Slow File Transfer over Site-to-Site VPN

ICT-Support · ‎07-27-2011

All,

I am noticing the following issue with one of our VPN connections:

Site A is connected to the Internet with an ISA Firewall

Site B is connected to the Internet with a CISCO 5505

Both sites are connected together via a VPN

Both sites have around a 6MB up and 6MB down connection to the Internet

If I sent a 100MB file from Site A to B it takes around 30-45 minutes to copy, which to me seems excessive.

I've run Wireshark on the server sending the file (from Site A) and the desktop receiving the file (Site B). Initially, the server sending the file was generating a large number of TCP DUP ACK, TCP FAST RETRANSMISSION, TCP PREVIOUS SEGMENT LOST AND TCP OUT-OF-ORDER messages. I narrowed it down to IPv4 Checksum Offload and IPv4 Large Send offload which I disabled on the server. This sped up the file copy and massively reduced the errors in Wireshark, but not to what I think it should be. I then performed Wireshark logging on the desktop receiving the file which was also generating a large amount of TCP DUP ACK, TCP FAST RETRANSMISSION, TCP PREVIOUS SEGMENT LOST AND TCP OUT-OF-ORDER messages. I disabled IPv4 Checksum Offload and IPv4 Large Send offload options on the network card of the desktop and tried resending the file, which made no difference in speed and still generated the above messages in Wireshark.

I have run an mturoute between site A and B and get the following:

C:\temp>mturoute.exe 10.0.66.2 (to PC on site B)

* ICMP Fragmentation is not permitted. *

* Speed optimization is enabled. *

* Maximum payload is 10000 bytes. *

.- ICMP payload of 1472 bytes is too big.

+ ICMP payload of 92 bytes succeeded.

+ ICMP payload of 782 bytes succeeded.

+ ICMP payload of 1127 bytes succeeded.

+ ICMP payload of 1299 bytes succeeded.

+ ICMP payload of 1385 bytes succeeded.

- ICMP payload of 1428 bytes is too big.

+ ICMP payload of 1406 bytes succeeded.

- ICMP payload of 1417 bytes is too big.

+ ICMP payload of 1411 bytes succeeded.

+ ICMP payload of 1414 bytes succeeded.

+ ICMP payload of 1415 bytes succeeded.

- ICMP payload of 1416 bytes is too big.

Path MTU: 1443 bytes

C:\temp>mturoute.exe 10.0.1.22 (to Firewall on Site A from PC on site B)

* ICMP Fragmentation is not permitted. *

* Speed optimization is enabled. *

* Maximum payload is 10000 bytes. *

...- ICMP payload of 1472 bytes failed. (IP_REQ_TIMED_OUT)

+ ICMP payload of 92 bytes succeeded.

+ ICMP payload of 782 bytes succeeded.

+ ICMP payload of 1127 bytes succeeded.

+ ICMP payload of 1299 bytes succeeded.

+ ICMP payload of 1385 bytes succeeded.

.- ICMP payload of 1428 bytes failed. (IP_REQ_TIMED_OUT)

+ ICMP payload of 1406 bytes succeeded.

.- ICMP payload of 1417 bytes failed. (IP_REQ_TIMED_OUT)

+ ICMP payload of 1411 bytes succeeded.

+ ICMP payload of 1414 bytes succeeded.

+ ICMP payload of 1415 bytes succeeded.

.- ICMP payload of 1416 bytes failed. (IP_REQ_TIMED_OUT)

Path MTU: 1443 bytes

Does anyone think I have an MTU problem somewhere?

Cheers,

Simon.

Lee Valentin · ‎07-27-2011

What's the latency between the sites? Also, are you transferring between Windows Server and or Windows XP?

What you are seeing through your captures is a result of high latency. Measure your latency between the two sites with ping/traceroute and also take into consideration what utilization is on each side. I'm sure you've done this but check for any duplex/mismatches along the path.

Windows XP, Win 2003 each have a limitation of 524288 bits for TCP traffic. Let's use 81ms as an example.

524288 bits / .081 seconds = 6Mbps of throughput

This link has a great explanation of the calcualtion and expectations of throughput. Good luck and hope it helps

http://bradhedlund.com/2008/12/19/how-to-calculate-tcp-throughput-for-long-distance-links/

ICT-Support · ‎07-28-2011

Lee,

Thanks for that. I've just tried (from a PC on site B) downloading an 85.7MB file from a server on Site A and get a transfter rate of 185KB/S (according to windows, downloading a file from a webserver).

When I tried this the first time using a windows file copy I was getting 10 mins 59 seconds for complete transfer (of the 85.7MB file).

Does this sound to you reasonable baring in mind the latency and ipsec overhead?

I am going to re-check the duplex settings as you also suggested.

Regards,

Simon.