SRX IPsec VPN poor throughput

I recently came up against an issue of slow throughput on an IPsec VPN between two SRX220s. The SRX220 is capable of around 100Mbps with an IPsec VPN, according to the spec sheet.

The issue I was seeing was around 25Mbps over the VPN. The connection between the two SRXs is just an L2VPN interconnect, so I wouldn’t have thought this to be the issue. If it was a 3rd-party Ethernet or ADSL, it would have led me more down the path of checking connectivity.

Further investigation led me to find out from the customer that on the end of the SRXs are 2x SANs with MTU 9000. This led me to finding out that the VPN on the SRX is capable of MTU 1350. So the packets are being fragmented, causing the lower throughput of the VPN.

With the following article LINK

Setting the following two commands on both SRXs resolved the issue. It did take a while for it to take effect, so I would suggest applying and checking the next day to see any improvement.

set security flow tcp-session no-sequence-check
set security flow tcp-mss ipsec-vpn mss 1350
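
The fragmentation described above can be worked through as an added example (not part of the original post): it computes the ESP tunnel-mode packet size for one full TCP segment and splits it into IPv4 fragments, once for the MSS a 9000-MTU host would use (8960) and once for the clamped MSS of 1350. The 1500-byte link MTU and the AES-CBC with HMAC-SHA1-96 overheads are assumptions, since the post does not state the interconnect MTU or the IPsec proposal.

```python
# Added example: every constant here is an assumption, not a value from the post.
IP_HDR = 20      # IPv4 header without options
TCP_HDR = 20     # TCP header without options
LINK_MTU = 1500  # assumed MTU of the interconnect between the two SRXs
ESP_HDR = 8      # SPI + sequence number
IV_LEN = 16      # assumed cipher: AES-CBC
BLOCK = 16       # AES block size; ESP pads the encrypted part to this
ICV_LEN = 12     # assumed integrity algorithm: HMAC-SHA1-96


def esp_tunnel_size(inner_len):
    """Size of the outer IPv4 packet after ESP tunnel-mode encapsulation."""
    # Encrypted part = inner packet + padding + pad-length byte + next-header byte.
    to_encrypt = inner_len + 2
    padded = -(-to_encrypt // BLOCK) * BLOCK  # round up to a whole cipher block
    return IP_HDR + ESP_HDR + IV_LEN + padded + ICV_LEN


def fragment_sizes(packet_len, mtu):
    """Sizes of the IPv4 fragments needed to carry one packet over `mtu`."""
    if packet_len <= mtu:
        return [packet_len]
    payload = packet_len - IP_HDR
    per_frag = (mtu - IP_HDR) // 8 * 8  # fragment offsets count in 8-byte units
    sizes = []
    while payload > 0:
        chunk = min(per_frag, payload)
        sizes.append(IP_HDR + chunk)  # each fragment carries its own IP header
        payload -= chunk
    return sizes


def wire_packets(mss):
    """Packets on the wire for one full-size TCP segment with the given MSS."""
    inner = IP_HDR + TCP_HDR + mss
    return fragment_sizes(esp_tunnel_size(inner), LINK_MTU)


if __name__ == "__main__":
    for mss in (8960, 1350):  # 8960 = MSS of an MTU 9000 host, 1350 = clamped
        frags = wire_packets(mss)
        print(f"MSS {mss}: {len(frags)} packet(s) on the wire: {frags}")
```

Under these assumptions a jumbo segment becomes seven fragments that the peer has to reassemble before it can decrypt, while a 1350-byte segment fits in a single 1448-byte ESP packet. The calculation covers only the tcp-mss line; no-sequence-check is a separate setting that turns off TCP sequence-number checking in the SRX flow module.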

