We recently purchased a new software R&D system to allow our offices in New Jersey and Canada to link up. In order to secure the data we set up VPNs for every computer connecting to the server at the main office. Everyone who connects using a VPN is complaining that the connection is very sluggish even though they all use DSL or a cable modem. Can you please give me some insight into how I can help these users connect faster?
You don't say what type of VPN or VPN products you are using, and that can have A LOT to do with performance. Some possibilities that might or might not pertain to you include:
- Fragmentation - VPNs add headers onto existing packets. If the Maximum Transmission Unit (MTU) size is not adjusted, large packets that once just fit your MTU must be broken in two (fragmented), resulting in twice as many packets. In most cases, MTU path discovery automatically adjusts MTU size, but if fragmentation is your problem, decreasing MTU on your hosts can help.
- Lifetimes - When VPN tunnel lifetimes are very short, the overhead associated with establishing the tunnel can become noticeable to end users. If your users are sending very little traffic per tunnel, inactivity timeouts can also come into play. Keepalives and increased lifetimes can help if this is your problem.
- Encryption - Many VPN gateways can encrypt at link speed, particularly if using hardware encryption. However, low-end VPN gateways that perform encryption in software can become a bottleneck, particularly during heavy usage periods. If this looks like your problem, you might be able to use another cipher or shorter key and still meet your security needs. Alternatively, look at expanding your VPN gateway's capacity through hardware acceleration or load sharing.
To start diagnosing the problem, you really need to get a handle on what's going on. Record and compare interface statistics available at various points along the VPN path to spot bottlenecks, places where fragmentation may be occurring, or excessive error rates. Although VPN traffic is encrypted, packet analyzers can still be helpful to get "the big picture" on flow rates -- for example, comparing information captured on two sides of an intervening device that might be a bottleneck. If you can isolate where VPN traffic gets bogged down, you'll have a target for making improvements.
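To put numbers on the fragmentation point above, here is an added example (not part of the original answer) that works out how much a tunnel header grows a packet and what host MTU avoids the split. It assumes IPv4 with IPsec ESP in tunnel mode using AES-CBC and HMAC-SHA1-96, since the question does not name the VPN product; the function names are illustrative.

```python
"""Added example: ESP tunnel-mode size arithmetic (assumed AES-CBC + HMAC-SHA1-96)."""
import math

OUTER_IP = 20     # new IPv4 header added by tunnel mode
ESP_HEADER = 8    # SPI + sequence number
ESP_TRAILER = 2   # pad-length + next-header bytes, encrypted with the payload
NAT_T_UDP = 8     # UDP encapsulation header when NAT traversal is in use


def esp_packet_size(inner_len, iv=16, block=16, icv=12, nat_t=False):
    """On-the-wire size of one inner IP packet after ESP tunnel encapsulation."""
    padded = math.ceil((inner_len + ESP_TRAILER) / block) * block
    return OUTER_IP + (NAT_T_UDP if nat_t else 0) + ESP_HEADER + iv + padded + icv


def fragments(packet_len, path_mtu, ip_header=20):
    """Number of IPv4 fragments needed to carry packet_len over path_mtu."""
    if packet_len <= path_mtu:
        return 1
    per_fragment = (path_mtu - ip_header) // 8 * 8  # offsets count 8-byte units
    return math.ceil((packet_len - ip_header) / per_fragment)


def max_inner_mtu(path_mtu, iv=16, block=16, icv=12, nat_t=False):
    """Largest inner packet whose encapsulated form still fits path_mtu."""
    fixed = OUTER_IP + (NAT_T_UDP if nat_t else 0) + ESP_HEADER + iv + icv
    return (path_mtu - fixed) // block * block - ESP_TRAILER


def report(path_mtu, nat_t=False):
    """Summarise the effect of the tunnel on a full-size 1500-byte packet."""
    outer = esp_packet_size(1500, nat_t=nat_t)
    inner = max_inner_mtu(path_mtu, nat_t=nat_t)
    return {
        "outer_size_for_1500": outer,
        "fragments_for_1500": fragments(outer, path_mtu),
        "host_mtu": inner,
        "tcp_mss": inner - 40,  # minus inner IPv4 + TCP headers, no options
    }


if __name__ == "__main__":
    # Constructed scenarios: cable (1500), PPPoE DSL (1492), cable behind NAT.
    for mtu, nat in ((1500, False), (1492, False), (1500, True)):
        print(f"path MTU {mtu}, NAT-T {nat}: {report(mtu, nat)}")
```

Other ciphers or VPN protocols change the constants, so confirm the result against what the gateway's interface statistics actually show.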