We have just had a PSA-3000 installed a couple of weeks ago and was supposed to deploy it production last week, but we're having performance problems with the Pulse Desktop client on Windows. We simply don't get the throughput that we expect.
We have tested from a remote network that has a 300/60 connection. If we connect in SSL mode, then we only get around 35-40 Mbit/s throughput. If we enable ESP then it rises to around 60 Mbit/s. This is much lower than with our current solution that can deliver at least 120 Mbit/s. That is a SSTP VPN with the the built-in Windows VPN client and the server is a software based solution called SoftEther, but the performance is the same with a Windows RRAS VPN server.
When using Pulse Desktop client on a Mac, on the same network, we get around 100-120 Mbit/s, so that is acceptable, but why is the performance much lower on Windows? We have only done tests on Windows 10 for now, but both on our domain joined PC's and on a private computer that is not domain joined, to rule out any Group Policy restrictions.
I have briefly tested Network Connect and the result was comparable to Pulse Desktop Client.
No. We're not using bandwidth management at all... And I'm still the only user on the system since we're still testing, so it's not because of the load.
It looks like the latest R3 relase increased throughput in ESP mode sligtly, so I'm guessing it's a software issue. We're practically only getting half the expected speed in ESP mode and only third of the speed in SSL mode, compared to the other SSL solutions we're using
Thank you for the update; I am glad to hear that 8.2R3 has helped with the behavior For ESP, we expect better than what you are seeing as well. When you have some time, please collect the logs as outlined in the performance troubleshooting guide (Windows [https://www.pulsesecure.net/download/techpubs/current/433/pulse-connect-secure/pcs/8.2rx/How_To_Performance_Logs_for_NC_Pulse_Windows.pdf] & Mac [https://www.pulsesecure.net/download/techpubs/current/432/pulse-connect-secure/pcs/8.2rx/How_To_NC_Performance_Logs_MAC.pdf]) and then open a case so we can look for ideas. Is it possible to put a client on the same subnet/switch as the PCS and test? Is the switchport & link speed on the ports both set to 1000/full?
I already have a case open, 2016-0502-0787, but the progress is kind of slow and I wanted to hear if anyone in the community would have any suggestions.
I have tried to connect my computer to the switch were the PSA-3000 is connected and then connect with the client. It was my understanding that even though I was on the LAN, then the client would force all traffic through the appliance (when configured to it). With that test I got the "expected" around 15 MB/s (120 Mbit/s) of throughput.
When I'm off the network and remoting in, then I get much less, but only on Windows...
Thank you for doing the test & the case number. If you are using split tunneling disabled, yes, everything would go through the appliance; if not, the protected resources would _most likely_ be triggered as something to not send through the tunnel. But if you are already using split tunneling disabled and are getting better speeds locally, that is odd that something is triggering on the OS in such a way Does the firewall/switch/router in front show any logs that may indicate anything?
When I did the local test, then I made sure that split tunneling was disabled and the access to local resources was disabled so that everything should go through the appliance. At since I "only" got around 120 Mbit/s, and not full gigabit speed then it seemed like it did.
The firewall in front doesn't show anything strange and all traffic just flows through. It would be pretty difficult to test without the firewall, since it would require significant configation changes, so that would be the absolutely last resort. Since other solutions perform just fine through the same firewall, with the same kind of rules, then I don't think that the error lies there.
Can anyone tell me what performance can be expected in ESP and SSL mode in a best case scenario, like copying one big file?
seeing this one year old topic, did you ever receive a solution for this issue? We're facing very similar problems here, with download speed with TLS much less than expected, ESP a bit faster but still not very good.
No I never got a solution for this. We've been running with the solution ever since and I never got a single complaint from the users so I didn't follow up on it.
We're running a bit behind the latest versions but i plan to update the appliance in the next couple of weeks and then I will test it again. It really did seem like software issue with the Windows client.