Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
10964
Views
5
Helpful
5
Replies

VPN increases latency - workaround - vpn tunnel - different ISP adds milliseconds

Go to solution
Ranbeckycr_2
Level 1
Level 1

‎10-06-2011 02:57 PM

Experts,

I ran into a very interesting issue.  I am connecting 3 offices via point to point wireless antena.  There is a main central location and 2 remote offices.

Previously all location were running under the same wireless antenna point to point provider.  Each Antenna runs 10Mbps.

Central location Antenna1-------------------------------------remote peer 1  (vpn and latency works perfect)

Central location Antenna 2-------------------------------------remote peer 2  (vpn increases latency but ip to ip works fine).

For the central location 2 these are the tests that I ran

Central Location Antena 2

Router inside: 10.10.10.1

Router outside:  200.1.1.1

Remote peer 2:

Router inside: 10.9.9.1

Router outside:  195.2.2.2

Success rate is 100 percent (5/5), round-trip min/avg/max = 432/553/656 ms  (This is when I ping via VPN from 10.10.10.1 to 10.9.9.1)

Success rate is 100 percent (5/5), round-trip min/avg/max = 12/18/28 ms (this is when I ping 200.1.1.1 to 195.2.2.2.2  regular internet)

What could cause this huge delay?  I have tested various routers on Antenna2 and it is the same result.  Delay only happens when I add VPN.

THank you for any light.......

Randall

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Kishore Chennupati
Level 7
Level 7
In response to Ranbeckycr_2

‎11-02-2011 08:42 PM

Hi Randal

Definetly, There is a work around. It is by lowering the  ip mtu  before its hits the tunnel. The way to counter this is to set the ip mtu on the tunnel interface to  1400bytes(if you using GRE Tunnel with IPsec)you can lower it more as well.if  you want as well.you can combine it with the ip tcp adjust-mss". Essentially , we dont let the packet size get any bigger than 1500bytes altogether so that hops in between dont have to do fragmenatation. The delay is caused by fragmentation in between

The below link should guide you in the right direction.

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml

HTH

Kishore

View solution in original post

5 Replies 5

Go to solution
Ranbeckycr_2
Level 1
Level 1

‎11-02-2011 06:21 PM

Experts...any ideas :-(

0 Helpful

Go to solution
Kishore Chennupati
Level 7
Level 7
In response to Ranbeckycr_2

‎11-02-2011 08:31 PM

Hi Randall,

When you VPN's like IPsec , GRE over IPsec etc they induce heavy overhead and require fragmentation along the path

For example

GRE ip  mtu which is 1476bytes and IPsec adds another 58-74 bytes depending on  the encryptino you use. So the total packet size would become more like closely 1600bytes. So, they nede to be fragmented and hence they induce the additional latency. When you ping your ISP those packets are not encapsulated and do not contain any overhead so you get less latency.

Does this help? please let me know if you want more info

Happy to help

Regards

Kishore

0 Helpful

Go to solution
Ranbeckycr_2
Level 1
Level 1
In response to Kishore Chennupati

‎11-02-2011 08:35 PM

Kishore,

Good evening!

Appreciate the info.  Is there a workaround you suggest?

Oddly enough it does not happen with my other provider.

I own both ends of the tunnel so I can manipulate the router with any tweaks you suggest.

Thanks a bunch!

0 Helpful

Go to solution
Kishore Chennupati
Level 7
Level 7
In response to Ranbeckycr_2

‎11-02-2011 08:42 PM

Hi Randal

Definetly, There is a work around. It is by lowering the  ip mtu  before its hits the tunnel. The way to counter this is to set the ip mtu on the tunnel interface to  1400bytes(if you using GRE Tunnel with IPsec)you can lower it more as well.if  you want as well.you can combine it with the ip tcp adjust-mss". Essentially , we dont let the packet size get any bigger than 1500bytes altogether so that hops in between dont have to do fragmenatation. The delay is caused by fragmentation in between

The below link should guide you in the right direction.

http://www.cisco.com/en/US/tech/tk827/tk369/technologies_white_paper09186a00800d6979.shtml

HTH

Kishore

Go to solution
Ranbeckycr_2
Level 1
Level 1
In response to Kishore Chennupati

‎11-02-2011 08:55 PM

You da man!!!

0 Helpful
Customers Also Viewed These Support Documents