VPN Bottleneck

[Henry Stock]

We have been experiencing very slow file transfers over our WAN link to our
colocation center. Transfer rates on average have been about one third of
the actual line speed. Doing some experiements using our ftp server we now
believe the bottleneck is our VPN link. We did similar file transfers using
our external IP port for the ftp server and across the VPN link. The VPN
was much slower.

That leads me to the question what can I do to improve performance? Our VPN
servers are older boxes, certainly not the most powerful boxes in our
network. We could upgrade them... I am not sure how much faster CPU's and
more memory help. I was wondering what we might use in the way of hardware
to perhaps speed up the encryption and decryption without replacing the
servers.

I thought about the possibility of using secure NICs between the two
locations, but I am not sure what effect that would have on persons using
the normal VPN clients trying to get in from outside.

I would like to hear opinions from those more knowledgable than myself..

--

 

[Guest]

Henry,

We are also experiencing VPN-related performance problems, but this is related to RDP (terminal server) sessions, as opposed to file xfers. We've actually located the bottleneck in our own environment, and are currently working with both IBM and MS-PSS on resolution. We are unsure at this point if our problem (latency on the remote VPN server's inside network card) is a hardware or OS related problem.

Your PC servers may or may not be the source of your bottleneck. If you suspect the PC's are at fault, try running Performance Monitor, and check the CPU utilitization % time, and, among other counters, available physical memory, and don't forget to check your network interface and RAS port counters. If you CPU % utilization is not too high, then you may want to look at something other than the processor as the potential for problems.

These tests should give you a better idea of where the problem is occuring. Also, what type of VPN do you have? Is it site-to-site, for example, linking a corporate office to a branch office, or is it a client-to-site, where, for example, telecommuters dial in? Or are you like us, and have both a site-to-site VPN, as well as a few client-to-site connections? Is your VPN running the PPTP or L2TP protocol? PPTP, which is older, may give you a little better overall performance due to its inclusion of compression, which is certainly needed, given the fact that the encryption that is inherent to PPTP will place an addt'l load on your VPN links.

Other important questions include, what type of Internet access do you have at your corporate site? Are you running frame relay, fiber, cable, DSL, etc? What speed is you main link, is it 128k. 256k, 1.54Mb (T1) or better? Also, who is your ISP?
As you can see, there are really a lot of variables to consider in regards to VPN performance. How many VPN sessions do you have active during peak times? What are the size of the files being transferred, and what is the estimated volume of file transfer traffic on a busy day? Please feel free to reply to the group, as I'd like to get some more info about your environement before making any recommendations. Good luck, and I'll be checking this forum again periodically for replies.