We recently purchased a new software R&D system to allow our offices in New Jersey and Canada to link up. In order to secure the data we set up VPNs for every computer connecting to the server at the main office. Everyone who connects using a VPN is complaining that the connection is very sluggish even though they all use DSL or a cable modem. Can you please give me some insight into how I can help these users connect faster?

You don't say what type of VPN or VPN products you are using, and that can have A LOT to do with performance. Some possibilities that might or might not pertain to you include:
- Fragmentation - VPNs add headers onto existing packets. If the Maximum Transmission Unit (MTU) size is not adjusted, large packets that once just fit your MTU must be broken in two (fragmented), resulting in twice as many packets. In most cases, MTU path discovery automatically adjusts MTU size, but if fragmentation is your problem, decreasing MTU on your hosts can help.
- Lifetimes - When VPN tunnel lifetimes are very short, the overhead associated with establishing the tunnel can become noticeable to end users. If your users are sending very little traffic per tunnel, inactivity timeouts can also come into play. Keepalives and increased lifetimes can help if this is your problem.
- Encryption - Many VPN gateways can encrypt at link speed, particularly if using hardware encryption. However, low-end VPN gateways that perform encryption in software can become a bottleneck, particularly during heavy usage periods. If this looks like your problem, you might be able to use another cipher or shorter key and still meet your security needs. Alternatively, look at expanding your VPN gateway's capacity through hardware acceleration or load sharing.
To start diagnosing the problem, you really need to get a handle on what's going on. Record and compare interface statistics available at various points along the VPN path to spot bottlenecks, places where fragmentation may be occurring, or excessive error rates. Although VPN traffic is encrypted, packet analyzers can still be helpful to get "the big picture" on flow rates -- for example, comparing information captured on two sides of an intervening device that might be a bottleneck. If you can isolate where VPN traffic gets bogged down, you'll have a target for making improvements.
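To put numbers on the fragmentation point in the answer above, here is an added example (not part of the original Q&A): it counts how many packets an encapsulated transfer actually puts on the wire with and without lowering the host MTU. The 58-byte tunnel overhead (roughly what ESP tunnel mode with a 16-byte IV and 12-byte ICV adds) and the 14,600-byte transfer are assumptions chosen for illustration.

```python
"""Fragmentation arithmetic for tunnelled traffic (illustrative model).

Assumes IPv4, an inner TCP flow, and a fixed per-packet tunnel overhead.
Fragment sizing follows the IPv4 rule that each fragment carries its own
20-byte header and data lengths are multiples of 8 bytes.
"""
from math import ceil

IPV4_HEADER = 20
TCP_HEADER = 20
# Assumed overhead: outer IP (20) + ESP header (8) + IV (16) + trailer (2) + ICV (12).
ASSUMED_TUNNEL_OVERHEAD = 58


def fragments_needed(inner_packet: int, overhead: int, path_mtu: int) -> int:
    """Outer packets produced by one inner packet after encapsulation."""
    outer = inner_packet + overhead
    if outer <= path_mtu:
        return 1
    payload = outer - IPV4_HEADER                 # bytes to spread over fragments
    per_fragment = (path_mtu - IPV4_HEADER) // 8 * 8  # largest 8-byte-aligned data size
    return ceil(payload / per_fragment)


def largest_unfragmented_inner(overhead: int, path_mtu: int) -> int:
    """Host MTU that keeps every encapsulated packet within the path MTU."""
    return path_mtu - overhead


def tcp_mss_clamp(overhead: int, path_mtu: int) -> int:
    """MSS to advertise so inner TCP segments never trigger fragmentation."""
    return path_mtu - overhead - IPV4_HEADER - TCP_HEADER


def packets_on_wire(total_bytes: int, inner_mtu: int, overhead: int, path_mtu: int) -> int:
    """Outer packets sent for a bulk TCP transfer, given the host's inner MTU."""
    inner_payload = inner_mtu - IPV4_HEADER - TCP_HEADER
    remaining, count = total_bytes, 0
    while remaining > 0:
        chunk = min(inner_payload, remaining)
        count += fragments_needed(chunk + IPV4_HEADER + TCP_HEADER, overhead, path_mtu)
        remaining -= chunk
    return count


if __name__ == "__main__":
    mtu = 1500
    fixed = largest_unfragmented_inner(ASSUMED_TUNNEL_OVERHEAD, mtu)
    print("unadjusted host MTU:", packets_on_wire(14600, mtu, ASSUMED_TUNNEL_OVERHEAD, mtu), "packets")
    print(f"host MTU lowered to {fixed}:", packets_on_wire(14600, fixed, ASSUMED_TUNNEL_OVERHEAD, mtu), "packets")
    print("MSS clamp:", tcp_mss_clamp(ASSUMED_TUNNEL_OVERHEAD, mtu))
```

With the host left at 1500 every full-size packet is split in two (20 packets for the transfer); lowering the host MTU to 1442 sends the same data in 11.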