Branch office - Slow WAN

Unanswered Question
Oct 11th, 2009

I am doing some consultancy work for a charity organization. They currently share our data center, where 2 Citrix servers are located. They have around 15 branch offices that connect to the data center via VPN tunnels. All branch offices use either Cisco 831 or 1801 routers. Each branch office has a 512k or 2MB ADSL connection.

Branch offices are reporting slow response for their citrix apps.

My recommendation would be that they move to a private network and not use VPN tunnels, and also upgrade the ADSL links to SHDSL; however, being a charity, cost is very hard to justify.

Also I thought about implementing QoS over the VPN, but not sure how effective this would be.

Can anyone give me some advice/thoughts based on the above?

Thanks in advance

Ian Cowley Sun, 10/11/2009 - 13:05

Andy

Probably need a bit more info.

Where are you Oz?

What's the bandwidth available at HQ?

What's the VPN terminating on?

How many Citrix sessions are running at the BOs?

Have the Citrix servers been optimised?

Use 100kbits/s as a starting point for bandwidth per session. Citrix boys will yell, but it's a good start.

IanC

andypearce33 Sun, 10/11/2009 - 13:43

Hi Ian, thanks for your reply....

Where are you Oz?

Sydney

What's the bandwidth available at HQ?

2Mb SHDSL link to the data center

Whats the VPN terminating on?

They share our firewall at the data center, a Cisco PIX. I would like to move them off our firewall and onto their own.

How many Citrix sessions are running at the BOs?

Max 10 to 15 per site. (15 BOs in total)

Have the Citrix servers been optimised.

Citrix have been optimised for performance for Applications.

Use 100kbits/s as a starting point for bandwidth per session. Citrix boys will yell, but it's a good

Citrix have advised we look at Citrix Branch Repeaters. However, I am not sure how much this will benefit.

Joseph W. Doherty Sun, 10/11/2009 - 18:06

"Also I thought about implementing QoS over the VPN, but not sure how effective this would be. "

QoS can be very effective, and also not. Depends whether there's sufficient bandwidth to support your Citrix application traffic and it's just a question of some other traffic, which shares the path, that adversely impacts Citrix.

With VPN across the Internet, one key part of doing QoS is not sharing any Internet bandwidth that's not under the control of QoS. For instance, if you strictly use an Internet connection for a VPN, we "know" the bandwidth going to the branch and can manage it at the HQ side. However, if the same branch Internet link is also used for "raw" Internet access in addition to the VPN, we never know what the Internet ingress (to the site) bandwidth usage might be. (Internet egress [to the Internet] bandwidth, can often be shared.)

PS:

If a branch does have a need for both the VPN and "raw" Internet access, you can either provide the Internet access via the HQ site or run a 2nd Internet connection at the branch. (If two links are used, either can provide redundancy for the other, although QoS guarantees will be lost when running during a link failure. However, poor performing network access is often better than no access, at least until the broken link is fixed.)

andypearce33 Sun, 10/11/2009 - 22:43

Thanks for your replies. I have spent the afternoon checking the bandwidth utilization. I can see some sites spike in bandwidth utilization throughout the day, reaching almost 80% to 100% in some cases.

In the previous post it was mentioned 100kbps per Citrix session. If that is the case I can see why we may see performance problems. Citrix say 20 to 30; is this too liberal?

Joseph W. Doherty Mon, 10/12/2009 - 04:46

If there's only Citrix traffic and you see 80 to 100% utilization, you might have insufficient bandwidth. However, FQ for such Citrix traffic might be perceived by users as slightly better. Also, Citrix supports disk-to-disk and printing traffic along with its remote desktop. The former Citrix traffic types can adversely impact the latter. In the later Citrix protocol, Citrix marks these traffic types differently so they can be treated differently. If there is such a mix of Citrix traffic, using the Citrix traffic tags can make a difference. (NB: The later NBAR version can "see" this marking.)

andypearce33 Sun, 10/11/2009 - 23:59

Hi Joseph, if we implement QoS across our VPN tunnel, does our ISP need to read the tagged packets?

Joseph W. Doherty Mon, 10/12/2009 - 04:40

"if we implement QoS across our VPN tunnel, does our ISP need to read the tagged packets?"

No, because there's no need, or much use, to tag the packets. Generally the Internet isn't going to honor any ToS markings. However, what we want QoS to manage are congestion points and these are most often the links to/from the Internet. (The Internet itself often has ample bandwidth, although some ISPs do not.)

Usually we can QoS manage traffic leaving our site, but the other issue is traffic entering our site. Again, though, if we can restrict traffic entering our site to just traffic leaving another site (e.g. VPN), we can usually provide QoS management.

In other words, if we can treat the VPN like a logical p-t-p link, how we QoS admit traffic entering the path is how it will exit the path.

andypearce33 Tue, 10/13/2009 - 01:52

Thanks Joseph. The only traffic that passes through the VPN tunnel is Citrix, so I don't think QoS will help much here. The problem is their shared Internet access, which does not go through the tunnel.

Joseph W. Doherty Tue, 10/13/2009 - 04:01

Sharing the Internet link is a likely culprit. Again, if this is the issue, two possible solutions: access the Internet via the VPN, or put in another inexpensive ISP connection (one for VPN, one for "raw" Internet).
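The approach Joseph describes in his QoS posts (treat each VPN as a logical point-to-point link and make the HQ router, not the ISP's ADSL queue, the congestion point) can be expressed as a hierarchical MQC policy. The configuration below is an added example written for this thread, not something posted by any participant or taken from a Cisco document. It assumes the HQ end of the branch VPN terminates on an IOS router (the thread says it currently terminates on a shared PIX) as a GRE-over-IPsec tunnel interface named Tunnel1, that the branch on that tunnel has a 2 Mb/s ADSL downstream with no "raw" Internet traffic sharing it, and that Citrix ICA uses TCP 1494 and CGP (session reliability) TCP 2598. The 1800 kb/s shape rate, the bandwidth percentage and the interface names are assumptions chosen for illustration; the `ica-tag` NBAR match is the "later NBAR" marking Joseph mentions and only applies on an IOS/NBAR release that recognises it.

```cisco
! Added example for this thread (not posted by any participant).
! Assumed: HQ-side IOS router, Tunnel1 = GRE/IPsec to a branch with a
! 2 Mb/s ADSL downstream that carries VPN traffic only.
!
! 1. Classify Citrix traffic heading toward the branch.
!    Server -> client packets have ICA/CGP as the SOURCE port;
!    the reverse entries are included so the same ACL can be reused
!    for an inbound/branch-side policy.
ip access-list extended CITRIX-ICA
 permit tcp any eq 1494 any
 permit tcp any eq 2598 any
 permit tcp any any eq 1494
 permit tcp any any eq 2598
!
class-map match-any CITRIX-INTERACTIVE
 match access-group name CITRIX-ICA
 ! Optional, assumes an NBAR release that sees ICA priority tags:
 ! tag 0 is the screen/keyboard/mouse (interactive) channel.
 match protocol citrix ica-tag 0
!
! 2. Child policy: queueing decisions. Citrix gets a guaranteed share;
!    anything else (printing, drive mapping, management) is fair-queued
!    in class-default. 60% keeps the default 75% reservable limit on
!    older IOS releases.
policy-map BRANCH-QUEUES
 class CITRIX-INTERACTIVE
  bandwidth percent 60
 class class-default
  fair-queue
!
! 3. Parent policy: shape a little below the branch's ADSL downstream so
!    queueing happens here, under our control, instead of at the ISP.
!    Shaping to ~90% of line rate leaves room for ATM/PPPoE overhead.
policy-map SHAPE-TO-BRANCH1
 class class-default
  shape average 1800000
  service-policy BRANCH-QUEUES
!
! 4. Apply outbound on the tunnel toward that branch. One parent policy
!    per branch, each shaped to that branch's known downstream rate.
interface Tunnel1
 description GRE/IPsec to branch 1 (2 Mb/s ADSL, VPN only)
 service-policy output SHAPE-TO-BRANCH1
```

Two points follow from Joseph's posts rather than from this config. First, no DSCP/ToS marking is needed for this to work, because the policy never relies on the Internet honouring anything; the shaper simply refuses to send faster than the far end can receive, so the CBWFQ child policy is where the Citrix versus everything-else decision is made. Second, the branch-side mirror of this (shape the 831/1801's egress to its ADSL upstream rate and apply the same child policy) only controls the branch-to-HQ direction, and neither direction can be protected once "raw" Internet traffic shares the same ADSL line outside the tunnel, which is exactly the situation Andy reports. Before spending on shaping, `show policy-map interface Tunnel1` on the HQ router will show whether the Citrix class is actually seeing drops; if it is not, bandwidth rather than contention is the problem.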
