NetConnect Login is S-L-O-W

Jickfoo_ · ‎01-19-2008

It's intermittent but many users complain about logging into Network Connect. They say it can take up to 2 minutes.

Anyone else have this issue ?

THanks,
Justin

Kevin_ · ‎01-01-2008

Jickfoo -

When are your users experiencing the slowdown? For example, are you applying HostChecker policies to the realm, and users are waiting on HostChecker to complete before they are prompted for credentials? or, are they waiting between entering their credentials and the install/launch of the NC client?

I've got big problems with AD/LDAP authentication in 6.0Rx - but it always fails fast for me. You should be able to nail down Hostchecker problems with logging (watching the time on the dsHostChecker.log entries on the client) and authentication problems with a policy trace.

Good luck!

alan_ · ‎01-20-2008

Is NCP auto enabled? System > Configuration > NCP Auto-Select
Are you using ESP or NCP for transport? Users > Resource Policies > [Select Policy] > Network Connect Connection Profiles
NCP is much slower than ESP.
Is UDP/4500 open from the Internet to the SSL VPN box? If not the client will fall back from ESP mode to "SSL" mode and be much slower.
You can select a different UDP port on the above page.

Jickfoo_ · ‎01-20-2008

These are the settings

ESP , UDP 4500

ESP to NCP Fallback 15 seconds

Key LifeTime 20 Minutes (would increasing to 60 decrease overhead?)

Its the login time that people complain about most. After the login, I setup the role to send them to our corporate Intranet Page.

ben_ · ‎01-20-2008

How do you proof that (o)NCP is (much) slower than ESP? At least in a way that it's noticeable for the user?

We use NC with oNCP / NCP in the connectionprofile, besides that our SSL-VPN is only reachable on port 80,443 from the Internet and it's working fine.
Compared with the IPSec Solution it's as fast or not noticeably slower than the IPSec thing. Neither when just "working" nor when transfering files.

alan_ · ‎01-21-2008

Empirical evidence - running NCP only runs like molasses.
You admit you do not have UDP/4500 open so you're comparing SSL mode with NCP.
I am comparing ESP mode with NCP.

ben_ · ‎01-22-2008

k I did not get that.

I can choose between ESP with NCP fallback or oNCP/NCP directly in the NC Profile.
For my understanding that would mean if e.g. the ESP UDP Port is not reachable, it falls back
to NCP.
If it falls back than it should be the same like oNCP/NCP directly or not?

And what besides ESP / (o)NCP is the SSL mode you are talking about?
Just for my understanding

tia

Paul_Slager_ · ‎01-29-2008

These are all great recommendations but I think you may be looking in the wrong place. If it takes long to sign in then it could be one of your host check policies. What Host-Checks are you using, try elminiating them in a test environment and see if speed is increased till you narrow down the problem child.

I just wanted to add that Alan is 100% correct in saying that ESP is much faster then NCP we have done benchmark tests to prove it.

zanyterp_ · ‎02-28-2008

Are your users logging in via the Network Connect stand-alone application? Or logging into the IVE web GUI and network connect launching from there?

mlitka_ · ‎04-17-2008

Did you ever find a resolution to this issue?

NetConnect Login is S-L-O-W

NetConnect Login is S-L-O-W

Re: NetConnect Login is S-L-O-W

Re: NetConnect Login is S-L-O-W

Re: NetConnect Login is S-L-O-W

Re: NetConnect Login is S-L-O-W

Re: NetConnect Login is S-L-O-W

Re: NetConnect Login is S-L-O-W

Re: NetConnect Login is S-L-O-W

Re: NetConnect Login is S-L-O-W

Re: NetConnect Login is S-L-O-W