This article will show you how you can increase your speed and boost your internet throughput and VPN throughput using the Web GUI [USG FLEX/ATP/VPN Series]. It shows how traffic statistics, bandwidth management and UTM functions affect the throughput of your device. Furthermore, it shows how to perform iPerf Testing through the VPN tunnel, and using lower encrpytion & authentication, using crypto-boost command & check fragmentation/MSS adjustment to increase VPN throughput.

Firstly, if you have firmware version 5.10, you can look at this article to boost your speed or upgrade to the latest firmware.

Table of Content

1) Troubleshooting & Increase WAN Throughput

1.1 Traffic Statistics

1.2 Bandwidth Management

1.3 UTM Functions (Security Services)

2) Troubleshooting & Increase VPN Throughput

2.1 iPerf Testing through VPN

2.2 Using lower encryption & Authentication

2.3 Using Crypto-Boost command

2.4 Check fragmentation on WAN

2.5 MSS Adjustment

1) Troubleshooting & Increase WAN Throughput

1.1 Traffic Statistics

Go into Traffic Statistics and remove the "Collect statistics from all the UTM services (App Patrol, Content Filter, Anti-Malware, Reputation Filter, IPS, Email Security, SSL Inspection) - remember to hit "Apply" after unchecking the box on each UTM function:

Then go to Monitor -> Traffic Statistics -> Traffic Statistics and untick the "Collect Statistics" box there as well:

Depending on the amount of traffic in the firewall, you should see a slight increase in bandwidth. For our test environment, there is not much traffic and thus, there is not really an increase in throughput.

1.2 Bandwidth Management

You can also disable Bandwidth management which protects the bandwidth of the firewall. Go to Configuration -> BWM and uncheck the "Enable BWM" and click "Apply":

1.3 UTM Functions (Security Services)

If you want more throughput you can sacrifice the Security Services (UTM functions) to gain more throughput. For IDP (IPS), this will increase your overall throughput because it's scanning all incoming and outgoing traffic.

Go to Configuration -> Security Service -> IPS

Uncheck the tick-box and click "Apply":

Disabling the Anti-Malware will increase your download speed as the Anti-malware is scanning all the files you download.

Go to Configuration -> Security Service -> Anti-Malware

Uncheck the tick-box and click "Apply":

Reputation Filter and Email Security

You can also disable Reputation Filter (under Go to Configuration -> Security Service -> Reputation Filter) and Email Security

App Patrol & Content Filter

Because these security services are attached to the firewall rules, there are no "disable button". You need to go into the Security Service Menus and make sure that there are no references to these security services:

If there are references here, it means that it's attached to a firewall rule. Then click and select on the security profile and hit "References":

Click on the Security Policy Control Service #1:

Go to the firewall rules that have the Profiles attached, double click on the rule, deselect the Profiles at the bottom of the window by clicking "none" and then click ok:

By doing that you will now see that the Application Patrol symbol is gone from the Profile on the firewall rule:

2) Troubleshooting & Increase VPN Throughput

This section will show how to improve performance in your site-to-site VPN tunnel (USG FLEX / ATP / VPN Series), using iPerf testing, crypto-boost CLI command, and avoiding MTU fragmentation with lower packet size, as well as MSS adjustment.

The test environment used 2x ATP200 connected in this topology:

Getting a local WAN address from the office firewall. Neither of the firewalls had traffic on it while performing the tests.

Note! The throughput on the datasheet is using industry-standard test measurements, which do the test measures with UDP packets. TCP traffic is more demanding on the firewall, which means that to get a more realistic VPN throughput, you need to look at the asteriks ():
"3: VPN throughput measured based on RFC 2544 (1,424-byte UDP packets)"

*A tip, that we use in the support organization, is to divide the datasheet's throughput by 3 to get a realistic throughput for your firewall

2.1 iPerf Testing through VPN

Download iPerf here: https://iperf.fr/iperf-download.php

Install it, or copy the .exe file into your CMD and run the command after.

You can also follow this article (for wireless connection):

https://support.zyxel.eu/hc/en-us/articles/360017129620-How-to-check-wireless-speed-via-iPerf

You need 2 PCs connected to each site's LAN and they should be able to ping each other.

Disable the Windows firewall if the PC isn't pingable. One PC will act as a "server" and the other one will act as the client. Then you are testing the speed (client) to that server by following the steps below.

2.1.1 Run iPerf on server PC

2.1.1.1 Drag the iperf.exe file to cmd

2.1.1.2 For the server, add "-s" in the command line

So run this command: 
%%Path%% -s

2.1.1.3 Press Enter

Example:

2.1.2 Run iPerf on Client PC

2.2.2.1 Drag the iperf.exe file to cmd

2.2.2.2 Add "iperf -c <server IP> -w4M -l 65535 -P 10

So run this command:

%%Path%% iperf -c 192.168.10.33 -w4M -l 65535 -P 10

2.2.2.3 Press Enter

Example:

Disclaimer! Because this is a test VPN environment through a LAN network, the results will be very similar, if not the same.

2.2 Using lower encryption & Authentication

This is the result of a site-to-site VPN with IKEv2 (aggressive mode) AES128, SHA1 encryption:

This is the result of a site-to-site VPN with IKEv1 (aggressive mode) DES & MD5 encryption:

Sometimes the level of encryption and authentication plays a role in the VPN speed. For example, using AES256 is slower than using 3DES, however, there is less security on using 3DES than AES256.

2.3 Using Crypto-Boost command

In ZLD5.10, we did some enhancements to increase IPSec TCP single session throughput
- Distribute the single VPN session to multiple CPUs instead of a single CPU
- Reorder the packet order

This enhancement is disabled by default.

The reason we disable by default: We need more time to clarify whether the VPN session distribution over multiple cores causes any effects to other our critical process running or not. If not, we may enable it on the next FW version.

As the enhancement is still under evaluation, we don't make official testing yet.

How to enable/disable the enhancement:

To enable the enhancement by CLI command, use:

Router(config)# crypto boost-tcp

To disable the enhancement by CLI command use:

Router(config)#no crypto boost-tcp

Here you find how you can make the local test to verify:

Topology:

PC1 -- (LAN) ATP800-A (WAN) ----- IPSec VPN ----- (WAN) ATP800-B (LAN) -- PC2

Test Software: Iperf3

Test Client/Server OS: Windows

Here you will see the differences of IPsec TCP single session throughput:

Running the crypto-boost command using the above steps, the results after running the crypto-boost command:

Router(config)# crypto boost-tcp

2.4 Check fragmentation on WAN

2.4.1 Use Web GUI.

Navigate to Diagnostic -> Network Tool and ping 8.8.8.8 using the correct WAN interface (in this case wan). Then type in extension option -M do -s 1500.

First ping with a packet size of 1500 (-M do -s 1500), then 1492. Then go down with a value of 10, until you find the "(truncated)" packet. Then you go up by 2 until you have a fragmented packet again. The value before is the sweet spot. When you have a truncated packet it means that the packet doesn't need to be fragmented and therefore can be sent with the optimal MTU.

In this example above, the sweet spot for us is 1472 as 1472 is not fragmented but 1474 is.

2.4.2 Use CMD

use this command:

ping www.google.com -f -l 1500

Start with packet size 1500 and go down to 1492, then decrease by a value of 10 (1482 -> 1472 -> 1462 etc.), until you don't have a fragmented packet anymore and ping is responding. Then you increase the value by 2 until you find the "sweet spot" where the packets aren't fragmented anymore.

In this case, we should set the value to 1342 + 28 = 1370.

becaue

MTU = MSS (1342 bytes in this example) + IP header (20 bytes) + ICMP header (8 bytes)

After adjusting the MTU size on the WAN connection:

2.5 MSS Adjustment

Otherwise you can try to manually set the MSS adjustment. This is a trial and error, do the test first with 1400, then 1300. If you get an improvement in setting a custom size of any of these, try the following below:

Example 1: Do you get better throughput using 1300? Try 1340, better than 1300? Use 1340.
Example 2: Do you get better throughput using 1400? Try 1360. Better than 1400? If not, use 1400

You can also calculate MSS using the ping test from step 4:

If you are further interested and want to know more about how to calculate the packet sizes for VPN you can take a look at this article that inspired some of the content in this article:

https://muzso.hu/2009/05/17/how-to-determine-the-proper-mtu-size-with-icmp-pings

Firewall - Increasing Throughput / Speed Boost for WAN and VPN

Table of Content