Re: Anyconnect: Intranet download slowness when at Netherlands

icaro.omartinez · ‎02-14-2022

Hi!

Here in my office we are about 17 users, this is a company from Brazil and we have offices at Singapore, Geneva, Pittsburgh (USA), Amsterdam. When working from home or when traveling for work we use the VPN to have access to some productivity tools available in the intranet.

Amsterdam office faces a significant slowness when downloading from intranet. There is a 450mb file available in there which takes about 25~30 minutes in all other subsidiaries but in Amsterdam it takes about 6 hours.

We tested with multiple providers in Netherlands, we also tried from a different town and the result is the same. We are curious here if there is any known port restriction (or any other restriction) at Netherlands which leads to this result. One curious point is that we face same trouble when accessing intranet from our office, the same tunning is applied for all offices around the globe.

This company uses Cisco solutions for firewall, switchers, routers and more.

Thanks in advance.

UdupiKrishna · ‎02-14-2022

Just spitballing, but some ISP(s) tend to control/restrict traffic through their networks. From anyconnect perspective, when it comes to bandwidth speeds, I would suggest exploring DTLS if not enabled already. It definitely helps is some cases.

If the users from Netherlands are using DTLS already, I would start at capturing packets after these connections land on your firewall to calculate overall response time with in youe internal network (though i understand it works fine for other regions). Beyond that, there isn't much that can be done since any ISP could be throttling traffic.

It's also fair to consider the number of hops/networks this traffic has to pass through geographically which can always introduce delays.

icaro.omartinez · ‎02-16-2022

Hi,

we had DTLS on in the past but it's off nowadays cuz it was giving some problems.

Do you think I should contact the ISP to verify what is going on?

UdupiKrishna · ‎02-16-2022

From personal experience they may deny or not provide enough insights, but as suggested once you rule out your internal network, look for any weird routing through traceroute/pathping between your user's IP and firewall public IP. Compare them against the working countries.

The routing of course would be different, but after certain hops they may show similar IP addresses closer to the destination. Beware that some routers/devices on the ISP network may not respond to ICMP and the trace may fail too.

Aref Alsouqi · ‎02-14-2022

I would think it could be something related to the host at Amsterdam where the file you are trying to download is located. Did you try to download another file located on a different host at Amsterdam site?

icaro.omartinez · ‎02-16-2022

Hi,

The file is hosted in the intranet server located at Brazil and it is downloaded at acceptable speed from other offices which use same VPN connection.

In Pittsburgh (USA) we have an office like here in Amsterdam, using same AnyConnect settings for end-users and at the office same tunnel settings to be in the domain's network. The speed there is acceptable, the 450mb file hosted in our intranet server is downloaded in about 30 minutes while here in Amsterdam takes 6 hours.

I still attached to the idea of restrictions within Dutch telecom services on a territorial wise. The issue happens doesn't mattering if I am using 5g by Vodafone, home internet by Ziggo(vodafone), dedicated link, T-Mobile, if I am at The Hague, Rotterdam or Amsterdam. Users from Geneva, for exemple, experiences an acceptable speed as well.

Thanks for the attention all of you, I am carrying the suggestions to the ICT team.

Aref Alsouqi · ‎02-16-2022

Hi, yeah I think you are right, it seems that the traffic from Netherlands could be subject to some sort of inspection maybe. One thing probably I would try to do is to try to download any other file located in Brazil, not at the same DC, anything really and see if the speed looks any better. If not then it would be defo something to do with the way how the traffic between Netherlands and Brazil is being dealt with.

icaro.omartinez · ‎02-16-2022

Aref, in case of proceed with an inspection you think I should do it with Cisco or with the providers in Netherlands?

To download any file from any Brazilian host is ok, the issue only happens for intranet. I will try to copy the file to a different server which its location is covered by a different ISP to perform tests and I will come back asap.

thanks!

Aref Alsouqi · ‎02-16-2022

If the Netherlands ICT do any inspection on the traffic flowing from the Netherlands to Brazil then this is something you wouldn't be able to interact with. Personally I don't believe this would be the case. Now you said that downloading any file from any Brazilian host seems to be ok, and the issue seems only to be with the intranet, then I would highly recommend to raise with this the ISP, there might be something wrong in terms of routing between the ISP in Brazil and the ISPs in Netherlands. Long time ago I ran into some funny issues in Italy, and it was caused by some wrong routes on the ISP side. Do you see anything weird when you try to do a traceroute from Netherlands to Brazil comparing to a traceroute from another country where this issue doesn't exist?