Very slow SSL VPN

davegibelli_
Occasional Contributor


When users connect to an SA6500 using IE we notice very slow network connectivity via HTTP. FTP is OK.

 

How do I fault find this situation?

16 REPLIES
vcl_
Occasional Contributor

Re: Very slow SSL VPN

This is a really brief description :P

 

What I'll do in this case:

 

- Isolate the exact pattern (all users/a group/a few), all IE11/IE mixed version/other

- Then take some traces on a pattern matching user (policy trace, tcpdump client AND IVE side (internal/external) with dsrecord)

- If FTP is OK and HTTP is slow, for me could be: Proxy settings in IE? Backend Application? QoS settings on network?

 

Vincent

davegibelli_
Occasional Contributor

Re: Very slow SSL VPN

Vincent

 

I have done more testing. The laptop with the problem is a Lenovo X300 running XPSP3 32bit and Juniper SA6500.

 

If I do a speed test without connecting to the SA6500 I get 4.7Mbits/sec

When connected to the SA6500 this drops to 0.6Mbits/sec

 

I did a clean install of XPSP3 and the speed drops. If I use a different Lenovo laptop (I tried T500 and T61), I do not get the speed drop.

 

This fault must be an interaction between the Juniper SSL software and the driver(s) or hardware.

 

I really need help now!

 

 

vcl_
Occasional Contributor

Re: Very slow SSL VPN

Well, at this point if this is a compatibility problem and not a configuration one, the only suggestion I have is to open a TAC case.

 

Vincent

-red-_
Frequent Contributor

Re: Very slow SSL VPN

Assuming you are using Network Connect or Pulse, I would be curious whether you're using ESP or SSL as your transport, and if you are seeing a performance difference between the two.

davegibelli_
Occasional Contributor

Re: Very slow SSL VPN

Changing between ESP and SSL made no difference to the speed.

 

We always get 0.6Mbits/sec download no matter what the ADSL line speed is. Without NC we get whatever the line speed is.

 

I am trying to open a TAC case...this is an interesting fault.

Kita_
Valued Contributor

Re: Very slow SSL VPN

Please provide the case number.  At this point, I am assuming there is an issue between the SA and backend resource.  We would need the following set of data:

 

http://www.juniper.net/techpubs/software/ive/guides/troubleshooting/How_to_Performance_Logs_for_NC_P...

 

This should help us root cause the issue.

-red-_
Frequent Contributor

Re: Very slow SSL VPN

Are you allowing split tunneling?

 

When running speed test while NC session is established, is all your traffic traversing the VPN tunnel, then going back out via your company's internet pipe, or are you going direct to the resource?

zanyterp_
Respected Contributor

Re: Very slow SSL VPN

Same driver set on the failing machine(s) as the working? Same role as the other systems? Is compression disabled? SSL acceleration state?
davegibelli_
Occasional Contributor

Re: Very slow SSL VPN

Hi

 

There is no split tunnel. The traffic is coming into the network via the internet and back out, however, the pipe is 100Mbit and only peaking at 25Mbit of traffic. Also, if I test during the night the traffic is still 0.6Mbit...

 

The drivers will be different due to different hardware, but the same driver is OK when the VPN is not active, i.e. with no VPN I get 4.7Mbits. The role is always the same as I set up a test role; we have other roles and realms, all are restricted!

 

TAC has suggested changing compression but that makes no difference. The case number is 2014-0903-0819. If this was a simple problem I wouldn't need help!