
We recently purchased a new software R&D system to allow our offices in New Jersey and Canada to link up. In order to secure the data, we set up VPNs for every computer connecting to the server at the main office. Everyone who connects using a VPN is complaining that the connection is very sluggish even though they all use DSL or a cable modem. Can you please give me some insight into how I can help these users connect faster?

You don't say what type of VPN or VPN products you are using, and that can have A LOT to do with performance. Some possibilities that might or might not pertain to you include:


  • Fragmentation - VPNs add headers onto existing packets. If the Maximum Transmission Unit (MTU) size is not adjusted, large packets that once just fit your MTU must be broken in two (fragmented), resulting in twice as many packets. In most cases, MTU path discovery automatically adjusts MTU size, but if fragmentation is your problem, decreasing MTU on your hosts can help.


  • Lifetimes - When VPN tunnel lifetimes are very short, the overhead associated with establishing the tunnel can become noticeable to end users. If your users are sending very little traffic per tunnel, inactivity timeouts can also come into play. Keepalives and increased lifetimes can help if this is your problem.


  • Encryption - Many VPN gateways can encrypt at link speed, particularly if using hardware encryption. However, low-end VPN gateways that perform encryption in software can become a bottleneck, particularly during heavy usage periods. If this looks like your problem, you might be able to use another cipher or shorter key and still meet your security needs. Alternatively, look at expanding your VPN gateway's capacity through hardware acceleration or load sharing.

To start diagnosing the problem, you really need to get a handle on what's going on. Record and compare interface statistics available at various points along the VPN path to spot bottlenecks, places where fragmentation may be occurring, or excessive error rates. Although VPN traffic is encrypted, packet analyzers can still be helpful to get "the big picture" on flow rates -- for example, comparing information captured on two sides of an intervening device that might be a bottleneck. If you can isolate where VPN traffic gets bogged down, you'll have a target for making improvements.
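One way to check the fragmentation possibility above from recorded statistics, as an added example that is not part of the original answer: it assumes a Linux host or gateway on the VPN path that exposes `/proc/net/snmp`. The sample snapshots, the function names and the 5% threshold are constructed for illustration.

```python
# Added example. Counter names are those of the "Ip:" rows in Linux /proc/net/snmp.
FIELDS = ("Forwarding DefaultTTL InReceives InHdrErrors InAddrErrors ForwDatagrams "
          "InUnknownProtos InDiscards InDelivers OutRequests OutDiscards OutNoRoutes "
          "ReasmTimeout ReasmReqds ReasmOKs ReasmFails FragOKs FragFails FragCreates")

def snapshot(values):
    """Build constructed /proc/net/snmp text (sample data, not a real capture)."""
    return f"Ip: {FIELDS}\nIp: {values}\nIcmp: InMsgs InErrors\nIcmp: 12 0\n"

# Constructed samples: the same gateway read twice, some seconds apart.
BEFORE = snapshot("1 64 100000 0 0 90000 0 0 10000 8000 0 0 0 0 0 0 100 5 200")
AFTER = snapshot("1 64 160000 0 0 140000 0 0 20000 10000 0 0 0 0 0 0 13100 25 26200")

def parse_ip_counters(snmp_text):
    """Return the Ip: counters as a dict of ints, ignoring other protocol rows."""
    rows = [line.split()[1:] for line in snmp_text.splitlines()
            if line.startswith("Ip:")]
    if len(rows) != 2 or len(rows[0]) != len(rows[1]):
        raise ValueError("expected one Ip: header row and one Ip: value row")
    return dict(zip(rows[0], map(int, rows[1])))

def fragmentation_report(before_text, after_text, threshold=0.05):
    """Compare two snapshots and summarize fragmentation during the interval."""
    before, after = parse_ip_counters(before_text), parse_ip_counters(after_text)
    delta = {name: after[name] - before[name] for name in after}
    if any(v < 0 for v in delta.values()):
        raise ValueError("counter went backwards (reboot or wrap); resample")
    # Datagrams this host originated or forwarded during the interval.
    sent = delta["OutRequests"] + delta["ForwDatagrams"]
    fragmented = delta["FragOKs"]  # datagrams that were split successfully
    fraction = fragmented / sent if sent else 0.0
    return {
        "fragmented_fraction": fraction,
        # About 2.0 means each large packet was broken in two.
        "fragments_per_datagram": delta["FragCreates"] / fragmented if fragmented else 0.0,
        # Datagrams dropped because they needed fragmenting but could not be
        # (for example, the don't-fragment flag was set).
        "df_blocked": delta["FragFails"],
        "suspect": fraction > threshold,  # threshold is an assumed cut-off
    }

if __name__ == "__main__":
    print(fragmentation_report(BEFORE, AFTER))
```

Running the same comparison on hosts at both sides of an intervening device shows which hop is doing the fragmenting.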

This was first published in June 2004
