How slow should client VPN make a file transfer(cifs/ftp)

Eric Hansen
Level 1

I have an active/passive 5550 sitting in parallel with the company 5540 firewalls, about 20-40 Anyconnect users teleworking.  Recently complaints came in about file transfer speeds while on the VPN.  The company ISP link is a DS3, with low usage and medium spikes.

So in testing I first checked speed/duplex, no issues there.  MTU is 1460.  So I set up an FTP server on my desktop and set up a NAT rule for the interesting FTP ports and made it visible through the corporate firewalls.

When connected from my home to the VPN with Anyconnect I try to FTP down a 1.3 gig avi file and I average about 112KB/sec.  When I connect to the FTP server via the NAT (not using VPN) my download speeds up to about 1.2MB/sec.  These two attempts were 5 minutes apart.  My home internet is 40meg cable.

I had another user on another isp, and considerably slower service(dsl 1.54), he averaged 32KB/sec on VPN and 88KB/sec off VPN.

Seems to be a huge loss of throughput.  Is that normal?  If it's expected then I'll live with it but that seems like a lot of overhead for SSL VPN.

Any help is greatly appreciated.

e-


Marcin Latosiewicz
Cisco Employee

Eric,

The first thing you need to check is whether you're using DTLS and compression (the former is HIGHLY recommended, the latter is not recommended for broadband). Check the "show vpn-sess svc" output to see if you're actually using DTLS (and not just that it's configured).

Second we need some info about latency and packet drop. ping and iperf can show some information.

Third a packet capture showing the exact transfer on the wire (inside interface of ASA is fair enough)

Marcin

DTLS is running, but not on every user that is connected.  Which seems odd.  I am not at home, so I connected using a Verizon MiFi and it connected as DTLS.

svc compression wasn't explicitly on or off, there was a svc compression deflate on the webvpn portion of the attributes for every group policy.  I passed in a "no compression svc" globally and a "svc compression none" under the webvpn attributes for my group policy.

Ping doesn't drop any packets, tracert shows 3 hops while connected with an average latency of 135ish.

I am setting up iperf and will get a packet capture.  Is there something that should stand out in the decode?  Being on the MiFi the transfer rate is about 102KB/sec, which immediately is better than my home 40meg connection.  This was after the "no compression svc" was put in.  Could that alone be it?

-e

Eric,

SVC Compression is most of the time not needed anyway - it was designed with low bandwidth solutions in mind.

Check:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCte69234

Well, in the capture, first of all let's make sure we get the 3-way handshake.

In the transfer itself we're looking for retransmissions, duplicate ACKs, and out-of-order packets - performance killers.

For non-DTLS users lower performance is expected, a typical TCP-over-TCP problem.

Marcin
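
The three capture symptoms named in the last reply, as an added example that is not part of the original thread: a simplified classifier that walks one TCP flow and labels retransmissions, duplicate ACKs and out-of-order segments. The `(sender, seq, payload_len, ack)` records are constructed sample data, and the heuristics are deliberately simpler than a protocol analyzer's (no timing, no SACK).

```python
from collections import Counter

# Constructed sample of one FTP data connection seen on the ASA inside interface.
# "S" = FTP server, "C" = VPN client. Values are illustrative, not from the thread.
SAMPLE = [
    ("S", 1,    1000, 1),     # data
    ("C", 1,    0,    1001),  # ACK
    ("S", 1001, 1000, 1),
    ("S", 3001, 1000, 1),     # 2001-3000 has not shown up yet
    ("C", 1,    0,    2001),
    ("C", 1,    0,    2001),  # same ACK again
    ("S", 4001, 1000, 1),
    ("C", 1,    0,    2001),  # and again
    ("S", 2001, 1000, 1),     # the hole is filled late
    ("C", 1,    0,    5001),
    ("S", 5001, 1000, 1),
    ("S", 5001, 1000, 1),     # identical segment seen twice
    ("C", 1,    0,    6001),
]

def classify(packets):
    """Label each packet and return (Counter of labels, list of labels)."""
    seen = {}      # sender -> set of (seq, len) data segments already observed
    highest = {}   # sender -> highest seq+len observed so far
    last_ack = {}  # sender -> ack number of that sender's previous pure ACK
    counts, labels = Counter(), []
    for sender, seq, length, ack in packets:
        label = "ok"
        if length > 0:                       # data segment
            end = seq + length
            if (seq, length) in seen.setdefault(sender, set()):
                label = "retransmission"     # same bytes sent again
            elif end <= highest.get(sender, 0):
                label = "out_of_order"       # new bytes, but below the high-water mark
            seen[sender].add((seq, length))
            highest[sender] = max(highest.get(sender, 0), end)
        else:                                # pure ACK
            if last_ack.get(sender) == ack:
                label = "duplicate_ack"      # receiver is still waiting for the same byte
            last_ack[sender] = ack
        counts[label] += 1
        labels.append(label)
    return counts, labels

if __name__ == "__main__":
    totals, _ = classify(SAMPLE)
    print(dict(totals))
```

A high share of these labels in a transfer over a non-DTLS (TLS-only) session is what the TCP-over-TCP remark above would predict: loss on the outer connection stalls the inner one and both stacks retransmit.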