
Most stable type of Site-to-Site VPN connection

ddennis
Level 1

I have a question that I couldn't find an answer for. I currently have a site-to-site VPN setup with a remote hospital. It gives us the capability for our Doctors to be able to read images from our hospital at the remote one. We have started to see issues recently with the applications. Slowness mainly and sometimes the inability to launch applications. We have determined that this is being caused by a lack of connectivity back to our in house servers. The connection seems to flutter and will be okay and operating normally for a short period but as of recently the majority of the time the applications are becoming unusable.

 

We are identifying the potential issues that could be causing the fluctuation in the stability of the VPN. However, it got me thinking that if I was to completely redo the VPN connection then what would be the best settings to use?

 

We currently own a Firepower 2100 model that does our S2S VPNs. We can use IKEv1 and IPSEC or IKEv2, but regardless I'm looking for the most stable settings to achieve this VPN (hashing, encryption, lifetime, pfs, keepalives, ipsec settings, etc.). Alternatively, are there other VPN settings that would be used for a faster type of connection? My main focus is to find a VPN configuration that will meet the needs for reading and sending large images related to CAT scans, X-rays and other studies.

3 Replies

balaji.bandi
Hall of Fame

Is the 2100 able to handle the kind of traffic you expect to transfer? What kind of links (internet speed) do you have? Do you have any ACL policy to use only the hospital application? How is your Internet breakout for the remote hospital?

 

Is the 2100 FP at the remote end or the main office? If it is at the main office, what is at the remote end?

 

Do you have an application bandwidth requirement? How many users at the remote end need to use it at a time? Is this issue only with 1 hospital or all the hospitals?

 

How about local usage of the same application, does that work as expected?

 

The major VPN tuning we see is only MTU / ACL; the rest of the config is mutually agreed between the firewalls, which is standard.

 

 

BB


The VPN tunnel settings themselves would not affect the traffic flowing through the tunnel. From the sound of it, it seems to be an issue caused by some traffic congestion or maybe a lack of computing resources. Do you have any monitoring system in place? Also, please share the diagram of the traffic flow for review.

X-ray images or CT scan images are huge data.

The VPN here is not the problem; the problem is the overhead of the VPN.

Now let's assume your edge router deals with an MTU of 1500.

If it receives more than 1500, then it will fragment it and send.

This fragmenting needs CPU, and hence the edge router will be slow and the app will face issues.

So an IPSec VPN, if I am not wrong, has a 40-byte additional header, and even though this (40 relative to 1500) is so small, the edge router fragments.

So the best solution is to reduce the MTU to 1420 and see the result.
