This article shows how to increase your internet throughput and VPN throughput on the USG FLEX/ATP/VPN Series using the Web GUI. It explains how traffic statistics, bandwidth management and UTM functions affect the throughput of your device. It also shows how to run iPerf tests through the VPN tunnel, use lower encryption & authentication settings, enable the crypto-boost command, and check fragmentation / MSS adjustment to increase VPN throughput.
Firstly, if you have firmware version 5.10, you can look at this article to boost your speed or upgrade to the latest firmware.
Table of Contents
1) Troubleshooting & Increase WAN Throughput
1.1 Traffic Statistics
1.2 Bandwidth Management
1.3 UTM Functions (Security Services)
2) Troubleshooting & Increase VPN Throughput
2.1 iPerf Testing through VPN
2.2 Using lower encryption & Authentication
2.3 Using Crypto-Boost command
2.4 Check fragmentation on WAN
2.5 MSS Adjustment
1) Troubleshooting & Increase WAN Throughput
1.1 Traffic Statistics
Go into Traffic Statistics and untick "Collect statistics" on each of the UTM services (App Patrol, Content Filter, Anti-Malware, Reputation Filter, IPS, Email Security, SSL Inspection). Remember to hit "Apply" after unchecking the box on each UTM function:
Then go to Monitor -> Traffic Statistics -> Traffic Statistics and untick the "Collect Statistics" box there as well:
Depending on the amount of traffic in the firewall, you should see a slight increase in bandwidth. For our test environment, there is not much traffic and thus, there is not really an increase in throughput.
1.2 Bandwidth Management
You can also disable Bandwidth management which protects the bandwidth of the firewall. Go to Configuration -> BWM and uncheck the "Enable BWM" and click "Apply":
Depending on the amount of traffic in the firewall, you should see a slight increase in bandwidth. For our test environment, there is not much traffic and thus, there is not really an increase in throughput.
1.3 UTM Functions (Security Services)
If you need more throughput, you can sacrifice the Security Services (UTM functions) to gain it. Disabling IDP (IPS) increases your overall throughput because IPS scans all incoming and outgoing traffic.
Go to Configuration -> Security Service -> IPS
Uncheck the tick-box and click "Apply":
Disabling the Anti-Malware will increase your download speed as the Anti-malware is scanning all the files you download.
Go to Configuration -> Security Service -> Anti-Malware
Uncheck the tick-box and click "Apply":
Reputation Filter and Email Security
You can also disable Reputation Filter (under Configuration -> Security Service -> Reputation Filter) and Email Security.
App Patrol & Content Filter
Because these security services are attached to the firewall rules, there is no "disable" button. You need to go into the Security Service menus and make sure that there are no references to these security services:
If there are references here, it means that it's attached to a firewall rule. Then click and select on the security profile and hit "References":
Click on the Security Policy Control Service #1:
Go to the firewall rules that have the Profiles attached, double click on the rule, deselect the Profiles at the bottom of the window by clicking "none" and then click ok:
By doing that you will now see that the Application Patrol symbol is gone from the Profile on the firewall rule:
2) Troubleshooting & Increase VPN Throughput
This section will show how to improve performance in your site-to-site VPN tunnel (USG FLEX / ATP / VPN Series), using iPerf testing, crypto-boost CLI command, and avoiding MTU fragmentation with lower packet size, as well as MSS adjustment.
The test environment used 2x ATP200 connected in this topology:
Getting a local WAN address from the office firewall. Neither of the firewalls had traffic on it while performing the tests.
Note! The throughput on the datasheet is measured with industry-standard test methods, which use UDP packets. TCP traffic is more demanding on the firewall, which means that to get a more realistic VPN throughput you need to look at the asterisk (*):
"*3: VPN throughput measured based on RFC 2544 (1,424-byte UDP packets)"
*A tip that we use in the support organization is to divide the datasheet's throughput by 3 to get a realistic throughput for your firewall.
2.1 iPerf Testing through VPN
Download iPerf here: https://iperf.fr/iperf-download.php
Install it, or drag the .exe file into your CMD window and append the command-line options after the path.
You can also follow this article (for wireless connection):
https://support.zyxel.eu/hc/en-us/articles/360017129620-How-to-check-wireless-speed-via-iPerf
You need 2 PCs connected to each site's LAN and they should be able to ping each other.
Disable the Windows firewall if the PC isn't pingable. One PC will act as a "server" and the other one will act as the client. Then you are testing the speed (client) to that server by following the steps below.
2.1.1 Run iPerf on server PC
2.1.1.1 Drag the iperf.exe file to cmd
2.1.1.2 For the server, add "-s" in the command line
So run this command:
%%Path%% -s
2.1.1.3 Press Enter
Example:
2.1.2 Run iPerf on Client PC
2.1.2.1 Drag the iperf.exe file to cmd
2.1.2.2 Add "-c <server IP> -w4M -l 65535 -P 10"
So run this command:
%%Path%% -c 192.168.10.33 -w4M -l 65535 -P 10
2.1.2.3 Press Enter
Example:
Disclaimer! Because this is a test VPN environment through a LAN network, the results will be very similar, if not the same.
2.2 Using lower encryption & Authentication
This is the result of a site-to-site VPN with IKEv2 (aggressive mode) AES128, SHA1 encryption:
This is the result of a site-to-site VPN with IKEv1 (aggressive mode) DES & MD5 encryption:
Sometimes the level of encryption and authentication plays a role in the VPN speed. For example, AES256 is slower than 3DES; however, 3DES offers less security than AES256.
2.3 Using Crypto-Boost command
In ZLD5.10, we made some enhancements to increase IPSec TCP single-session throughput:
- Distribute a single VPN session across multiple CPUs instead of a single CPU
- Reorder the packets
This enhancement is disabled by default.
The reason it is disabled by default: we need more time to clarify whether distributing a VPN session over multiple cores has any effect on our other critical running processes. If it does not, we may enable it in the next firmware version.
As the enhancement is still under evaluation, we have not done official testing yet.
How to enable/disable the enhancement:
To enable the enhancement by CLI command, use:
Router(config)# crypto boost-tcp
To disable the enhancement by CLI command use:
Router(config)# no crypto boost-tcp
Here you find how you can make the local test to verify:
Topology:
PC1 -- (LAN) ATP800-A (WAN) ----- IPSec VPN ----- (WAN) ATP800-B (LAN) -- PC2
Test Software: Iperf3
Test Client/Server OS: Windows
Here you will see the differences of IPsec TCP single session throughput:
These are the results after enabling the enhancement with the crypto-boost command described above:
Router(config)# crypto boost-tcp
2.4 Check fragmentation on WAN
2.4.1 Use Web GUI.
Navigate to Diagnostic -> Network Tool and ping 8.8.8.8 using the correct WAN interface (in this case wan). Then type in extension option -M do -s 1500.
First ping with a packet size of 1500 (-M do -s 1500), then 1492. Then go down in steps of 10 until you find a "(truncated)" packet. Then go up by 2 until you get a fragmented packet again. The value before that is the sweet spot. A truncated packet means that the packet does not need to be fragmented and can therefore be sent with the optimal MTU.
In this example above, the sweet spot for us is 1472 as 1472 is not fragmented but 1474 is.
2.4.2 Use CMD
Use this command:
ping www.google.com -f -l 1500
Start with packet size 1500 and go down to 1492, then decrease in steps of 10 (1482 -> 1472 -> 1462 etc.) until the packet is no longer fragmented and ping responds. Then increase the value by 2 until you find the "sweet spot", the largest size at which the packets are still not fragmented.
In this case, we should set the value to 1342 + 28 = 1370.
because
MTU = MSS (1342 bytes in this example) + IP header (20 bytes) + ICMP header (8 bytes)
After adjusting the MTU size on the WAN connection:
2.5 MSS Adjustment
Otherwise you can try to manually set the MSS adjustment. This is a trial and error, do the test first with 1400, then 1300. If you get an improvement in setting a custom size of any of these, try the following below:
Example 1: Do you get better throughput using 1300? Try 1340, better than 1300? Use 1340.
Example 2: Do you get better throughput using 1400? Try 1360. Better than 1400? If not, use 1400
You can also calculate the MSS using the ping test from section 2.4:
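The ping sweep in section 2.4 and the MSS calculation in section 2.5 can be automated. The script below is an added example, not Zyxel's own tooling: it implements the article's search order (1500, then 1492, then down in steps of 10 until a probe gets through, then up in steps of 2 until fragmentation reappears) and applies the article's formula MTU = payload + 20 + 8. The TCP MSS = MTU - 40 step is standard IPv4/TCP header arithmetic and is an addition not stated on the page. The `os_ping_probe` helper shells out to the OS ping with the don't-fragment flag (`ping -f -l` on Windows as in 2.4.2, `ping -M do -s` on Linux as in 2.4.1) and assumes a zero exit status means the echo was answered; `simulated_link` is a constructed offline stand-in for a WAN link so the search can be exercised without a network.

```python
"""Automate the WAN MTU / MSS discovery from sections 2.4 and 2.5.

Added example, not part of the original article or Zyxel's firmware.
"""
import platform
import subprocess
from typing import Callable

IP_HEADER = 20      # IPv4 header, as in the article's formula
ICMP_HEADER = 8     # ICMP echo header, as in the article's formula
TCP_HEADER = 20     # assumption: standard TCP header, used for MSS = MTU - 40


def find_max_unfragmented_payload(probe: Callable[[int], bool],
                                  start: int = 1500,
                                  coarse_step: int = 10,
                                  fine_step: int = 2) -> int:
    """Return the largest ping payload (bytes) that `probe` accepts without
    fragmentation, following the article's manual search order.

    probe(size) must return True when a DF-flagged ping with `size` payload
    bytes is answered, and False when the link reports that the packet
    would need to be fragmented.
    """
    if probe(start):
        return start
    # Article: after 1500 try 1492, then keep stepping down by 10.
    size = start - 8
    while size > 0 and not probe(size):
        size -= coarse_step
    if size <= 0:
        raise RuntimeError("no payload size got through; check connectivity")
    # Step back up in small increments until fragmentation reappears;
    # the last size that got through is the sweet spot.
    while probe(size + fine_step):
        size += fine_step
    return size


def mtu_from_payload(payload: int) -> int:
    """Article's formula: MTU = unfragmented ping payload + 20 + 8."""
    return payload + IP_HEADER + ICMP_HEADER


def tcp_mss_from_mtu(mtu: int) -> int:
    """Assumption (standard IPv4/TCP arithmetic, not stated on the page):
    MSS = MTU - IP header - TCP header."""
    return mtu - IP_HEADER - TCP_HEADER


def os_ping_probe(host: str) -> Callable[[int], bool]:
    """Build a probe that runs the OS ping with the don't-fragment flag.

    Assumption: ping exits with status 0 only when the echo is answered;
    "needs to be fragmented" / "message too long" and timeouts exit non-zero.
    """
    def probe(size: int) -> bool:
        if platform.system() == "Windows":
            cmd = ["ping", "-f", "-l", str(size), "-n", "1", "-w", "2000", host]
        else:
            cmd = ["ping", "-M", "do", "-s", str(size), "-c", "1", "-W", "2", host]
        result = subprocess.run(cmd, stdout=subprocess.DEVNULL,
                                stderr=subprocess.DEVNULL)
        return result.returncode == 0
    return probe


def simulated_link(max_payload: int) -> Callable[[int], bool]:
    """Constructed offline stand-in for a WAN link whose largest
    unfragmented ping payload is `max_payload` (1472 for a plain 1500-byte
    MTU, 1342 for the article's 1370-byte example)."""
    return lambda size: size <= max_payload


if __name__ == "__main__":
    import sys
    # With a host argument, probe the real WAN; otherwise replay the
    # article's 1342/1370 example on the constructed link.
    probe = os_ping_probe(sys.argv[1]) if len(sys.argv) > 1 else simulated_link(1342)
    payload = find_max_unfragmented_payload(probe)
    mtu = mtu_from_payload(payload)
    print(f"largest unfragmented payload: {payload}")
    print(f"WAN MTU to set:               {mtu}")
    print(f"TCP MSS for that MTU:         {tcp_mss_from_mtu(mtu)}")
```

Run it with the WAN-side target as the argument (for example the 8.8.8.8 used in section 2.4.1) from a PC behind the firewall, or without arguments to replay the article's example. Because the fine step is 2, as in the article's procedure, an odd maximum payload is reported 1 byte low; that errs on the safe side, since a slightly smaller MTU never causes fragmentation.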
If you are further interested and want to know more about how to calculate the packet sizes for VPN you can take a look at this article that inspired some of the content in this article:
https://muzso.hu/2009/05/17/how-to-determine-the-proper-mtu-size-with-icmp-pings