SRX


Ask questions and share experiences about the SRX Series, vSRX, and cSRX.
  • 1.  Slow route-based site-to-site VPN connection between SRX240 and SRX210

    Posted 01-12-2010 11:39

    Hi all,

     

    I am experiencing slow file transfers between my main site that uses an SRX240 and my remote site that uses an SRX210. I am transferring large files from one storage server to another.

     

    For example, I am transferring large files between my storage servers, roughly around 10 GB, and I am assuming I am getting under 100k per second since it's been running for almost a day now.

     

    When I copy a 180MB file from my Windows 7 machine to the storage server I get 350K a second transferring a 180MB file.

     

    VPN PROPOSALS

     

    description g2-esp-aes128-sha;
    protocol esp;
    authentication-algorithm hmac-sha1-96;
    encryption-algorithm aes-128-cbc;
    lifetime-seconds 28800;

     

    SPEED TEST RESULTS

     

    My main office

    download = 9MBps

    upload = 7.31 MBps

     

    Remote office

    download = 4.32 MBps

    upload = 1.6 MBps

     

    SHOW SECURITY IPSEC SECURITY-ASSOCIATIONS

     

    DF-bit: clear
        Direction: inbound, SPI: 8254c24e, AUX-SPI: 0
        Hard lifetime: Expires in 17760 seconds
        Lifesize Remaining:  Unlimited
        Soft lifetime: Expires in 17181 seconds
        Mode: tunnel, Type: dynamic, State: installed, VPN Monitoring: UP
        Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
        Anti-replay service: enabled, Replay window size: 64

        Direction: outbound, SPI: 47b73a4c, AUX-SPI: 0
        Hard lifetime: Expires in 17760 seconds
        Lifesize Remaining:  Unlimited
        Soft lifetime: Expires in 17181 seconds
        Mode: tunnel, Type: dynamic, State: installed, VPN Monitoring: UP
        Protocol: ESP, Authentication: hmac-sha1-96, Encryption: aes-cbc (128 bits)
        Anti-replay service: enabled, Replay window size: 64

    I am not sure if this has something to do with my WAN connection speeds or how I set up my VPNs. Is there a way I can dedicate a certain amount of traffic specifically for the site-to-site VPNs, and is there anything else I should use to troubleshoot this issue? Any help would be highly appreciated.

     

    Best Regards,

     

    G



  • 2.  RE: Slow route-based site-to-site VPN connection between SRX240 and SRX210

    Posted 01-12-2010 12:02

    Hi all, I set the security flow tcp-mss mss 1420 on both sites.

     

    On my computer I am getting 512 Kbps transfers

    But on another computer I am getting 33/Kbps transfers

     

     



  • 3.  RE: Slow route-based site-to-site VPN connection between SRX240 and SRX210

    Posted 01-12-2010 23:49

    I have two SRX 240 connected via a T1 VPN and there are no issues.

     

    Try to monitor the interface via the cli or jweb.

     

    cli

    > monitor interface (interface name) fe or ge



  • 4.  RE: Slow route-based site-to-site VPN connection between SRX240 and SRX210

    Posted 01-13-2010 09:06

    Hi Yipster, thanks for your response. These are my results when I monitor my interface; the speeds still seem slow, 20kbps. Is there a way to set a specific amount of bandwidth only for a VPN tunnel?

     

    Thanks



  • 5.  RE: Slow route-based site-to-site VPN connection between SRX240 and SRX210
    Best Answer

    Posted 01-14-2010 10:01

    Fixed the issue. MTU set on the tunnel interface is set to 9000, causing a lot of fragmentation. FYI, change to a lower value.


    #vpn
    #Tunnel
    #mtu


  • 6.  RE: Slow route-based site-to-site VPN connection between SRX240 and SRX210

    Posted 08-23-2010 04:29

    Hi,

     

    Could you provide the command you used? I tried:

     

    set security flow tcp-mss all-tcp mss 1420 and set security flow tcp-mss ipsec-vpn mss 1420

     

    But when I monitor the st0.0, it still says that the MTU is at 9192.

     

    Thanks in advance,



  • 7.  RE: Slow route-based site-to-site VPN connection between SRX240 and SRX210

    Posted 01-19-2011 11:15

    Hi,

     

    I am having a similar issue with a route-based tunnel between two SRX210s. To adjust the tunnel interface, enter the following:

     

    set interfaces <interface name> unit 0 family inet mtu <mtu value>
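
Added example (not part of any post in this thread, and not Juniper code): the packet-size arithmetic behind the fragmentation described in the accepted answer, for the proposal shown in the first post (ESP tunnel mode, aes-128-cbc, hmac-sha1-96). It assumes an IPv4 outer header without options and a 1500-byte WAN path MTU, which the thread does not state; all function names are illustrative.

```python
# ESP tunnel-mode sizing for aes-128-cbc + hmac-sha1-96 (added example).
# Assumptions: IPv4 outer header with no options; 1500-byte path MTU in the demo.

OUTER_IP = 20     # outer IPv4 header
NAT_T_UDP = 8     # UDP encapsulation header, only when NAT traversal is in use
ESP_HDR = 8       # SPI (4) + sequence number (4)
IV = 16           # AES-CBC initialisation vector
BLOCK = 16        # AES block size; encrypted part is padded to a multiple of it
ESP_TRAILER = 2   # pad-length + next-header bytes, encrypted with the payload
ICV = 12          # HMAC-SHA1 tag truncated to 96 bits


def _fixed_overhead(nat_t=False):
    return OUTER_IP + (NAT_T_UDP if nat_t else 0) + ESP_HDR + IV + ICV


def esp_packet_len(inner_len, nat_t=False):
    """Size on the wire of one inner IP packet after ESP encapsulation."""
    encrypted = -(-(inner_len + ESP_TRAILER) // BLOCK) * BLOCK  # round up
    return _fixed_overhead(nat_t) + encrypted


def max_inner_len(path_mtu, nat_t=False):
    """Largest inner packet whose ESP packet still fits in path_mtu."""
    room = (path_mtu - _fixed_overhead(nat_t)) // BLOCK * BLOCK
    return room - ESP_TRAILER


def max_tcp_mss(path_mtu, nat_t=False):
    """Largest TCP MSS (inner IPv4 + TCP headers = 40 bytes, no options)."""
    return max_inner_len(path_mtu, nat_t) - 40


def fragments_on_wire(inner_len, path_mtu, nat_t=False):
    """Number of IP fragments the ESP packet becomes on a path_mtu link."""
    total = esp_packet_len(inner_len, nat_t)
    if total <= path_mtu:
        return 1
    per_fragment = (path_mtu - OUTER_IP) // 8 * 8  # fragment data is 8-byte aligned
    return -(-(total - OUTER_IP) // per_fragment)


if __name__ == "__main__":
    mtu = 1500  # assumed WAN path MTU
    print("largest unfragmented inner packet:", max_inner_len(mtu))
    print("matching TCP MSS:", max_tcp_mss(mtu))
    for inner in (1438, 1500, 9000):
        print(inner, "->", esp_packet_len(inner), "bytes,",
              fragments_on_wire(inner, mtu), "fragment(s)")
```

With a tunnel-interface MTU far above the path MTU, a full-size 1500-byte inner packet is encrypted first and fragmented afterwards, so every such packet costs two packets on the WAN link.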