We recently purchased a new software R&D system to allow our offices in New Jersey and
Canada to link up. In order to secure the data we set up VPNs for every computer connecting to the
server at the main office. Everyone who connects using a VPN is complaining that the connection is
very sluggish even though they all use DSL or a cable modem. Can you please give me some insight
into how I can help these users connect faster?
- Fragmentation - VPNs add headers onto existing packets. If the Maximum Transmission Unit (MTU)
size is not adjusted, large packets that once just fit your MTU must be broken in two (fragmented),
resulting in twice as many packets. In most cases, path MTU discovery automatically adjusts the MTU
size, but if fragmentation is your problem, decreasing the MTU on your hosts can help.
- Lifetimes - When VPN tunnel lifetimes are very short, the overhead associated with establishing
the tunnel can... become noticeable to end users. If your users are sending very little
traffic per tunnel, inactivity timeouts can also come into play. Keepalives and increased
lifetimes can help if this is your problem.
- Encryption - Many VPN gateways can encrypt at link speed, particularly if using hardware encryption. However, low-end VPN gateways that perform encryption in software can become a bottleneck, particularly during heavy usage periods. If this looks like your problem, you might be able to use another cipher or shorter key and still meet your security needs. Alternatively, look at expanding your VPN gateway's capacity through hardware acceleration or load sharing.
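The fragmentation point above is easy to quantify. The following is an added example, not code from the original column: it models how much an IPsec ESP tunnel adds to each packet, when a full-size inner packet no longer fits a 1500-byte link and gets split in two, and what host MTU (or TCP MSS clamp) avoids that. The header sizes are assumptions chosen for illustration (ESP in tunnel mode over IPv4, AES-CBC with a 16-byte IV and block, a 12-byte integrity tag, optional UDP encapsulation for NAT traversal); other ciphers and VPN types have different overhead, so measure your own gateways before changing anything.

```python
# Added example (not from the original column): a small model of how a VPN's
# extra headers push packets past the link MTU, and what host MTU avoids that.
# Assumptions (constructed for illustration): IPsec ESP in tunnel mode over an
# IPv4 link, AES-CBC (16-byte IV, 16-byte block) and a 12-byte integrity tag.
# Real deployments vary; measure on your own gateways rather than trusting these
# constants.

OUTER_IP_HDR = 20   # new outer IPv4 header added in tunnel mode
ESP_HDR = 8         # SPI (4) + sequence number (4)
ESP_TRAILER = 2     # pad length (1) + next header (1)
UDP_HDR = 8         # only present when NAT traversal (UDP encapsulation) is on
IPV4_FRAG_UNIT = 8  # IPv4 fragment offsets are counted in 8-byte units


def esp_tunnel_size(inner_len, iv_len=16, block=16, icv_len=12, nat_t=False):
    """Size on the wire of an inner packet of `inner_len` bytes after ESP encapsulation."""
    # The encrypted body (inner packet + padding + trailer) is padded up to a whole
    # cipher block, so the padding depends on the inner length.
    pad = (-(inner_len + ESP_TRAILER)) % block
    size = OUTER_IP_HDR + ESP_HDR + iv_len + inner_len + pad + ESP_TRAILER + icv_len
    if nat_t:
        size += UDP_HDR
    return size


def fragments_needed(inner_len, link_mtu=1500, **kw):
    """How many outer IPv4 packets carry one inner packet across a link of `link_mtu`."""
    size = esp_tunnel_size(inner_len, **kw)
    if size <= link_mtu:
        return 1
    # Each fragment re-carries the outer IP header; fragment payloads are multiples of 8.
    per_fragment = ((link_mtu - OUTER_IP_HDR) // IPV4_FRAG_UNIT) * IPV4_FRAG_UNIT
    payload = size - OUTER_IP_HDR
    return -(-payload // per_fragment)   # ceiling division


def max_inner_mtu(link_mtu=1500, **kw):
    """Largest inner packet that still fits the link MTU after encapsulation,
    i.e. the MTU to configure on hosts if you want to avoid fragmentation."""
    n = link_mtu
    while n > 0 and esp_tunnel_size(n, **kw) > link_mtu:
        n -= 1
    return n


def recommended_tcp_mss(link_mtu=1500, **kw):
    """TCP MSS to clamp to: inner MTU minus the 20-byte IPv4 and 20-byte TCP headers."""
    return max_inner_mtu(link_mtu, **kw) - 40


if __name__ == "__main__":
    for inner in (576, 1400, 1500):
        print(f"inner {inner:4d} -> wire {esp_tunnel_size(inner):4d} bytes, "
              f"{fragments_needed(inner)} packet(s) on a 1500-byte link")
    print("host MTU that avoids fragmentation:", max_inner_mtu())
    print("with NAT-T (UDP encapsulation):    ", max_inner_mtu(nat_t=True))
    print("TCP MSS clamp:", recommended_tcp_mss())
```

With these assumed constants a 1500-byte inner packet becomes 1560 bytes on the wire and is carried as two outer packets, which is exactly the "twice as many packets" effect described above; dropping the host MTU to 1438 (1422 when NAT traversal adds a UDP header) keeps every encapsulated packet within 1500 bytes. Before applying such a value, confirm the real overhead by sending packets with the don't-fragment bit set at decreasing sizes through the tunnel and watching where they start to pass.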
To start diagnosing the problem, you really need to get a handle on what's going on. Record and
compare interface statistics available at various points along the VPN path to spot bottlenecks,
places where fragmentation may be occurring, or excessive error rates. Although VPN traffic is
encrypted, packet analyzers can still be helpful to get "the big picture" on flow rates -- for
example, comparing information captured on two sides of an intervening device that might be a
bottleneck. If you can isolate where VPN traffic gets bogged down, you'll have a target for making
This was first published in June 2004