I have a site-to-site VPN configured between my office in Canada and Chile. Here are the specs:

Canada:
Internet: 2Mbps (burst to 10)
Firewall/VPN: PIX 506

Chile:
Internet: 2Mbps
Firewall/VPN: PIX 501
Only about three people there

OK, here's the thing: I have connectivity, but I want my Chilean people to be able to open Office documents on the Canada server. I don't want to have to have a server in Chile (too much support). Documents are getting duplicated and it's a pain for version control. However, because the link is so slow, we have to do this.

What I can't understand is why the link is so slow. We have fairly fat Internet links with no problems at the SP end (in fact, we're on our second SP in Chile, but it's still slow).

Any ideas on what I can do to troubleshoot?



eddie.mitchell@... Fri, 02/06/2009 - 14:28

Have you tried performing some basic network traces between the two sites? There may be one or more hops in the network path that are introducing increased levels of latency.

Ivan Martinon Fri, 02/06/2009 - 14:34

Hi Dave, the first thing to understand here is that the fact that both of your firewalls have a 2MB internet connection does not determine the speed of the path, since after your PIX passes this information to your ISP there are several ways to get to your other PIX. First you would need to test your peer-to-peer connection, so I would go ahead and ping the public address of one PIX from the public address of your other PIX, then get the average transfer rate in milliseconds. Now, remember that this is plain-text traffic, so you would need to reduce some milliseconds, which is what the encryption/decryption process takes.

One thing to look at too is that in most cases the problem is not really the path but the application type, mainly Windows applications. These applications use a big packet size, which, if not treated correctly, causes packets to be retransmitted. What I would advise is to go ahead and enable this command on both firewalls: "sysopt connection tcpmss 1300"

You do not have to worry about any effect on your applications when applying this command. What it does is intercept the SYN packet from TCP speakers and change the MSS value from 1460 (default), forcing it to be 1300, so both TCP speakers will agree on a Maximum Segment Size of 1300, which will cause the packets to be smaller, hence preventing fragmentation issues.
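To show what MSS clamping actually does on the wire, here is an added example (not from this thread or from Cisco) that parses a TCP SYN, rewrites the MSS option from 1460 down to 1300 as the sysopt command does, and fixes the TCP checksum. The addresses, ports and the sample SYN are constructed for the demonstration.

```python
import socket
import struct

# Constructed sample endpoints (not real hosts): a SYN from the Canada LAN to the Chile LAN.
SRC_IP, DST_IP = "10.1.1.10", "10.2.2.20"

def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum over 16-bit words (pads an odd trailing byte)."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """TCP checksum includes the IPv4 pseudo-header (src, dst, zero, proto 6, length)."""
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 6, len(segment))
    return ones_complement_sum(pseudo + segment)

def build_syn(mss: int) -> bytes:
    """Constructed SYN: sport 51000 -> dport 445, flags=SYN, one MSS option (kind 2, len 4)."""
    options = struct.pack("!BBH", 2, 4, mss)
    doff = (20 + len(options)) // 4                       # header length in 32-bit words
    hdr = struct.pack("!HHIIBBHHH", 51000, 445, 1000, 0, doff << 4, 0x02, 8192, 0, 0)
    seg = hdr + options                                  # checksum field currently 0
    return seg[:16] + struct.pack("!H", tcp_checksum(SRC_IP, DST_IP, seg)) + seg[18:]

def _walk_options(segment: bytes):
    """Yield (offset_in_segment, kind, length) for each TCP option; stops at EOL/garbage."""
    doff = (segment[12] >> 4) * 4
    i = 20
    while i < doff:
        kind = segment[i]
        if kind == 0:                                    # End of option list
            return
        if kind == 1:                                    # NOP, single byte
            i += 1
            continue
        if i + 1 >= doff or segment[i + 1] < 2:          # malformed length: stop parsing
            return
        yield i, kind, segment[i + 1]
        i += segment[i + 1]

def advertised_mss(segment: bytes):
    for off, kind, length in _walk_options(segment):
        if kind == 2 and length == 4:
            return struct.unpack("!H", segment[off + 2:off + 4])[0]
    return None

def clamp_mss(src: str, dst: str, segment: bytes, max_mss: int) -> bytes:
    """What 'sysopt connection tcpmss' does: lower MSS in a SYN, then recompute the checksum."""
    if not segment[13] & 0x02:                           # only SYN/SYN-ACK carry the MSS option
        return segment
    seg = bytearray(segment)
    for off, kind, length in _walk_options(segment):
        if kind == 2 and length == 4 and struct.unpack("!H", seg[off + 2:off + 4])[0] > max_mss:
            seg[off + 2:off + 4] = struct.pack("!H", max_mss)
    seg[16:18] = b"\x00\x00"
    seg[16:18] = struct.pack("!H", tcp_checksum(src, dst, bytes(seg)))
    return bytes(seg)

def checksum_ok(src: str, dst: str, segment: bytes) -> bool:
    """A segment whose checksum is correct sums (with the field included) to zero."""
    return tcp_checksum(src, dst, segment) == 0
```

A SYN already advertising less than the clamp value is left untouched, which is why the command is safe to apply on both firewalls.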


Thanks for your input. I do understand the points you're referring to (packet sizes of applications, added overhead associated with encryption, etc.).

Thanks for the sysopt command. I had heard about that one, but forgot about it. I added it, but it didn't change much.

What I don't really get here is that I'm seeing the connectivity stay at about 30-36 ms in North America, but when it leaves NA and hits Chile, I see a sharp increase to about 200-220 ms.

While that's high, it's not like it's crazy high. I need to understand why performance is so bad. I don't think it's firewall related, but I can't be sure.

My plan is to remove the Chilean server from behind the firewall and see if performance increases.

I'd appreciate any thoughts or input on figuring this one out.
