VPN performance

jlazzaro

Golden Member
May 6, 2004
1,743
0
0
What is the performance difference between 10 users on a Site-to-Site VPN vs 10 users each running a stand alone client on the same network?

I would think that the Site-to-Site should be exponentially faster. Instead of 10 individual tunnels, everyone would be running under a single tunnel. Therefore reducing the overall bandwidth usage...

However in real world scenarios, it's been the complete opposite. Offices set up with Site-to-Site seem to crawl while those where each client connects individually are very peppy.

Could it be fragmentation issues with the large, single tunnel? Or is this just what I can expect from a Site-to-Site?

Any comments appreciated~!
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
it's fragmentation issues. check MTU on the clients or sniff it (best), some VPN client software automatically adjusts it for performance reasons which is why you are getting these results.

also could be PMTUD problems if you're blocking ICMP.
 

jlazzaro

Golden Member
May 6, 2004
1,743
0
0
Originally posted by: spidey07
it's fragmentation issues. check MTU on the clients or sniff it (best), some VPN client software automatically adjusts it for performance reasons which is why you are getting these results.

also could be PMTUD problems if you're blocking ICMP.

the site-to-site clients wouldn't be running any software, so it would be whatever their nic is set to. if this is indeed 1500, the encryption header would be putting it over the top...

do you have an mtu size you prefer, or is it case by case? searching around, 1300 seems to be popular. i could try a ping google.com -f and adjust the packet size to find the sweet spot...
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
I like 1300. You can get multiple tunnel headers depending on what you move through.

How are the clients connecting if they aren't using any VPN client?
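The arithmetic behind the "encryption header puts it over the top" point and the 1300 figure, as an added example (not code from anyone in this thread): it models ESP tunnel-mode encapsulation with CBC ciphers and a 12-byte HMAC ICV, and the optional NAT-T UDP header and nested-tunnel count are assumptions so the effect of "multiple tunnel headers" can be seen.

```python
"""Estimate IPsec ESP tunnel-mode overhead and the largest inner MTU that
still fits a 1500-byte path without fragmenting the outer packet.

Constants follow RFC 4303 (ESP) for tunnel mode over IPv4; the ICV length
assumes HMAC-SHA1-96 or HMAC-MD5-96 (12 bytes), the usual choice on older
PIX / VPN concentrator deployments. Other headers (GRE, L2TP) are not modelled.
"""

OUTER_IPV4 = 20      # new outer IP header added by tunnel mode
UDP_NAT_T = 8        # UDP header when NAT traversal (UDP/4500) is in use
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_TRAILER = 2      # pad length (1) + next header (1)
ICV_LEN = 12         # truncated HMAC

# cipher -> (IV length, block size) for the CBC ciphers assumed here
CIPHERS = {"3des-cbc": (8, 8), "aes-cbc": (16, 16)}


def esp_tunnel_size(inner_len, cipher="3des-cbc", nat_t=False, tunnels=1):
    """On-the-wire size of an inner IP packet of inner_len bytes after ESP
    tunnel-mode encapsulation, applied `tunnels` times (nested tunnels)."""
    iv_len, block = CIPHERS[cipher]
    size = inner_len
    for _ in range(tunnels):
        # CBC: payload + padding + 2-byte trailer must be a block multiple
        pad = (-(size + ESP_TRAILER)) % block
        size = (OUTER_IPV4 + (UDP_NAT_T if nat_t else 0) + ESP_HDR
                + iv_len + size + pad + ESP_TRAILER + ICV_LEN)
    return size


def max_inner_mtu(path_mtu=1500, **kw):
    """Largest inner packet whose encapsulated form still fits path_mtu.
    A host NIC left at 1500 will exceed this and force fragmentation."""
    for n in range(path_mtu, 0, -1):
        if esp_tunnel_size(n, **kw) <= path_mtu:
            return n
    return 0


def tcp_mss_for(inner_mtu):
    """TCP MSS to clamp to for a given inner MTU (IPv4 + TCP headers = 40)."""
    return inner_mtu - 40


if __name__ == "__main__":
    print("1500-byte inner packet, 3DES, one tunnel ->", esp_tunnel_size(1500), "bytes on the wire")
    print("max inner MTU, 3DES:", max_inner_mtu())
    print("max inner MTU, AES + NAT-T:", max_inner_mtu(cipher="aes-cbc", nat_t=True))
    print("1300 through two nested AES/NAT-T tunnels ->",
          esp_tunnel_size(1300, cipher="aes-cbc", nat_t=True, tunnels=2))
```

A 1500-byte inner packet encapsulates to 1552 bytes with 3DES alone, while 1300 stays under 1500 even through two nested AES/NAT-T tunnels, which is why a conservative value like 1300 keeps working when the header count is uncertain.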
 

jlazzaro

Golden Member
May 6, 2004
1,743
0
0
slowness issue is with the site-to-site, which is a tunnel from a pix 506e to a 3000 concentrator.

the individual PCs at other sites who are running the full client chug right along...