Increasing VPN Client tunnel performance

Article: TECH80194  |  Created: 2002-01-21  |  Updated: 2003-01-05
Article Type: Technical Solution



Your client VPN tunnels are experiencing high latency or lower throughput than expected. For instance, file transfers through the VPN tunnel take much longer than they should, or interactive client requests such as telnet or FTP receive slow responses.


VPN Client performance depends on several factors including processor (CPU) power, levels of encryption, Internet connection bandwidth, and others. Use the following information to troubleshoot VPN performance issues:

The following items affect VPN performance
On the client
    • CPU processing power of the client computer.
    • Bandwidth (speed) of the Internet connection.
On the server
    • CPU processing power of the firewall/VPN server.
    • The VPN Policy used for the tunnel: encryption and integrity level, data compression, and rekey intervals.
    • Proxy analysis of packets (configuration of rules to pass traffic to the proxy services).
    • NAT types, if being used.
    • The patch level of the firewall/VPN server.

Techniques to increase VPN tunnel performance
Try the following techniques to improve the performance of the VPN tunnel:
    1. On the client
      1. Increase CPU processing power.
      2. Eliminate or stop nonessential processes that use CPU time.
      3. Increase the bandwidth of the Internet connection by using direct access (cable/DSL) in place of dial-up connections, if possible.
    2. On the server
      To free memory, stop unnecessary proxy services on the firewall such as SQLNetd, NNTPd, and others.

      Note: Disabling proxy daemons lessens the ability of the firewall to fully examine packets at the application layer and may lower the degree of security established on the system. Only disable proxy services if you are certain that they are not in use by the firewall either directly (for instance, DNSd) or indirectly (in rules). If you are not sure of the effect of disabling certain proxy services, consult a Technical Support representative before disabling proxy services.

    3. Tunnel Parameters
      1. VPN Policy parameters
        1. Disable Compression on the VPN Policy
        2. Set rekey limits to their defaults (Data Volume: 2100000, Lifetime: 480, Inactivity: 0)
        3. If CPU power is a concern, you may also try a DES VPN Policy in lieu of a 3DES VPN Policy. Note that DES provides considerably weaker encryption than 3DES, so this trades security for speed.
      2. Disabling/Enabling VPN tunnel use of the Proxy Services
        1. In most cases, a VPN Policy that uses the Proxy services is only required when one of the following applies:
          1. The administrator wishes to restrict access to services through the tunnel (for instance, only telnet is allowed through the tunnel).
          2. NAT is necessary for return packets to reach the firewall (that is, the internal hosts behind the firewall/VPN server do not use the firewall/VPN server as their default gateway).
        2. If you do not need to restrict access to specific services through the tunnel (all ports and protocols are allowed through the VPN tunnel to the defined Local Entity of the Secure Tunnel), and NAT is not necessary because internal hosts use the firewall/VPN server as their default gateway, this setting can be disabled. However, if you wish to restrict services through the tunnel or must use the NAT feature of the firewall/VPN server, this setting must remain enabled.
        3. To disable the Proxy Services feature, on the VPN Policy used by the tunnel, clear the "Pass Traffic from the Secure Tunnel to the Proxy Services (Required for NAT)" check box.
    4. Proxy Services
      There are several rule-based items you can analyze and change to improve the throughput of a VPN tunnel that uses the Proxy services:
      1. Make the VPN rules as specific as possible (including Source, Destination, Out Via, and Services). If possible, avoid multiple rules that identify the same source, because the firewall scans the entire rule database to determine the "best fit" rule for each connection.
      2. If possible, avoid using "all*" as the service in rules; instead, specify the individual services that the VPN rule should allow.
      3. Disable "Log Normal Activity" (on the Miscellaneous tab). This stops the Logging daemon from recording every connection matched by this rule.
      4. Disable "Application Data Scanning." Disabling this feature invokes the FastPath mechanism (HTTP) or the Kernel Proxy (all other Proxy services) for those services that apply to the specific rule. For information on FastPath and the Kernel Proxy, review the Firewall documentation provided with your product.
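The four rule-level checks above can be applied mechanically to a rule table. The following is an added example (not part of this article and not the firewall's own tooling) that audits a constructed, simplified rule list for each hazard: a non-specific Source, Destination or Out Via field, an "all*" service, "Log Normal Activity" enabled, "Application Data Scanning" enabled, and several rules identifying the same source. The `Rule` record, the `"*"` placeholder for the firewall's "any" entity, and the sample rules are all assumptions made for the example; the real product keeps its rules in its own GUI/database format.

```python
"""Audit a simplified VPN proxy-rule table for the throughput hazards
listed in the "Proxy Services" section (added example; the rule format
here is a constructed approximation, not the firewall's own)."""
from collections import defaultdict
from dataclasses import dataclass

ANY = "*"  # constructed placeholder for the firewall's "any" entity


@dataclass(frozen=True)
class Rule:
    name: str
    source: str
    destination: str
    out_via: str
    services: tuple          # e.g. ("telnet", "ftp") or ("all*",)
    log_normal_activity: bool = False
    application_data_scanning: bool = True


def audit_rules(rules):
    """Return {rule_name: [finding codes]} for every rule with at least one hazard.

    Finding codes map one-to-one onto the article's recommendations:
      NONSPECIFIC_FIELD  - Source, Destination or Out Via is the "any" entity
      ALL_SERVICES       - the rule uses "all*" instead of individual services
      LOG_NORMAL         - "Log Normal Activity" is enabled
      APP_DATA_SCAN      - "Application Data Scanning" is enabled (no FastPath/Kernel Proxy)
      SHARED_SOURCE      - another rule identifies the same source (slows best-fit scan)
    """
    findings = defaultdict(list)
    by_source = defaultdict(list)
    for r in rules:
        by_source[r.source].append(r.name)
        if any(s.lower() == "all*" for s in r.services):
            findings[r.name].append("ALL_SERVICES")
        if ANY in (r.source, r.destination, r.out_via):
            findings[r.name].append("NONSPECIFIC_FIELD")
        if r.log_normal_activity:
            findings[r.name].append("LOG_NORMAL")
        if r.application_data_scanning:
            findings[r.name].append("APP_DATA_SCAN")
    # Rules sharing a source all take part in the "best fit" comparison.
    for names in by_source.values():
        if len(names) > 1:
            for n in names:
                findings[n].append("SHARED_SOURCE")
    return dict(findings)


# Constructed sample rule set: one tight rule, one broad rule on the same
# source, and one tight rule on a different source.
SAMPLE_RULES = (
    Rule("vpn-telnet", "vpn_clients", "intranet_hosts", "inside", ("telnet",),
         log_normal_activity=False, application_data_scanning=False),
    Rule("vpn-any", "vpn_clients", ANY, ANY, ("all*",),
         log_normal_activity=True, application_data_scanning=True),
    Rule("vpn-ftp", "branch_office", "file_server", "inside", ("ftp",),
         log_normal_activity=False, application_data_scanning=False),
)


def report(rules=SAMPLE_RULES):
    """Print the audit in a human-readable form and return the findings."""
    result = audit_rules(rules)
    for name, codes in result.items():
        print(f"{name}: {', '.join(codes)}")
    if not result:
        print("no throughput hazards found")
    return result


if __name__ == "__main__":
    report()
```

Running the module prints one line per rule that needs attention; `vpn-any` collects every finding, `vpn-telnet` is flagged only because it shares a source with `vpn-any`, and `vpn-ftp` is clean. Extending the checks to whatever export format your own rule base uses is a matter of replacing the `Rule` constructor calls.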
    5. Address Transforms
      If you need to use Address Transforms (the firewall/VPN server NAT functionality), try the following to improve performance:
      1. Use the "Use Gateway Address" option in the Address Transform in place of a NAT pool.
      2. Make the Address Transform specific to your VPN Tunnel (the "best fit" method applies to Address Transforms as it does to rules. See item 4.1, above), and leave the default VPNTunnelExitTransform and VPNTunnelEntryTransform at their defaults.
