SRX IPsec VPN poor throughput

I recently came up against an issue of slow throughput on an IPsec VPN between two SRX220s. According to the spec sheet, the SRX220 is capable of around 100Mbps with an IPsec VPN.

The issue I was seeing was around 25Mbps over the VPN. The connection between the two SRXs is just an L2VPN interconnect, so I wouldn't have thought this to be the issue. If it had been a 3rd-party Ethernet or ADSL link, that would have led me further down the path of checking connectivity.

Further investigation led me to find out from the customer that on the end of the SRXs are 2x SANs with MTU 9000. This led me to find out that the VPN on the SRX is capable of MTU 1350. Because of this, the packets are being fragmented, causing the lower throughput of the VPN.

With the following article LINK

Setting the following two commands on both SRXs resolved the issue. It did take a while to take effect, so I would suggest applying them and checking the next day to see any improvement.

set security flow tcp-session no-sequence-check
set security flow tcp-mss ipsec-vpn mss 1350
