Forum Discussion

munnay02_288100
Sep 22, 2016

internet speed decrease after connecting VPN

I have an Airtel broadband connection at my home with a speed of 16 Mbps. I get almost 15.5 Mbps while using wifi on my system and phones, but if I connect the system with RSA in order to connect to the office network, the speed is reduced drastically and comes down to 2-3 Mbps.

 

4 Replies

  • Have a look at whether the F5 VPN is using TCP or UDP for its tunneling protocol. This is a common problem with TCP-over-TCP connections when working with unstable network connections such as Wifi. Basically what happens is the wifi connection loses a packet (5-25% packet drop is quite likely over wifi), after which both the tunnel TCP session and the inner TCP session try to recover their connection, causing a bit of a snowball effect if another packet gets lost during the recovery process.

     

    The solution is to enable DTLS on the F5 VPN connection; https://support.f5.com/csp/article/K54955814

    This enables the outer tunnel to use UDP instead of TCP, meaning that if a packet gets lost, only one TCP session needs to recover its session, which doesn't cause the snowball effect.

     

    I've seen this myself a few times where people are working over unstable connections but do not notice it until they connect to a VPN and the speed drops to 10% of their normal speed - or less. Switching to DTLS brought the speed back to roughly 90% of its normal speed.
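
One way to carry out the check suggested in the reply above on a Linux client, as an added example that is not part of the thread or of F5's tooling: it parses `ss -tun` output and reports whether any UDP flow to the VPN gateway exists. The gateway address, ports and sample output are constructed, and the function names are hypothetical.

```python
import ipaddress

# Constructed `ss -tun` output (Linux). 203.0.113.10 stands in for the VPN
# gateway; every address and port here is made up for the example.
SAMPLE_TCP_ONLY = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   ESTAB  0      0      192.168.1.23:51544  203.0.113.10:443
tcp   ESTAB  0      0      192.168.1.23:51560  198.51.100.7:443
udp   UNCONN 0      0      0.0.0.0:5353        0.0.0.0:*
"""
SAMPLE_WITH_UDP = (SAMPLE_TCP_ONLY +
    "udp   ESTAB  0      0      192.168.1.23:40112  203.0.113.10:4433\n")


def _peer(field):
    """Parse 'addr:port' or '[v6]:port'; return (ip, port) or None."""
    addr, _, port = field.rpartition(":")
    try:
        ip = ipaddress.ip_address(addr.split("%")[0].strip("[]"))
        # ss may show an IPv4 peer as ::ffff:a.b.c.d on dual-stack sockets
        return getattr(ip, "ipv4_mapped", None) or ip, int(port)
    except ValueError:
        return None  # wildcard peer such as '*:*' or '0.0.0.0:*'


def flows_to_gateway(ss_output, gateway):
    """Sorted (proto, peer_port) pairs for sockets whose peer is the gateway."""
    gw = ipaddress.ip_address(gateway)
    flows = set()
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 6 or cols[0] not in ("tcp", "udp"):
            continue  # header line or other socket families
        peer = _peer(cols[5])
        if peer and peer[0] == gw:
            flows.add((cols[0], peer[1]))
    return sorted(flows)


def tunnel_transport(ss_output, gateway):
    """'udp-present', 'tcp-only' (the TCP-over-TCP case) or 'no-flow'."""
    protos = {proto for proto, _ in flows_to_gateway(ss_output, gateway)}
    if "udp" in protos:
        return "udp-present"
    return "tcp-only" if "tcp" in protos else "no-flow"


if __name__ == "__main__":
    for name, text in (("before", SAMPLE_TCP_ONLY), ("after", SAMPLE_WITH_UDP)):
        print(name, tunnel_transport(text, "203.0.113.10"),
              flows_to_gateway(text, "203.0.113.10"))
```

On a live client, pass the text printed by `ss -tun` and the gateway's IP address; a `tcp-only` result means the client has no UDP flow to the gateway, which is the TCP-over-TCP situation described above.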

  • A VPN will always cause speed to be lower. 7-8 times might be a bit much, but that can also be an issue with wherever you connect to. I would work with the person who set up the BIG-IP and check if they recognize this.

     

  • This does not happen with the Palo Alto GlobalProtect client.

    I am using both the BIG-IP F5 VPN and the GlobalProtect VPN, and there is a huge difference in speed.

    GlobalProtect never decreases speed and it is very fast.

  • I agree that the DTLS option should be tested.

    I work with F5 and Palo Alto. The Palo Alto GlobalProtect gateway in many cases first uses IPsec on a UDP port and only if that fails switches to TLS VPN over TCP. The F5 APM Edge Client supports TLS VPN and DTLS VPN. Think of F5 APM DTLS as being the same as Palo Alto IPsec over UDP, which in many cases has better performance than TLS over TCP (the normal SSL VPN).

    https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/firewall-administration/reference-port-number-usage/ports-used-for-globalprotect.html

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClXPCA0

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PPY1CAO

    I suggest also reading this for the Edge Client and a slow VPN:

    https://support.f5.com/csp/article/K32311645