09-06-2016 08:56 AM - edited 03-08-2019 07:18 AM
A number of Meraki users are complaining about their "speed". Users always gripe about something but at least one or two seem to have legitimate complaints. One user reports about 178/11 Mbps when he plugs directly into the cable modem/router. When using the Meraki, he reports 16/4 Mbps. These tests were done using the DSL Reports speedtest (http://www.dslreports.com/speedtest?httpsok=0). The Meraki dashboard reports 15.6 Mbps throughput which is consistent with the speed test.
There are no per-client limits on throughput.
I know that things like encryption overhead, fragmentation and the quality of consumer grade connections will affect the throughput but it seems to me that a 90% reduction is a bit much.
Would it help to reduce the MSS to keep the overall packet size below 1500 octets? 1328 looks good with AES.
Any hints about how to improve the performance or even if it possible are appreciated.
09-06-2016 10:18 AM
Disclaimer
The Author of this posting offers the information contained within this posting without consideration and with the reader's understanding that there's no implied or expressed suitability or fitness for any purpose. Information provided is for informational purposes only and should not be construed as rendering professional advice of any kind. Usage of this posting's information is solely at reader's own risk.
Liability Disclaimer
In no event shall Author be liable for any damages wha2tsoever (including, without limitation, damages for loss of use, data or profit) arising out of the use or inability to use the posting's information even if Author has been advised of the possibility of such damage.
Posting
I'm unfamiliar with Meraki, but generally fragmentation is to be avoided as it often very much impacts performance.
ADSL links I believe generally use PPPoE which generates 8 bytes of overhead.
Encryption usually adds 60 to 80 bytes of overhead. Normally you're "safe" if you set MSS to 100 bytes less than MTU, which if using PPPoE should be set for 1492.
09-07-2016 09:09 AM
Here is how my thinking is going regarding the 1328 octet MSS.
TCP/IP overhead = 40 B
Total IPSEC Overhead = 84 B:
MD5/SHA1 Message Size overhead = 8 B
Sub Total Overhead = 132 B
HMAC Padding identifier = 1 bit (more on that below)
MD5/SHA1 blocksize is 64 B
AES Blocksize 16 B
If the MTU is 1500 octets then the remaining space for data is no more than 1500 - 132 = 1368.
HMAC Blocks
1368/64 = 21.375. Rounding down, 21*64 = 1344 B
AES Blocks
1368/16 = 85.5. 85*16 = 1360
1344/16 = 84 but that extra HMAC bit above effectively reduces that to 83 blocks so the maximum MSS becomes 83 * 16 = 1328
So
for 1328
AES padding = 0 B
SHA1 message length = 8 B
SHA1 padding = 8 B
IPSEC headers = 84 B
TCP/IP Headers = 40 B
Total MTU = 1468
For 1344
AES padding = 0 B
SHA1 Message Length = 8 B
SHA1 padding = 64 B
IPSEC headers = 84 B
TCP/IP headers = 40 B
Total MTU = 1540
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide