Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Site to Site VPN - expected performance?

We have two office locations, with AT&T 1 Gb Fiber at both locations. We also have NSa 2650s at both locations connected via Main Mode VPN with AES-128 encryption. Speed tests indicate full symmetrical performance at both locations going out to each location's WAN. However, when using SMB to connect from a single Windows workstation at the remote office's location to main office's NAS, performance is around 250-300 Mbps with no other traffic. Is 25-30% of wire speed expected performance for this setup? If not, what are the key settings to increase performance? Thank you!

Category: Mid Range Firewalls
Reply

Answers

  • TKWITSTKWITS Community Legend ✭✭✭✭✭

    SMB is notoriously poor as a protocol for testing. Use something like iperf.

    Also note from Sonicwalls spec sheet: "VPN throughput measured using UDP traffic at 1280 byte packet size adhering to RFC 2544."

  • Thanks for your reply. Here is the iPerf results. Seems to be worse.

  • ArkwrightArkwright Community Legend ✭✭✭✭✭

    I know spec sheets should be taken with a pinch of salt but 2650 is specced for 1.3Gbps of VPN throughput so 300Mbps is way low. Also, it should be great out of the box, no particular tweaking required.

    What is internet performance like?

    Check the system monitor, what are CPU and WAN interfaces doing when you are testing? It is definitely not normal for SMB performance to be better than iperf.

  • Internet is great at both sites. No complaints from staff:

    Don't have App Visualization license and using SonicOS 6.5.4 but Live Monitor shows CPU going from 0% to 2% and about 100 new connections during iPerf.

    I am currently not onsite at either location so doing these tests remotely while offices are closed. I am closer to the main office (HQ in CA) where NAS is located.

    Thank you for any hints at what this might be if it is indeed not normal.

  • ChojinChojin Enthusiast ✭✭

    Beside the VPN you should also keep the latency in mind. higher latency might affect throughput-speed

  • ArkwrightArkwright Community Legend ✭✭✭✭✭

    IME iperf performance will always equal or exceed speedtest.net. If you are getting those figures with speedtet.net then that means you're probably not maxing out your links with other traffic, so you should be able get that with iperf as well. I am out of ideas, unfortunately.

  • TKWITSTKWITS Community Legend ✭✭✭✭✭
    edited September 11

    We can't see what your client command is and running iperf with the defaults isn't representative of 'normal' traffic from my experience.

    Latency DEFINITELY affects perceived throughput. 100Mbps with 100ms latency is completely different than 100Mbps with 5ms latency.

    To emulate the test that Sonicwall performs you'd have to run the iperf client with something like "-u -l 1K".

    Remember they are testing in a lab environment and not in the real world over multiple ISP cross connects.

    Throughput testing is complex. Unfortunately speed test sites make people think its easy.

  • What are your tunnel encryption settings?

    You can try lowering it a bit and test again.

  • @Arkwright yes, basic SpeedTest.net tests. For all testing I am doing it far afterhours for both offices so I am likely the only bandwidth user (remote control into the pair of workstations). Thanks for your help so far. I'm surprised at the iPerf results too. Something I'm missing here.

    @TKWITS iPerf3 was run as default. I can run UDP test with your command tonight. Latency of 75ms is high but should I expect this tunnel to perform 1/4th of wirespeed? I know ISPs are caching for most online downloads but this would mean either the Sonicwall is underperforming or I'm being seriously misled by AT&T as to speeds. Is there an independent speed test I can take to verify this?

    Sorry more questions. But so far aside from my original question of "should these Sonicwalls be able to do better with this bandwidth?" now the secondary question is "why is iPerf performing much poorer than a simple SMB copy?" Let me know if you need any more info as I'd love to answer these questions but if you think my speeds are expected for SMB then thanks for your help so far. Also note that both offices are on the same provider (AT&T) and same service (1 Gb Fiber) so there should not be any additional providers involved. I'll do a tracert tonight to confirm hops.

    @JackBurton Current encryption is AES128. I went down to 3DES during testing with no change. I will try DES tonight to see if that makes a difference.

  • TKWITSTKWITS Community Legend ✭✭✭✭✭
    edited September 12

    I will answer some questions but you do need to do your own research.

    should I expect this tunnel to perform 1/4th of wirespeed?: Between encryption and overhead, I pretty much always expect 1/4 to 3/4 of line speed when utilizing a VPN tunnel depending on the underlying protocol. Remember, any traffic going over the tunnel is encrypted and wrapped in a UDP packet and sent to the remote gateway out over the internet.

    Is there an independent speed test I can take to verify this?: Not really as ISPs are really just providing you a connection to THEIR network at the advertised line speed. There are so many other factors involved when connecting to the greater public internet from their network. I usually use librespeed.org or testmy.net for more 'realistic' internet speed testing.

    why is iPerf performing much poorer than a simple SMB copy?: iPerf is a very powerful and customizable tool, and like I previously stated iPerf run with defaults doesnt represent 'normal' traffic well. You really have to understand the IP stack well and related topics such as packet size, buffering, windowing, and ultimately how to mimic a common protocol (e.g. SMB/Samba, iSCSI, VoIP) with iPerf. There are pay tools out there that will mimic these protocols for you, but not everyone has multi-thousands of dollars to pay for them.

    A related read if you want to get into the nitty gritty of modern SMB:

    https://community.spiceworks.com/t/the-windows-horror-story-season-002-smb-large-mtu/821265

    A side note, DES and 3DES are known to be vulnerable to cracking so please do not ever recommend or use them. Older devices used to really choke on AES encryption but those days are past. Also sanitize your screenshots, your public IPs are visible.

  • SonicAdmin80SonicAdmin80 Cybersecurity Overlord ✭✭✭

    Try iperf2 instead of iperf3 and you might see better results, as iperf3 is single-threaded so you might be hitting your CPU cap before network limits.

  • Some news with further testing. Running iperf in UDP mode with @TKWITS command yielded same results. Same results with lower encryption suggested by @JackBurton. Traceroute between WANs indicates traffic never leaves ISP between sites but lots of latency. Got me thinking so I setup a iperf port forward to test over WAN without VPN and…same result! So am in process of troubleshooting the connection with AT&T. Will post back when this is complete.

    @TKWITS thanks for your reply. I'm in the process of researching all this but it seems to point out that it will be costly since it will likely come down to using a WAN accelerator for SMB. Also, oops on that screenshot. Any way to edit posts or do I need to get a moderator involved?

    @SonicAdmin80 Good to know thanks. I'll try that.

Sign In or Register to comment.