OT: Site to site IPSEC VPN speed question

OT: Site to site IPSEC VPN speed question

mdquerng
Hi all

Short question: Can anyone tell me if a site to site VPN tunnel (IPSEC in this case) is limited in both the upstream and downstream bandwidth by the slowest bandwidth (usually upstream) of the slowest endpoint?


Much longer explanation: I have a customer in Chattanooga that has EPB's 100 Professional service (100 down/100 up, SLA, etc.). They have a branch office that has Comcast Business (asymmetric) service and another one that has Charter Business (asymmetric) service (I know). I have created site to site static VPN connections from the branch offices to the Chattanooga office using Cisco ASA-5505 devices at each location.

The bandwidth requirements over the VPN are extreme for this particular client. Basic internet speed testing from all the branches establishes the following rough internet connection speeds:

Chattanooga office: (EPB speed test) 94 down/85 up
Branch office 1: (Comcast Business speed test) 91 down/11 up
Branch office 2: (Charter Business speed test) 83 down/7 up

When I do an iperf speed test across the VPN tunnel where the Chattanooga office is the iperf server and each branch office is the client, I get the following results:

Branch office 1: (iperf to Chattanooga) 10 down/10 up
Branch office 2: (iperf to Chattanooga) 6 down/6 up

I have never really thought about this before since my client's VPN speed requirements have been very modest to this point. It appears that the speeds I'm measuring over the tunnel with iperf at each branch office almost exactly match the limited upload bandwidth at the respective branch. This leads me to believe that IPSEC VPN tunnel bandwidth must need to be symmetric.

I understand that IPSEC will certainly require some overhead on the bandwidth available and I've also looked into tweaking TCP MTU/MSS settings, possible interface issues, etc. However, it seems very odd to me that the up and down bandwidth through the VPN tunnel at each branch almost exactly matches the maximum available upload bandwidth of that branch's ISP. I've gone so far as to test this theory with another client that has fast symmetric bandwidth at their main office and slower asymmetric bandwidth at their branch office and I get identical results.

Before I move forward with further troubleshooting, opening a TAC case, investigating other/better ISP options, I thought I'd ask the Chugalug collective brain on this one. Thoughts?


Best
Mark

Re: [Chugalug] OT: Site to site IPSEC VPN speed question

Stephen Haywood
The VPN is going to move at the rate of the slowest link, which is the upload rate of the asymmetric circuit. 

On Tuesday, November 10, 2015, mdquerng <[hidden email]> wrote:
Hi all

Short question: Can anyone tell me if a site to site VPN tunnel (IPSEC in
this case) is limited in both the upstream and downstream bandwidth by the
slowest bandwidth (usually upstream) of the slowest endpoint.


--
Stephen Haywood
Owner, ASG Consulting
CISSP, OSCP
423.305.3700


_______________________________________________
Chugalug mailing list
[hidden email]
http://chugalug.org/cgi-bin/mailman/listinfo/chugalug
Re: [Chugalug] OT: Site to site IPSEC VPN speed question

mdquerng
Thanks, Steven, for confirming what more and more results were starting to point to.

That being said, does anyone have any suggestions with respect to vendors that can supply a symmetric 50/50 pipe in Fort Oglethorpe, GA and Cleveland, TN? (They don't need to be the same vendor.)


Best
Mark
Re: [Chugalug] OT: Site to site IPSEC VPN speed question

David White-2
I know someone who runs a data center in Cleveland who I think has a 100mb connection. I'll reach out to him.

On Wed, Nov 11, 2015 at 1:32 PM, mdquerng <[hidden email]> wrote:
Thanks Steven for confirming what more and more results were starting to
point to.

That being said. Anyone have any suggestions with respect to vendors that
can supply a symmetric 50/50 pipe in Fort Oglethorpe, GA and Cleveland, TN
(don't need to be the same vendor).


Best
Mark



--
David White
Founder & CEO

Develop CENTS 
Computing, Equipping, Networking, Training & Supporting 
Organizations Worldwide

Re: [Chugalug] OT: Site to site IPSEC VPN speed question

Mike Harrison-4
> On Nov 11, 2015, at 1:32 PM, mdquerng <[hidden email]> wrote:
>
> Thanks Steven for confirming what more and more results were starting to
> point to.
>
> That being said. Anyone have any suggestions with respect to vendors that
> can supply a symmetric 50/50 pipe in Fort Oglethorpe, GA and Cleveland, TN
> (don't need to be the same vendor).


Something tells me y'all need better application design/coding. That's a bunch of bandwidth for most things.

Re: [Chugalug] OT: Site to site IPSEC VPN speed question

Dan Lyke
On Wed, Nov 11, 2015 at 10:50 AM, Mike Harrison <[hidden email]> wrote:
> Something tells me ya’ll need better application design/coding. That’s a
> bunch of bandwidth for most things .

Also, if the VPN really is requiring a symmetric connection (and it's not just that you're saturating your upstream so that the ACKs are having to wait to go through), then moving some of that traffic to SSH or another secure protocol that doesn't require symmetry seems like a good idea.

Think holistically...

Dan
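The link math behind Mark's iperf numbers and Dan's ACK-queueing caveat, as an added example that is not part of the thread. It models each direction of the branch-to-Chattanooga tunnel as the narrower of the sender's upload and the receiver's download, then subtracts ESP tunnel-mode framing overhead at a 1500-byte MTU. The transform set (IPv4, AES-CBC with a 16-byte IV, HMAC-SHA1-96) is an assumption, since the thread never states what the ASAs negotiate; the speed-test figures are the ones from the original post, read as Mb/s; TCP ACK contention on a saturated upstream is deliberately not modelled.

```python
# Added example (not from the Chugalug thread): per-direction capacity of a
# site-to-site IPsec tunnel between an asymmetric branch and a symmetric HQ,
# and the ESP tunnel-mode framing overhead that eats into it.
# Overhead sizes assume ESP tunnel mode over IPv4 with AES-CBC and HMAC-SHA1-96;
# that transform set is an assumption, the thread never states it.

from dataclasses import dataclass

# --- ESP tunnel-mode framing (IPv4, AES-CBC, HMAC-SHA1-96); assumed transform ---
OUTER_IP_HDR = 20      # new outer IPv4 header added by tunnel mode
ESP_HDR = 8            # SPI (4) + sequence number (4)
ESP_IV = 16            # AES-CBC initialisation vector
ESP_TRAILER = 2        # pad length (1) + next header (1)
ESP_ICV = 12           # HMAC-SHA1-96 integrity check value
CIPHER_BLOCK = 16      # AES block size; plaintext + trailer is padded to this
INNER_IP_TCP = 40      # inner IPv4 (20) + TCP (20) headers, no options


@dataclass
class Site:
    name: str
    down_mbps: float   # measured ISP download
    up_mbps: float     # measured ISP upload


def max_tcp_mss(outer_mtu: int = 1500) -> int:
    """Largest TCP payload per packet that still fits the outer MTU after ESP
    framing. This is the MSS clamp the original poster mentioned tweaking."""
    # Bytes left for the encrypted part (inner packet + trailer + padding).
    enc = outer_mtu - OUTER_IP_HDR - ESP_HDR - ESP_IV - ESP_ICV
    enc -= enc % CIPHER_BLOCK          # must be a whole number of cipher blocks
    inner = enc - ESP_TRAILER          # largest inner packet with zero padding
    return inner - INNER_IP_TCP


def esp_efficiency(outer_mtu: int = 1500) -> float:
    """Fraction of line rate that reaches TCP as payload with full-size segments."""
    return max_tcp_mss(outer_mtu) / outer_mtu


def direction_capacity(sender: Site, receiver: Site, outer_mtu: int = 1500) -> dict:
    """Expected goodput sender -> receiver: the narrower of the sender's upload
    and the receiver's download, reduced by ESP framing overhead."""
    if sender.up_mbps <= receiver.down_mbps:
        bottleneck, link_mbps = f"{sender.name} upload", sender.up_mbps
    else:
        bottleneck, link_mbps = f"{receiver.name} download", receiver.down_mbps
    return {
        "direction": f"{sender.name} -> {receiver.name}",
        "bottleneck": bottleneck,
        "link_mbps": link_mbps,
        "expected_goodput_mbps": round(link_mbps * esp_efficiency(outer_mtu), 1),
    }


def tunnel_report(hq: Site, branch: Site) -> dict:
    """Both directions of the branch <-> HQ tunnel."""
    return {
        "branch_up": direction_capacity(branch, hq),     # branch uploading
        "branch_down": direction_capacity(hq, branch),   # branch downloading
    }


# Speed-test figures from the original post, read as Mb/s.
HQ = Site("Chattanooga", down_mbps=94, up_mbps=85)
BRANCH1 = Site("Branch 1", down_mbps=91, up_mbps=11)
BRANCH2 = Site("Branch 2", down_mbps=83, up_mbps=7)

if __name__ == "__main__":
    print(f"MSS with ESP framing on a 1500-byte MTU: {max_tcp_mss()} bytes "
          f"({esp_efficiency():.1%} of line rate is TCP payload)")
    for branch in (BRANCH1, BRANCH2):
        for r in tunnel_report(HQ, branch).values():
            print(f"{r['direction']:24} bound by {r['bottleneck']:20} "
                  f"{r['link_mbps']:>4} Mb/s -> ~{r['expected_goodput_mbps']} Mb/s goodput")
```

The model gives about 10.3 and 6.5 Mb/s for the two branches' upload direction, which lines up with the 10 and 6 Mb/s Mark measured, so the upload figures are explained by the branch ISPs plus roughly 7% ESP framing. The download direction comes out near 79 and 77 Mb/s, bounded by Chattanooga's upload or the branch's download rather than by the branch's upload, so a measured 10 Mb/s there is not what the link math predicts. Two things worth checking before blaming the tunnel: iperf's default test only pushes data from the client to the server (the branch's upload), so the reverse direction needs its own run with the roles swapped or the reverse option, and, as Dan notes, a download run while the upstream is saturated leaves the ACKs queueing behind bulk upload and throttles TCP in the other direction.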
Re: OT: Site to site IPSEC VPN speed question

Jaysan_9
This post has NOT been accepted by the mailing list yet.
When you buy VPN service, always make sure that they provide access to networks from various countries. I think ExpressVPN is the best VPN of 2017, and it is popular all around the world. They have 145+ VPN servers in 90+ countries.