Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
630
Views
0
Helpful
1
Replies

RDP over Site-to-Site VPN Performance

bubarooni
Level 1
Level 1

‎07-28-2010 07:28 AM

Hi,

I have a PIX 506e and an 1841 that I have used to establish a site-to-site vpn.  Servers are located behind the PIX that the users behind the 1841 access through a Win2k3 Terminal server which is also behind the PIX.  I have about 14 users at the remote site where the 1841 is located.

The PIX has a cable modem and is rated at 8x2 mb's.  The 1841 has 2 bonded T1's.

A tracert from the central site to the remote site is about 13 hops.

My users at the remote location where the 1841 is located complain about sluggish performance.  And they complain all the time...

Pinging from my central location (where all servers are located) to the remote location I came up with a MTU of 1272 using the ping command:

ping 192.168.9.29 -f -l 1272

and from the remote location to a server at the central location I got a MTU value of 1414 using the same procedure.

So the smallest value I found that works is 1272.  Should I set that as the value on the PIX and Router I'm using or should I use 1300 which I keep seeing as I google this issue.

Also, if I'm setting the MTU on the network devices, does that mean I don't have to set it on the Terminal Server or the clients?

Anyway, I'm hoping someone on this board will have ran across the same issue of sluggish performance of RDP over a VPN and know a magical way for me to fix or at least help it perform better.

Thanks In Advance!

Labels:
0 Helpful
1 Reply 1

Todd Pula
Level 7
Level 7

‎07-28-2010 09:24 AM

For TCP traffic, we typically modify the MSS value in order to minize problems that can arrise from fragmentation.  This value is negotiated during the SYN and SYN ACK exchange and identifies the largest segment size that the hosts can support.  A Cisco router or PIX/ASA sitting in the path can influence this value up or down.  On PIX 6.3 code, the command is enabled globally using "sysopt connection tcpmss [# bytes]".  On an IOS router, this command is more commonly configured on the LAN facing interface using the "ip tcp adjust-mss [# bytes]" command.  You can use the MTU value that you have gleaned from your ICMP tests as a baseline.  You will need to ensure that you are leaving enough overhead for IPSec.

0 Helpful
Customers Also Viewed These Support Documents