Again, low/high throughput scenarios could also mean using two different protocols, such as smb and ftp (please bear in mind that smb is known to have the worst performance). Always clarify which protocols are used (smb, http, ftp, etc.), location of the clients/servers, and Internet link speeds. The network path (between client and server) usually passes several devices and links, and the conditions are changing dynamically (CPU/link utilization, load, buffers, and so on).Īlways try to collect a minimum of two sets of data for "low throughput" and "high throughput" scenario, so you have a baseline that you can use to compare.
#Palo alto networks vpn udp performance download#
With or without VPN client, you will have different download speeds measured if you try to download the same file multiple times. In other words, the throughput depends on several factors. Performance related issues are not easy to troubleshoot. General issues, limitations and recommendations The primary reason is that the throughput depends on several factors and each setup is different. It will be difficult to give numbers on the expected throughput difference between GlobalProtect client versus non-GlobalProtect client scenarios. TCP inside TCP encapsulation (no control over underlying TCP layer).Time needed for the operation depends on the current client/firewall load.Both the client and the firewall have to encrypt/decrypt and encapsulate/decapsulate traffic, which will introduce processing delays.It is expected for the throughput to be slower when the GlobalProtect client is being used as opposed to non-VPN or direct connection.
GlobalProtect client-related issues (i.e., slow throughput when using GlobalProtect client) That is the main reason why we would recommend, if you're experiencing slow throughput (when using SSL), to migrate to IPsec whenever possible.īelow are a few ideas/suggestions/limitations regarding this topic. What that means is that the GlobalProtect (GP) client and/or firewall doesn't have control over the underlying TCP layer (error detection, flow control, congestion control), which is slowing down the throughput.
#Palo alto networks vpn udp performance how to#
Here is some great information on how to troubleshoot performance related to GlobalProtect.įirst of all, please bear in mind that SSL VPN is not designed to be efficient (it is best effort and not designed for high throughput) mostly because it's TCP-based (TCP inside of TCP).
This limitation is due PAN-OS architecture where each IPsec tunnel session is processed by only one core and each core encapsulate a maximum of 300 Mbps of traffic and decapsulate another 300 Mbps of traffic combining to get a bidirectional throughput of 600 Mbps In this case PA-VM is giving around 550 Mbps throughput To know the precise throughput of IPsec tunnel, either FW should be just passing the IPsec traffic, or one can rely on the client/server being used for testing. Number of sessions created since bootup: 660498175Ībove highlighted Throughput in the CLI output is a global value for firewall and not just for IPsec tunnel Log in to the firewall CLI and execute below CLI command: Bi-directional throughput for traffic across IPsec tunnel is limited to 600 Mbps which results in application slowness, latency and packet loss issues for data traversing across the tunnel.
0 kommentar(er)
