Smart questions
Smart answers
Smart people
Join Tek-Tips Forums
INTELLIGENT WORK FORUMS
FOR COMPUTER PROFESSIONALS

Member Login




Remember Me
Forgot Password?
Join Us!

Come Join Us!

Are you a
Computer / IT professional?
Join Tek-Tips now!
  • Talk With Other Members
  • Be Notified Of Responses
    To Your Posts
  • Keyword Search
  • One-Click Access To Your
    Favorite Forums
  • Automated Signatures
    On Your Posts
  • Best Of All, It's Free!

Join Tek-Tips
*Tek-Tips's functionality depends on members receiving e-mail. By joining you are opting in to receive e-mail.

Posting Guidelines

Promoting, selling, recruiting, coursework and thesis posting is forbidden.
Jobs from Indeed

Link To This Forum!

Partner Button
Add Stickiness To Your Site By Linking To This Professionally Managed Technical Forum.
Just copy and paste the
code below into your site.

Extremely Slow SonicWall 2040 to TZ-170 VPN

Kevin25a (IS/IT--Management) (OP)
5 Mar 07 16:30
I did a search and didnt find anything on this issue, but I'm hoping someone here has some insight into the problem.

I currently have a Sonicwall Pro 2040 standard OS in my corporate office, connected to a T-1.  I have 2 TZ-170's located in remote offices, connected to 6mb down, 768kb up ADSL circuits.

We are running a Windows 2003 server environment, and have a AD File server, DNS, and Wins server at each location.

The VPN connections are set up in standard mode, bandwidth is gauranteed at 256kb min 512 kb max, Encryption set to IKE, MD5.

When remote users behind the TZ-170's browse file shares on the corporate servers, the response is acceptably quick. The problem comes in when they attempt to open a MS Office document, image etc. across the VPN.  There is a 30-90 second lag before the file starts transfering to the application to be used, so depending on the size of the spreadsheet or file it may take 2-5 minutes before the user can actually start editing the file.

We have tried Null encrypted tunnels, verified the MTU size of each network to eliminate packet fragmenting, run through all possible Qos Size gaurantes, Verifed remote users are accessing the DNS/Wins server local to thier office, run many speed tests, and line quality tests and all the circuits test clean and fast. Nothing we have tried has had any positive impact in performance.

SonicWalls recommendation was to tell the users to copy the file over then edit it. This is not realistic since the spreadsheets etc that are being accessed are HR related for the most part, and cannot be replicated, or copied out of the corporate office, only edited as needed.

Does anyone have any ideas?

Thanks in advance for your input!



technome (IS/IT--Management)
6 Mar 07 13:33
With the bandwidth you have your expecting too much. Unless your have a massive bandwidth pipe (requiring tons of money), do not expect to open Office files quickly. If you want speed with you present bandwidth, look into Terminal services. With a reasonably fast TS server >2 Ghz, and a decent amount of ram, you can access/open files faster than most WKS (if not all) on the local LAN can.

........................................
Chernobyl disaster..a must see pictorial
http://www.kiddofspeed.com/default.htm

Kevin25a (IS/IT--Management) (OP)
6 Mar 07 13:55
I would whole heartedly agree, except that the remote sites previously had a small 256k point to point Frac T, which carried all thier web browsing, VOIP, and file access to the home office, and the time it took to open these files was not an issue.

So we increase the available bandwidth by a factor of 3, put it on a VPN, and performace Halves what it was on the point to point. I have to believe we are missing something in the configuration of these VPN connections.
tck307 (IS/IT--Management)
22 Mar 07 18:55
Kevin,

We are having almost the exact same issues at my new job:

a vpn tunnel between 2 1260's with almost the same exact bandwidth you describe and better performance over the old shared T1.

We also have a homegrown app that telnets to a server in main office.  This response is also horrible.

When I TS in to a machine in that office, the response is fine however. I am a little green at SonicWall VPN but there has to be some configuration missing. Please post if you find a solution, as will I.
centraladminman (MIS)
22 Mar 07 19:19
You could try decreasing the encrytion to its lowest level.

You can also use a program to test link speeds between sites.  Try the link listed below.  I have not actually used the software other than the internet bandwidth test but it might help.  They have a 15 day free trial.

http://www.myspeed.com/index.html

If you run the bandwidth test you could see exactly what you are getting for upload.

You could even try changing your gateway settings on a PC so your internet goes through your VPN and then run the test.  This might quickly give you an idea at least what throughput you are actually getting.

Also, do you have any of the security services running?  I know the Gateway anti-virus and really decrease spead.  

Have you looked at the CPU diag at all?

  
Kevin25a (IS/IT--Management) (OP)
23 Mar 07 11:02
We have the encryption set to md5 and des at the moment, and have even set up the tunnel with Null encryption to do some testing (No difference in performance).  

I downloaded and ran the app you suggested and from remote site 1 we are getting a steady 1.36 down, and 585 up. CPU Diag shows >10% utilization even at peak times on both ends of the VPN, so its not even close to processor bound.

We do have CFS turned on, but AVS is disabled. We upgraded the PRO 2040 to the advanced OS over the weekend, and that seems to have helped a little at least in respect to the Tunnels being consistant at a given speed instead of all over the map.

One of the things we did notice is that because of the SBC infrastructure in California (All DSL traffic is routed through thier NOC in LA) there are times when we have up to 12 hops to go about 12 miles (San Francisco/San Jose/LA/and back)this seems to be adding some latency, but still not enough to explain the poor performance.

We have installed a Terminal Server as an interim solution, but it still burns me up that we cant nail down why these sonic walls seem to perform so badly site to site.
beholder95 (TechnicalUser)
10 Apr 07 10:19
The issue between the DSL and the Fract T1 speed difference is because the DSL isn't guarenteed speed but rather Best Effort. The Fract T1 is guarenteed and instant.

I switched 1 office off a Fract T1 (384k) to a 6MB down 2MB Up cable modem as it was only 1 person. This works fine for VOIP and Internet wtih 1 person, but i wouldn't do any more then this and this VPN is Cable on one end and T1 on the HQ end so we are only facing this "best Effort" connecton on 1 end.
If you have "Best Effort" connectiosn on both end this may be your issue as all the available bandwidth isn't there right away it ramps up. So if you request a file it asks for it, then starts transfering it, and the speed steadily tries to increase until the max is reached. With a Guarenteed connection this would just be transfered at the max speed.

Because the VPN is also using some of the bandwidth as well as any AD / DNS/ WINS traffic, not to mention regular network Multicast traffic.

If you want to use "best effort" connections you probably want to go really high, like 6Mb down 2Mb up.
Just look at it this way, I pay $90 a month for this 6Mb Down/ 2Mb up Cable connection through Cox in the branch office.
In the HQ office i just repalced my 1.53Mb UP/DN T1 ($549/month) with a 2Mb UP/DN Optical ($710/mo).

You get what you pay for.

I have a Point to Point T1 connecting my HQ to my larger Branch office at 1.53 Mb and this is about $1,000 a month as it has a T1 in the HQ and a T1 in the branch. This is through PaeTec. I got a quote on a Fiber Link between the two offices through cox and it's $440 a month for this link as Cox doesn't charge you for the line on each end, just one fee (and this is for 2Mb) so when my contract is up on Nov i'll switch to that.

You may want to see if you have optical internet available to you, it seems to me it's more economical then DSL or T1 connections.

Eitherway i think you'll need more speed for this solution to work.

Sorry to down in all that info, but just trying to give you some advice.

Reply To This Thread

Posting in the Tek-Tips forums is a member-only feature.

Click Here to join Tek-Tips and talk with other members!

Close Box

Join Tek-Tips® Today!

Join your peers on the Internet's largest technical computer professional community.
It's easy to join and it's free.

Here's Why Members Love Tek-Tips Forums:

Register now while it's still free!

Already a member? Close this window and log in.

Join Us             Close