → 36Mbps

Testing from target user's PC while on VPN using iperf to internal server → 3Mbps per sec

SysAdmins testing from home PC while on VPN using iperf to internal server → 10Mbps per sec

Pings from remote users to SA appliance are in the 30-40 ms range

  • SSL encryption, which is a requirement for compliance.
  • 17 remote users
  • 50 Mbps pipe

So we are already planning on upgrading our connection speed, which I know is playing a role in the performance, but speed tests during off hours using iperf show impacted bandwidth performance for some remote users and not for others.

Any ideas or helpful troubleshooting steps that I may have missed?

Have you tested the speed of the connections when not connected to the VPN? They might just have bad service.

So you are using SSL for the tunnel mode and not ESP? I found that there is a hard limit when a user is in SSL tunnel mode. It’s right about 3Mbps. I chalked it up to one being TCP while the other is UDP based.

Just because I dealt with a similar issue recently…Check the MTU settings on the client machines and look at MSS clamp settings on the tunnel. A packet capture should identify excessive fragmentation which could lead to throughput issues.
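An added example, not part of the reply above: one way to look for the fragmentation it mentions is to scan `tcpdump -nn -v` text output for IP fragments, ICMP "need to frag" messages, and SYN MSS values that do not fit the tunnel. The sample capture, the addresses and the 1400-byte tunnel MTU are constructed assumptions, and `analyze` is a hypothetical helper name.

```python
import re

# Constructed sample of `tcpdump -nn -v` text output; addresses and sizes are made up.
SAMPLE = """\
IP (tos 0x0, ttl 64, id 1001, offset 0, flags [DF], proto TCP (6), length 60)
    10.10.0.5.51234 > 10.20.0.9.445: Flags [S], seq 1, win 64240, options [mss 1460,sackOK,nop,wscale 8], length 0
IP (tos 0x0, ttl 63, id 2001, offset 0, flags [+], proto TCP (6), length 1396)
    10.20.0.9.445 > 10.10.0.5.51234: Flags [.], seq 1:1357, ack 1, win 501, length 1356
IP (tos 0x0, ttl 63, id 2001, offset 1376, flags [none], proto TCP (6), length 124)
    10.20.0.9 > 10.10.0.5: ip-proto-6
IP (tos 0xc0, ttl 64, id 3001, offset 0, flags [none], proto ICMP (1), length 576)
    10.10.0.1 > 10.20.0.9: ICMP 10.10.0.5 unreachable - need to frag (mtu 1400), length 556
"""

IP_HDR = re.compile(r"^IP \(.*?\bid (\d+), offset (\d+), flags \[([^\]]*)\]")
NEED_FRAG = re.compile(r"need to frag \(mtu (\d+)\)")
SYN_MSS = re.compile(r"Flags \[S\.?\].*?\bmss (\d+)")

def analyze(capture_text, tunnel_mtu):
    """Summarise fragmentation evidence and MSS values that exceed the tunnel MTU."""
    fragments, frag_ids, ptb_mtus, syn_mss = 0, set(), [], []
    for line in capture_text.splitlines():
        if m := IP_HDR.search(line):
            # A fragment has the More Fragments flag ("+") or a non-zero offset.
            if int(m.group(2)) > 0 or "+" in m.group(3):
                fragments += 1
                frag_ids.add(m.group(1))  # simplification: keyed on IP id only
        if m := NEED_FRAG.search(line):
            ptb_mtus.append(int(m.group(1)))  # ICMP "fragmentation needed" next-hop MTU
        if m := SYN_MSS.search(line):
            syn_mss.append(int(m.group(1)))  # MSS offered in SYN / SYN-ACK
    clamp = tunnel_mtu - 40  # IPv4 header (20) + TCP header without options (20)
    return {
        "fragments": fragments,
        "fragmented_datagrams": len(frag_ids),
        "need_frag_mtus": ptb_mtus,
        "syn_mss": syn_mss,
        "mss_over_clamp": [v for v in syn_mss if v > clamp],
        "suggested_mss_clamp": clamp,
    }

if __name__ == "__main__":
    for key, value in analyze(SAMPLE, tunnel_mtu=1400).items():
        print(f"{key}: {value}")
```

A non-empty `mss_over_clamp` together with a non-zero fragment count means endpoints are negotiating segments larger than the tunnel can carry in one packet.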

Agree on this point.
Also, what are the users doing that they are getting poor performance (file copy, sftp/ftp, ssh, etc…)?
What is your Internet circuit BW? Any other issues with the circuit such as drops, utilization, etc…?
If you are using Pulse I assume you are using MAGs. Any high CPU util or throughput issues being seen? Anything in the logs that seems odd?

So we've run speed tests (speedtest.net) locally, which are in the 150Mbps range, but I have read that this isn't that reliable. I have yet to run iperf to an external iperf server. I'll do that right now.

Interesting. I was thinking that there was a cap, but I am able to get higher Mbps rates from other external users while connected via SSLVPN via iperf testing. May I ask where and/or how you got the 3Mbps cap for SSLVPN?

Flippin genius! MTU was off and once I matched them I saw a boost. Will also look at MSS clamp settings too.

Their biggest pain point is file copy/transfer on/to our CIFS. Internet circuit BW is 50Mbps up/down. We are using MAGs, CPU utilization is steady at around 15%.

Just so we are on the same page… There is a setting under the connection profile to pick ESP or SSL. You have that set for SSL? Is that correct? If that's the case it might be the protocol mix that caps the bandwidth. I saw the 3Mbps during a Lync call. With the VPN there was a hard cap. Once we fixed that user's local network connection, that cap went away (and he was connecting in ESP mode).

Good to hear that helped. MTU is one of the first things I look at when we get reports of speed issues over VPN tunnels.

File transfers would probably take performance hits - just thinking about it high level - a bunch of data getting encrypted and encrypted. Not as lightweight as, say, a telnet session. So to diagnose I would get users who are complaining to get a speedtest. Then get a circuit utilization chart of your Internet BW. See where we are…

Ah… I see. You're talking about on the 'pulse application' on the client side. I have not checked that but will right now. I'll update the thread shortly.

Makes sense that there would be a drop in performance, but this shouldn't affect the "sustained" bandwidth that is reported via iperf, right? I just ran a test from a user on the VPN.

6Mbps to internal iperf server

22Mbps to external iperf server

We are using split tunneling, so the test to the external iperf server bypassed our network and only used hers.

Another thing is that I know the SA can hit higher BW rates, because on my test on our dirty switch I hit 36Mbps while on the VPN to our internal iperf server… but I get that it's really not traversing the internet and basically just hitting our gateway and getting routed back in.